On Tue, Feb 3, 2009 at 12:54 PM, Metzler, David metzlerd@evergreen.edu wrote:
> The most compelling reason, aside from being more maintainable, is that Drupal's Forms API implements cross-site scripting vulnerability protections that may not have been taken care of in the original code.
It implements Semantic Forgery protection and Cross Site Request Forgery protection. The form can still be vulnerable to a Cross Site Scripting (CSS) attack if the XSS vulnerability is on the same site, but it is safe from a "blind" XSS attack that is done across domains.
The commonly stated phrase "Use Drupal's Form API for safety" only applies when the form is submitted (POSTed) back to the Drupal site. If you are posting to a third party site then it doesn't matter how the form is built on the Drupal page.
Shai - I think you'll have to motivate the client to choose an implementation based on additional features provided by a signup+signup_pay combination (which, by the way, is getting lots of great attention recently from the maintainers including some great sponsored work that Derek Wright has done).
Cheers, Greg
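To make the point about the form token concrete, here is an added stand-alone PHP sketch (not Drupal's own code and not from either poster) of the per-session, per-form token that Drupal's Form API attaches to forms and checks on POST. The constants, session ids and form ids are constructed values; the helper names are this example's own, not Drupal's. It shows a legitimate submission validating, a forged cross-site submission and a replayed token from another session failing, and a form whose action is a third-party site, where the token is still emitted but never checked by anyone.

```php
<?php
// Added example: a minimal per-session form token, modelled on the idea
// behind Drupal's form tokens but implemented here without any Drupal code.
// PRIVATE_KEY is a constructed placeholder for a secret kept server-side.
const PRIVATE_KEY = 'constructed-site-private-key';

// Derive a token bound to both the session and the form id, so a token
// captured from another user or another form cannot be replayed.
function form_token(string $session_id, string $form_id): string
{
    return hash_hmac('sha256', $session_id . ':' . $form_id, PRIVATE_KEY);
}

// Validate a submitted POST body against the current session.
// Uses hash_equals() so the comparison does not leak timing information.
function valid_form_token(array $post, string $session_id): bool
{
    if (!isset($post['form_id'], $post['form_token'])) {
        return false;
    }
    $expected = form_token($session_id, (string) $post['form_id']);
    return hash_equals($expected, (string) $post['form_token']);
}

// Render a form carrying the hidden token. Output is escaped for HTML.
function render_form(string $session_id, string $form_id, string $action): string
{
    $token = form_token($session_id, $form_id);
    return "<form method=\"post\" action=\"" . htmlspecialchars($action, ENT_QUOTES) . "\">\n"
         . "  <input type=\"hidden\" name=\"form_id\" value=\"" . htmlspecialchars($form_id, ENT_QUOTES) . "\">\n"
         . "  <input type=\"hidden\" name=\"form_token\" value=\"" . htmlspecialchars($token, ENT_QUOTES) . "\">\n"
         . "  <input type=\"submit\" value=\"Sign up\">\n"
         . "</form>\n";
}

// --- Simulated requests (constructed sample data) ---
$session = 'sess-abc123';

// 1. Legitimate submission: the browser posts back the token it was given.
$good = ['form_id' => 'signup_form', 'form_token' => form_token($session, 'signup_form')];
var_dump(valid_form_token($good, $session));

// 2. Forged cross-site submission: a page on another origin cannot read the
//    victim's token, so it can only guess.
$forged = ['form_id' => 'signup_form', 'form_token' => 'guess'];
var_dump(valid_form_token($forged, $session));

// 3. A token minted for a different session, replayed against this one.
$replay = ['form_id' => 'signup_form', 'form_token' => form_token('sess-other', 'signup_form')];
var_dump(valid_form_token($replay, $session));

// 4. Form posting to a third-party site: the token is present in the HTML,
//    but the remote site never runs valid_form_token(), so it protects nothing.
echo render_form($session, 'signup_pay_form', 'https://payments.example/checkout');
```

Run with `php example.php`; cases 1 to 3 print `bool(true)`, `bool(false)`, `bool(false)`, and case 4 prints the rendered form. The last case is the point of the thread: the protection lives in the server-side check on the receiving site, so a form whose action is another domain gets no benefit from how it was built on the Drupal page.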