1
Zoobink
xoops_confirm $xoopsDB->queryF() and TextSanitizer
  • 2005/9/26 11:44

  • Zoobink

  • Just popping in

  • Posts: 23

  • Since: 2005/8/27


Dev Wiki - Xoop VUF says to use xoops_confirm function to avoid using queryF on get requests.

Can somebody please expand on this statement so that an old newbie like me will understand.

Secondly, is there some guidance anywhere about the use of $xoopsDB->queryF()? The Wiki says to use with caution!!! but fails to elaborate on what caution needs to be taken.

Thirdly (and last for today...) are there any guidelines on using TextSanitizer? When is it appropriate to use, and what is it capable of doing?

Thanks.

2
Mithrandir
Re: xoops_confirm $xoopsDB->queryF() and TextSanitizer

The xoops_confirm function displays a confirmation page with - usually - a statement and a confirm and a cancel button.
These could be "Are you sure you want to delete this user..." or "Do you really want to uninstall this module..."

The purpose is to make sure that the operation is performed through a POST request and not a GET request. POST is rather more difficult to spoof for an attacker, since the attack would have to be performed through a form on the same site - which is normally not allowed just anybody to create.

queryF() will perform a query no matter the POST/GET request method and no matter if the HTTP_REFERER is blocked or not and therefore it can lead to CSRF (seasurf) attacks, where an administrator is lured into submitting something he didn't intend to submit.
Therefore, queryF() should only be used where it is desirable, but not critical that it is submitted correctly.

An example could be the article reads incrementer and the session data update, which is not really that dangerous should an administrator accidentally perform this action.
"When you can flatten entire cities at a whim, a tendency towards quiet reflection and seeing-things-from-the-other-fellow's-point-of-view is seldom necessary."

Cusix Software
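The confirm-on-GET, act-on-POST pattern described in the reply above, written out as an added example (this is not code from the thread or from XOOPS itself). It assumes an admin script running inside a XOOPS module, where `$xoopsDB`, `xoops_confirm($hiddens, $action, $msg)` and `redirect_header()` are available, and PHP 7 or later. The per-session token helpers and the `myarticles` table are hypothetical stand-ins, not XOOPS APIs; the `token` hidden field is only there so the confirmation form, and nothing else, can complete the operation.

```php
<?php
// Added example: show a confirmation page on GET, perform the write only on a
// POST that carries a per-session token, and prefer $xoopsDB->query() over
// queryF() for anything that must not be triggered by a forged link.
//
// Assumptions: $xoopsDB, xoops_confirm() and redirect_header() come from the
// surrounding XOOPS environment; the token helpers and the 'myarticles' table
// are hypothetical and exist only for this illustration.

// Hypothetical helper: one token per session, handed to the confirmation form.
function confirm_token_issue()
{
    if (empty($_SESSION['confirm_token'])) {
        $_SESSION['confirm_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['confirm_token'];
}

// Hypothetical helper: constant-time comparison against the stored token.
function confirm_token_valid($submitted)
{
    return !empty($_SESSION['confirm_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['confirm_token'], $submitted);
}

$op  = $_REQUEST['op'] ?? '';
$uid = intval($_REQUEST['uid'] ?? 0);

switch ($op) {
case 'delete':
    // Reached by a plain link (GET). Nothing is changed here; we only ask.
    // xoops_confirm() renders a POST form whose hidden fields are the array
    // below, so the real work is routed to the 'delete_ok' case.
    xoops_confirm(
        array('op' => 'delete_ok', 'uid' => $uid, 'token' => confirm_token_issue()),
        'admin.php',
        'Are you sure you want to delete user #' . $uid . '?'
    );
    break;

case 'delete_ok':
    // Two gates before any write: the request must be a POST, and it must
    // carry the token that only our own confirmation form could have included.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !confirm_token_valid($_POST['token'] ?? null)) {
        redirect_header('admin.php', 3, 'Deletion must be confirmed through the form.');
        break;
    }
    $sql = sprintf('DELETE FROM %s WHERE uid = %d', $xoopsDB->prefix('users'), $uid);
    // query(), not queryF(): the non-forced call leaves the database layer
    // free to refuse a write that still somehow arrives on a GET request.
    if (!$xoopsDB->query($sql)) {
        redirect_header('admin.php', 3, 'Deletion failed.');
        break;
    }
    unset($_SESSION['confirm_token']);
    redirect_header('admin.php', 2, 'User deleted.');
    break;

case 'read':
    // The reply's "reads incrementer" case: a forged GET can at worst bump a
    // counter, so forcing the write with queryF() is acceptable here.
    $aid = intval($_REQUEST['aid'] ?? 0);
    $xoopsDB->queryF(sprintf('UPDATE %s SET reads = reads + 1 WHERE aid = %d',
        $xoopsDB->prefix('myarticles'), $aid));
    break;
}
```

The point to take from the two branches is the asymmetry: the destructive operation is reachable only through the form that `xoops_confirm()` produced, while the harmless counter update tolerates `queryF()` because a lured administrator cannot do real damage with it. If you later add a third operation, decide which branch it resembles before choosing between `query()` and `queryF()`.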

3
Zoobink
Re: xoops_confirm $xoopsDB->queryF() and TextSanitizer
  • 2005/9/27 2:59

  • Zoobink

  • Just popping in

  • Posts: 23

  • Since: 2005/8/27


OK. Thanks for that. I'm enlightened twofold.

Anybody want to add about TextSanitizer?
