2
The xoops_confirm function displays a confirmation page with - usually - a statement and a confirm and a cancel button.
These could be "Are you sure you want to delete this user..." or "Do you really want to uninstall this module..."
The purpose is to make sure that the operation is performed through a POST request and not a GET request. POST is rather more difficult to spoof for an attacker, since the attack would have to be performed through a form on the same site - which is normally not allowed just anybody to create.
queryF() will perform a query no matter the POST/GET request method and no matter if the HTTP_REFERER is blocked or not and therefore it can lead to CSRF (seasurf) attacks, where an administrator is lured into submitting something he didn't intend to submit.
Therefore, queryF() should only be used where it is desirable, but not critical that it is submitted correctly.
An example could be the article reads incrementer and the session data update, which is not really that dangerous should an administrator accidently perform this action.
"When you can flatten entire cities at a whim, a tendency towards quiet reflection and seeing-things-from-the-other-fellow's-point-of-view is seldom necessary."
Cusix Software