Rowan Collins wrote:
There's even HTML attributes to tell the browser
which ones should
start checked, so unless someone *really* tried they couldn't select
less than two anyway.
Never assume that. Never assume any browser works in any way you want,
and never assume malicious users might not send erroneous POST requests
by themselves. If you make assumptions, the cases you assume are
impossible can in some cases give rise to an exploit.
Timwi