Personally I'd trust php over javascript any day... there are various reasons, one of which (of course) is that the code isn't exposed to the world in the way it is with Javascript... I'd think exposing your code to the world makes it *far* more likely that somebody would succeed in hacking their way in... after all, they can see which URLs they're required to come from just by viewing the source... not with php they can't... if they don't know which URLs are accepted, how are they going to know what to put in their hack?

Sean