Part of the problem with having client-side logic is that it really does boil down to methods and conditionals. If one were to dig into the code behind say a login button, they might not be able to "properly" log in (say if a database record was added to store a log of the user's activity), but they could still follow the callback trail to see what happens *after* the page gets confirmation of the user's credentials. If the login is based on session data, as mine are, then it won't do them a lot of good, but that's beside the point. The point is that they could manually trigger the code that follows a successful login, which could feasibly put an application's database at risk.