One more clue, or lack thereof story. I stumbled upon this from some consulting/integration work I'm doing for a client.
My client outsources a major application from a company. The company provides an XML based API to do various management functions. You pass commands in a simple XML format via POST'ed forms.
Here's where the strangeness starts- You have to pass the admin username/password to access the management features, obviously.
I'm doing all the API work server-side with LWP::UserAgent because there's NO WAY IN HELL that I would send the admin username/password to the client. What the hell are they thinking? This app stores personal info about people (potentially CC numbers too). I pointed this out to them, and they said "We'll look into this. . ." I plan on following up with them soon, because I just can't let this one slip.
The outsourced app is actually pretty amazing, feature/function-wise, it just seems like there is a disconnect somewhere along the way. .
-Any sufficiently advanced technology is