[snip]
When you use register_globals it extracts the vars from get, post, cookie and session, or used to. But, I don't think session vars are in $_REQUEST.
[/snip]

$_REQUEST is no different than $_POST or $_GET from a security standpoint. And using register_globals did not carry a security risk as long as the programmer did every responsible thing with regard to that input.

$_GET['foo']
$_POST['foo']
$_REQUEST['foo']
$foo

It is all a matter of how you handle foo, the rest is semantics.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
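
An added example, not part of the original post: one validation routine applied to foo whichever of the four forms it arrives in, with the register_globals case reproduced by hand. The function name clean_id(), the variable $is_admin and the sample request values are constructed for illustration, and the syntax assumes PHP 7.1 or later.

```php
<?php
// Added illustration; clean_id() and the sample request values are constructed.

/**
 * Validate an untrusted value as a positive integer id.
 * Returns the int, or null when the value is missing or malformed.
 */
function clean_id($raw): ?int
{
    if (!is_string($raw)) {      // array-valued (foo[]=1) or missing parameters are rejected
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed request: the same parameter name as it could appear in each array.
$_GET     = ['foo' => '42'];
$_POST    = ['foo' => '42 OR 1=1'];
$_REQUEST = ['foo' => ['42']];   // array-valued parameter

// What register_globals used to do, reproduced by hand for the demo:
// the request value lands in the plain variable $foo.
$foo = $_POST['foo'];

$sources = [
    '$_GET'     => $_GET['foo'] ?? null,
    '$_POST'    => $_POST['foo'] ?? null,
    '$_REQUEST' => $_REQUEST['foo'] ?? null,
    '$foo'      => $foo,
];

// Every form goes through the same check; the source does not change the handling.
foreach ($sources as $name => $raw) {
    $id = clean_id($raw);
    printf("%-10s %s\n", $name, $id === null ? 'rejected' : "accepted as int $id");
}

// Specific to register_globals: a request could also pre-set variables the
// script never meant to read from input. Assigning every variable before
// use overwrites anything injected under that name.
$is_admin = false;               // explicit default, set before any check
```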