OK, well, since I can't seem to delete this post, I'll explain what it was about so maybe other people won't make the same mistake I did. I was having an XSS problem in that one of my variables ($username) was being poisoned. It took me a bit of digging around in the PHP manual to determine it was being set because register_globals was turned on, which automatically assigns variables to GET attributes. So if you have code like:

    if ( isset( $_POST['username'] ) ) {
        $username = $_POST['username'];
    }

...and $username isn't initialised in the scope of the whole script, then it can get poisoned by someone typing "script.php?username=nastystring". The fix is to be a good programmer, unlike me, and always initialise your variables, i.e. put "$username = '';" at the top of the script.

*goes away to bang his head on a wall for sloppy code*
Thanks for documenting that, davedx. You won't forget it in a hurry. I have scripts called getPostVar and getGetVar which manage this for me:

    // $_GET is a superglobal (PHP 4.1+), so no "global $_GET;" declaration is needed
    function getGetVar($name, $default = '') {
        if (isset($_GET[$name])) {
            $output = $_GET[$name];
        } else {
            $output = $default;
        }
        return $output;
    } // getGetVar

    $username = getGetVar('username');

I can add validation etc. to that, and intval() around values is always a good plan. The function gets hidden away in your functions script and you're left with nice clean function calls.
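The following is an added example, not code from either of the posts above. It reproduces the poisoning davedx describes and then shows the two fixes discussed in this thread: initialising the variable, and wrapping request access in a getter that validates. Because register_globals was removed in PHP 5.4 and cannot be switched on at runtime, extract($_GET) is used here as a stand-in for what the directive did (turn every request parameter into a variable in the script's scope); the request contents, and the getGetVar/getGetInt functions with their validation arguments, are assumptions made for the example.

```php
<?php
// Added example (not from the thread). Run with the PHP CLI; no web server needed.
declare(strict_types=1);

// Constructed request: the attacker typed script.php?username=<script>...&id=42abc
$_GET  = ['username' => '<script>alert(1)</script>', 'id' => '42abc'];
$_POST = [];

// --- What register_globals did, simulated with extract() ---
// After this line $username and $id exist and are attacker-controlled,
// exactly as if register_globals=On had created them from the query string.
extract($_GET);

// --- The pattern from the first post: only POST ever assigns $username ---
if (isset($_POST['username'])) {
    $username = $_POST['username'];
}
// No POST arrived, so the GET-supplied value survives untouched.
echo "Vulnerable: username = " . $username . "\n";

// --- Fix 1: initialise before use, so a stray global cannot leak through ---
$username = '';
if (isset($_POST['username'])) {
    $username = $_POST['username'];
}
echo "Initialised: username = '" . $username . "'\n";   // now empty

// --- Fix 2: a getter with validation, extending the second post's helper ---
// The is_string() check matters: ?username[]=x makes $_GET['username'] an array,
// which would otherwise reach preg_match() and any later string handling.
function getGetVar(string $name, string $default = '', ?string $pattern = null): string
{
    if (!isset($_GET[$name]) || !is_string($_GET[$name])) {
        return $default;
    }
    $value = $_GET[$name];
    // Allow-list: anything not matching the caller's pattern falls back to the default.
    if ($pattern !== null && !preg_match($pattern, $value)) {
        return $default;
    }
    return $value;
}

function getGetInt(string $name, int $default = 0): int
{
    // ctype_digit() is stricter than intval(): '42abc' is rejected rather than becoming 42.
    if (!isset($_GET[$name]) || !is_string($_GET[$name]) || !ctype_digit($_GET[$name])) {
        return $default;
    }
    return (int) $_GET[$name];
}

$username = getGetVar('username', '', '/^[A-Za-z0-9_]{1,32}$/');  // '' : script tag rejected
$id       = getGetInt('id', 0);                                    // 0  : '42abc' rejected

// Whatever does get accepted from the request still needs escaping on output;
// initialisation stops the poisoning, it does not make the value safe for HTML.
echo "Validated: username='" . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')
   . "' id=" . $id . "\n";
```

The first echo prints the raw script tag, the second prints an empty string, and the third prints an empty username and id 0, which is the behaviour the two posts above are after. The regex and integer checks are deliberately allow-lists rather than attempts to strip "bad" characters, so a value that does not look like a username or a number never reaches the rest of the script.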
register_globals is off by default (v4.2+). If it's on, you might want to talk to your hosting company and have it disabled. More info on this for those who are interested: http://ca.php.net/manual/en/security.globals.php J.D.