@Richard: You don't understand the problem with _REQUEST. It is not about the fact that someone can forge GET, POST, COOKIE variables. It is about the fact that COOKIEs will overwrite GET and POST data in REQUEST.
Isn't it solved by setting variables_order to the correct value, at least partially? I.e., if you have a variable in GET/POST, it won't be overwritten by the COOKIE one. Of course, there still may be a scenario when the variable is set only in COOKIE, but then doesn't omitting 'C' from variables_order exclude cookies from _REQUEST?
--
Stanislav Malyshev, Zend Software Architect
[EMAIL PROTECTED] http://www.zend.com/
(408)253-8829 MSN: [EMAIL PROTECTED]

--
PHP Internals - PHP Runtime Development Mailing List
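The merge discussed in this message, as an added example that is not part of the original post or of PHP's own source: `build_request()` and the sample arrays are constructed for illustration. It assumes that only the G, P and C letters of `variables_order` contribute to `$_REQUEST` and that a later letter overwrites an earlier one on a key collision.

```php
<?php
// Added illustration: build_request() is a hypothetical model, not a PHP built-in.
// Assumption: only G, P and C in variables_order feed $_REQUEST; later letters win.
function build_request(string $variablesOrder, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    $origin  = [];   // key => letter of the source that supplied the final value
    foreach (str_split(strtoupper($variablesOrder)) as $letter) {
        if (!isset($sources[$letter])) {
            continue; // E and S (and unknown letters) do not contribute
        }
        foreach ($sources[$letter] as $key => $value) {
            $request[$key] = $value;
            $origin[$key]  = $letter;
        }
    }
    return ['request' => $request, 'origin' => $origin];
}

// Constructed sample input: the cookie carries a key that collides with GET.
$get    = ['action' => 'view', 'id' => '42'];
$post   = [];
$cookie = ['action' => 'delete', 'lang' => 'en'];

foreach (['EGPCS', 'ECGPS', 'EGPS'] as $order) {
    $result = build_request($order, $get, $post, $cookie);
    // Keys whose final value came from a cookie.
    $fromCookie = array_keys($result['origin'], 'C', true);
    printf(
        "%-6s request=%s cookie-supplied=%s\n",
        $order,
        json_encode($result['request']),
        json_encode($fromCookie)
    );
}
```

In this model, `EGPCS` lets the cookie's `action` replace the GET value, `ECGPS` keeps the GET value but still admits the cookie-only `lang` key, and `EGPS` keeps cookies out of the merged array entirely.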