Well, I just "upgraded" a number of PHP scripts to function with register_globals turned off, and now better understand what's required to work with variables more securely.
I wanted to share that the extract() command turned out to be a big help. Using it meant I didn't have to put $_POST[' '] around every variable passed by a form. Instead, I put one or both of these lines of code at the beginning of scripts that use forms or receive vars passed via the URL:

    extract($_POST);
    extract($_GET);

extract() creates local variables using the 'key' and 'value' from the $_POST or $_GET arrays. I even discovered it works with multidimensional arrays that may be passed by forms. In that case, if I have an array named "formvar" that collects all data from the form (i.e., $formvar['name'], $formvar['address'], etc.), then I use extract this way:

    extract($_POST['formvar']);

This will create local variables named $name and $address that contain the values passed from the form.

Here's where you can find more about this function:
http://www.php.net/manual/en/function.extract.php

One thing to remember is that if you put extract() in a custom function (which I did initially), it won't really work because the variables are created only within the scope of the function, so, as soon as it returns to the script, the vars it created are released.

Monty

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
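Added example, not part of the original message: with its default flag (EXTR_OVERWRITE), extract() on request data lets any submitted key replace a variable the script has already set, which is the same exposure register_globals had. The sketch below shows that pattern next to two restricted forms (an allow-list with EXTR_SKIP, and EXTR_PREFIX_ALL). The $post array, the is_admin field and the function names are constructed for illustration.

```php
<?php
// Constructed sample input standing in for $_POST; the form only
// defines "name" and "address", the third key was added by the sender.
$post = [
    'name'     => 'Alice',
    'address'  => '1 Main St',
    'is_admin' => '1',
];

// Pattern from the message: every submitted key becomes a local variable.
function extract_all(array $input): bool
{
    $is_admin = false;           // set by the script before reading the form
    extract($input);             // default EXTR_OVERWRITE replaces $is_admin
    return (bool) $is_admin;
}

// Restricted form 1: keep only the keys the form defines, and never
// replace a variable that already exists (EXTR_SKIP).
function extract_allowed(array $input, array $allowed): array
{
    $is_admin = false;
    $clean = array_intersect_key($input, array_flip($allowed));
    extract($clean, EXTR_SKIP);
    return [
        'is_admin' => (bool) $is_admin,
        'name'     => $name ?? null,
        'address'  => $address ?? null,
    ];
}

// Restricted form 2: prefix every imported name, so request data can
// only ever create $form_* variables.
function extract_prefixed(array $input): array
{
    $is_admin = false;
    extract($input, EXTR_PREFIX_ALL, 'form');
    return [
        'is_admin'  => (bool) $is_admin,
        'form_name' => $form_name ?? null,
    ];
}

var_dump(extract_all($post));
var_dump(extract_allowed($post, ['name', 'address']));
var_dump(extract_prefixed($post));
```

Run with the PHP command-line interpreter; only the first function lets the submitted is_admin key change the script's own variable.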