author: Nils Adermann <naderman@naderman.de> 2008-11-23 23:43:00 +0000
committer: Nils Adermann <naderman@naderman.de> 2008-11-23 23:43:00 +0000
commit: 8427ae3fd4bd0055931579d18cb9d43d69f72a90
tree: 860659608f2edc648537cd0e0192bc9fb16b698f /phpBB/includes/utf
parent: 6e2d2f85b57d34193eca566102eabe6b90aeac34
Introducing the new request class. All input is handled through this class.

"Given a choice between dancing pigs and security, users will pick dancing pigs every time." (Gary McGraw and Edward Felten)

What stays the same?
- request_var() keeps working as it used to, alternatively you can directly use request::variable() which allows choosing which super global you want to read

So what's new?
- request::disable_super_globals() which disables super globals. This function causes any direct use of $_POST, $_GET, $_REQUEST or $_COOKIE to result in an E_USER_ERROR. We hope that this will force MOD authors to at least think about validation as they will have to read about how to use the request class.
- request::is_set() / request::is_set_post will be used instead of using isset directly on super globals
- request_var() now supports arrays with arbitrary depth
- request_var() can be used with an array as the variable name to directly access values in multi-dimensional arrays.

What's next?
- request::disable_super_globals() will be active by default (set in common.php)
- all code will be adjusted to use the new class consistently
- tests for the request class to make sure it works as designed and will not change behaviour between releases

I've also already updated all the code within functions.php to use the request class.

git-svn-id: file:///svn/phpbb/trunk@9101 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/includes/utf')
0 files changed, 0 insertions, 0 deletions
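
The pattern the commit message describes (keep a private copy of the input, then make every direct super global access raise E_USER_ERROR) can be sketched as follows. This is an added example, not code from this commit or from phpBB: the class names `DisabledSuperGlobal` and `InputWrapper` and their methods are hypothetical, the sample POST data is constructed, and PHP 8.0 or later is assumed.

```php
<?php
// Hypothetical names; not phpBB's request class. Assumes PHP 8.0+.
final class DisabledSuperGlobal implements ArrayAccess
{
    public function __construct(private string $name) {}
    private function deny(): void
    {
        // Fatal unless an error handler intercepts it, as the demo below does.
        trigger_error("Direct use of \${$this->name} is disabled", E_USER_ERROR);
    }
    public function offsetExists(mixed $key): bool { $this->deny(); return false; }
    public function offsetGet(mixed $key): mixed { $this->deny(); return null; }
    public function offsetSet(mixed $key, mixed $value): void { $this->deny(); }
    public function offsetUnset(mixed $key): void { $this->deny(); }
}

final class InputWrapper
{
    private array $input;

    public function __construct()
    {
        // Keep private copies of the raw input, then swap in the guard objects.
        $this->input = ['get' => $_GET, 'post' => $_POST, 'cookie' => $_COOKIE];
        $_GET = new DisabledSuperGlobal('_GET');
        $_POST = new DisabledSuperGlobal('_POST');
        $_COOKIE = new DisabledSuperGlobal('_COOKIE');
        $_REQUEST = new DisabledSuperGlobal('_REQUEST');
    }
    public function has(string $name, string $source = 'post'): bool
    {
        return isset($this->input[$source][$name]);
    }
    // Casts the value to the type of $default so callers never receive raw input.
    public function variable(string $name, int|string $default, string $source = 'post'): int|string
    {
        $value = $this->input[$source][$name] ?? $default;
        if (!is_scalar($value)) {
            return $default; // arrays and other non-scalars fall back to the default
        }
        return is_int($default) ? (int) $value : (string) $value;
    }
}

// Constructed sample input standing in for a real POST body.
$_POST = ['topic_id' => '42abc', 'subject' => 'hello'];
// Turn only E_USER_ERROR into an exception so the demo can continue past it.
set_error_handler(fn (int $no, string $msg) => throw new ErrorException($msg, 0, $no), E_USER_ERROR);
$request = new InputWrapper();
var_dump($request->has('topic_id'), $request->variable('topic_id', 0)); // typed read
try { $raw = $_POST['topic_id']; } // legacy direct read hits the guard
catch (ErrorException $e) { echo $e->getMessage(), PHP_EOL; }
```

The guard covers array-style reads, writes, `isset()` and `unset()` on the replaced super globals; code that captured a copy of `$_POST` before the wrapper was constructed is not affected, so the wrapper has to be created before any other code runs.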