str0ke wrote:
> With register globals = off he wouldn't be able to initialize the
> variable anyways correct?

Yes, the advisory is fake.

(I was just pointing out that the exploit blocker was not the str_replace())

Best regards,
Francesco `ascii` Ongaro
http://www.ush.it/