That is called Cross-Site Scripting (XSS). I have not been able to get access to the variables via an XSS exploit. It appears that Apache renders the php code before sending off the requesting include function.
I also like the .htaccess way of preventing user access to the scripts. This is also worthy of further investigation. Bryan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php