Am I the only one that doesn't program that way? I have no code (written by myself) that is vulnerable to this (based on the functions affected). I do have a customer using phpadserver which will need to be resolved, but I've always created my own variables, and I would be interested to know if others of you choose to serialize or not.

Thanks,
John