Daniel Convissor wrote:
> You mean _improperly validated_ user input. Come on, who would pass
> unsanitized user input to ANYTHING? :)

Well gees -- you pass unsanitized user input to addslashes(), dontcha?

We're not talking about sending user input to a database query or shell command -- the unserialize() vulnerability happens inside PHP itself.