This also means that if you use $_SERVER['PHP_SELF'] as the URL for a <form> action, you'd better make sure you filter it using htmlentities(). One URL-encoded double quote would open you up to a cross-site scripting attack. You really did open a can of worms, Michael!
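
The point made in the comment above, as an added example that is not part of the original comment: the same PHP_SELF value is written into a form tag unescaped and through htmlentities(), and each result is parsed so the attributes a browser would see can be compared. The function names and the sample path are assumptions made for illustration, and the parsing step needs PHP's DOM extension.

```php
<?php
declare(strict_types=1);

// Unescaped: whatever PHP_SELF contains goes straight into the attribute.
function formTagUnsafe(string $self): string
{
    return '<form method="post" action="' . $self . '">';
}

// Escaped: ENT_QUOTES encodes both double and single quotes, so the value
// cannot end the action attribute early.
function formTagEscaped(string $self): string
{
    return '<form method="post" action="'
        . htmlentities($self, ENT_QUOTES, 'UTF-8') . '">';
}

// Parse a form tag and return its attributes as name => value, so the two
// variants can be compared on structure rather than by eye.
function formAttributes(string $html): array
{
    $previous = libxml_use_internal_errors(true); // silence fragment warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html . '</form>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $attributes = [];
    $form = $doc->getElementsByTagName('form')->item(0);
    if ($form !== null) {
        foreach ($form->attributes as $attribute) {
            $attributes[$attribute->name] = $attribute->value;
        }
    }
    return $attributes;
}

// Constructed sample: PHP_SELF as the script would see it after the server
// has decoded a request path ending in /form.php/%22%20data-injected=%221
$phpSelf = '/form.php/" data-injected="1';

// Unescaped tag: the decoded quote closes action, and the remainder of the
// path is parsed as an attribute the page author never wrote.
print_r(formAttributes(formTagUnsafe($phpSelf)));

// Escaped tag: only method and action exist, and the whole path stays
// inside the action value.
print_r(formAttributes(formTagEscaped($phpSelf)));
```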