Say I have variable $chargecustomerscard which, later in the code, which actually does the monetary processing in my script. Normally, this variable is only set after the status is determined from a database query, cookie checks, etc.

Certainly this variable name is sufficiently hidden from the end user since they can't see the script. But if a more malicious user were to discover that this variable exists, and that one is populating the variable space by the methods used here, then that user could easily "overwrite" the correct value of that variable just by generating the right URL request, and cause numerous problems.

It's nearly always better to explicitly define what you are looking for than to exclude the cases you don't want to look for when it comes to security in this fashion.

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain