Done and done.

//Get secret; protects against all characters with ASCII code between 0 and 31 : . \ + * ? [ << ^ > ] ( $ ) #
$secret = shell_exec('cat /tmp/oid-shared_secret-'.addcslashes($_GET['openid_assoc_handle'],'\0..\37;.\+*?[<<^>]($)#').'.secret');

Should be good, no?

-Kris

(PS, Damn the reply-to!)

On 2005/06/29, at 9:19 PM, Phil Harnish wrote:

> What if they just encode a newline and add a more malicious shell command of their own?
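
An added example, not part of either message in this thread: one way to read the association secret without invoking a shell, so that escaping the handle is no longer the defense. The function name, the handle allowlist and the demo files are assumptions; only the /tmp/oid-shared_secret-<handle>.secret naming comes from the post.

```php
<?php
// Added example, not code from the thread. read_assoc_secret() and the
// allowlist pattern are hypothetical; the file naming follows the post.

function read_assoc_secret(string $handle, string $dir = '/tmp'): ?string
{
    // Assumption: handles issued by this server use only these characters.
    // \A and \z (not ^ and $) so a trailing newline cannot pass the anchors.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,255}\z/', $handle)) {
        return null;
    }
    $path = $dir . '/oid-shared_secret-' . $handle . '.secret';

    // Plain file read: the handle never reaches a shell, and symlinks
    // planted in a world-writable directory are refused.
    if (!is_file($path) || is_link($path)) {
        return null;
    }
    $secret = file_get_contents($path);
    return $secret === false ? null : $secret;
}

// Constructed demo data in a private temporary directory.
$dir = sys_get_temp_dir() . '/oid-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/oid-shared_secret-abc123.secret", 'constructed-secret');

$cases = [
    'abc123',        // well-formed handle with a stored secret
    "abc123\nxyz",   // the encoded-newline case raised in the thread
    'abc123;xyz',    // a character from the escape list in the post
    'nosuchhandle',  // well-formed, but no file on disk
];
foreach ($cases as $h) {
    $r = read_assoc_secret($h, $dir);
    printf("%-16s => %s\n", json_encode($h), $r === null ? 'rejected' : 'ok');
}

// Clean up the constructed demo files.
unlink("$dir/oid-shared_secret-abc123.secret");
rmdir($dir);
```

Only the first case returns a secret; the others are rejected before any file or process is touched.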