But I looked at the file and I don't see any vulns. The code he quoted seems OK to me. The dev escapes all the input. And I can't find any LFI vulnerabilities in the IPN handlers either. The only file included is inc/init.php and it takes no input at all in the require/include line so I don't understand... are we safe or not? Would be good if bingo could actually explain instead of saying it's not secure.