Attacker changes value of our variable Usually with %register_globals% Also from included files Unauthorized gain of access rights SQL injection ... Initialize variables For the sake of security Separation of included files Initialize all variables Turn off %register_globals% Access outside data through %$_GET% and co. Errors %E_NOTICE% detect some problems Warns also about working with non-existing keys of initialized array Doesn't warn about adding elements to uninitialized array The code is full of ugly %(!isset($_GET["search"]) ? "" : $_GET["search"])% statements. You are not warned about insecure %$auth["user"] = "root"%. Fool page with wrong initialization if %register_globals% is enabled Fool page with wrong array initialization hoping that %E_NOTICE% will save its live http://php.vrana.cz/inicializace-promennych.php http://php.vrana.cz/promenne-zvenku.php