I'm updating an old web-based license key generator for some new products of ours (used only by our on-site tech guys). Anyway the original script used HTTP_POST_VARS instead of just _POST, so I just changed it all to _POST so I didn't have to go turn on register_long_arrays in my php.ini .

Anyway the original author guy came by to check it out and saw I was using the "shorthand" (preferred method from what I've always heard) _POST vars, and he said something along the lines of "Oh, your disabling some of the new security features that way". I've never heard of any security issues using $_POST vs $HTTP_POST_VARS, and google didn't turn much up either. Personally, I don't think theres really any difference and think he was just misinformed on the subject, but was wondering if maybe there is some merit to his statement.

The only functional difference of which I am aware is that the $HTTP_* versions are not "super-global", while the $_POST type vars are. I.e.: $_POST is automatically available in any scope, whereas $HTTP_POST_VARS would have to be declared as global within a function/method definition before it can be accessed.

Thanks for the reply, I wasn't aware that you had to declare them as globals inside a function. But still, the script is so small, it's all a single inline script that generates these keys. Am I correct in assuming there is no "security" risk using just $_POST?

I am not aware of any such risk. Besides, as far as I know from all the php.net literature, the newer, "super-global" versions are the preferred method of accessing such external data, and as such should be used instead of $HTTP_* variables, and also instead of register_globals (http://www.php.net/register_globals) variables (preferably with register_globals disabled so that they are not even an option).

Also, neither the $HTTP_* variables nor register_globals will be available at all in PHP 6.

I am not aware of any such risk. Besides, as far as I know from all the php.net literature, the newer, "super-global" versions are the preferred method of accessing such external data, and as such should be used instead of $HTTP_* variables, and also instead of register_globals (http://www.php.net/register_globals) variables (preferably with register_globals disabled so that they are not even an option).
Thats exactly what I've heard too, and why I've always used them. This guy is just one of those programming gurus that's been doing it for decades so I figured he might have some merit to his statement. I'm just gonna stick with the superglobals because thats the recommended method, easiest method, and I can't see any security risks involved with it. Thanks for the input.