Looks like the finally fixed PHP like I had it worked out in my head. In the new 4.1.0 version they added an option so CGI/Form variables are not automatically created as PHP variables. In the below example it would be really easy to hack this script, just pass in authenticated in the CGI.

<?PHP> if (authenticate_user()) { $authenticated = true; } ... ?>
With the new version, the form variables get put in their own arrays, that you would have to call. In this example it would get: $_GET['authenticate']; So you have to explicitly call the variable now, which should make it more secure.