We weren't discussing field names in the db (SQL Server) and giving the names of ASP files is not a security risk as far as I know. Besides, anyone can look at their URL to determine what ASP module is in use at the time. For example, as I'm writing this, I can look up and see I'm using post_reply.asp and the querystring that was passed to it.