in reply to Re: Introdutory article on cross site scripting
in thread Introdutory article on cross site scripting

Where is $cgi ever defined? $var1 is the cgi object. How is this script vulnerable to scripting attacks? They print out the text 'parameter', not the variable $parameter. Someone really fudged things up here.

Is that the worst the article has to offer? This coulda been a last-minute addition that was published after tech-review. For instance, the tech-reviewer says "Looks great, but add a small example here." Since it is so small, the author doesn't bother to send it back to tech-review. It's a mistake; it happens. Can't you look past that?
