g1smd - 12:13 am on May 23, 2012 (gmt 0)
I see that I bounced it purely on the use of underscores in the URL request.
I never use underscores in URLs. This ruling also has the handy effect of blocking direct access to PHP include files as their file names often do have underscores.
If that rule hadn't been there, then the combination of POST and "php" in the URL would have kicked it to the kerb anyway.