PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
I am including a file that is dependent on a $_GET request. All the files that can/should be included are located in a modules/ directory. Are there any issues with using this method as a white list?
Would it be better to store all valid "modules" in my database and query it? If so, why? (I'd rather not rely on a database if possible, but security is more important.)
That isn't a white list. You could put all valid module names into an array in addition to what you are already doing. If a module name does not exist in the array it's not valid. That would be a true white list.
What you have done is only secure if end users cannot manipulate the file being included. For example, what would happen if someone accessed the page using a URL such as this:
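Added example, not code from the thread or from either poster: a fixed-array allow list for the include described in the answer above, with a path check behind it. Only the `modules/` directory comes from the thread; the `module` parameter name, the module names, and the `home` default are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed names: the 'module' query parameter, the entries in the list and
// the 'home' default are illustrative. Only modules/ is from the thread.
const MODULE_DIR = __DIR__ . '/modules';
const ALLOWED_MODULES = ['home', 'news', 'contact'];

/**
 * Return the absolute path of the file for a requested module name,
 * or null when the name is not on the allow list.
 */
function resolveModule($requested): ?string
{
    // A query string like ?module[]=x makes the value an array; reject non-strings.
    if (!is_string($requested)) {
        return null;
    }

    // Strict comparison against a fixed list. The request value is only ever
    // compared, never used to decide which names are valid, so anything
    // containing path separators or other unexpected characters cannot match.
    if (!in_array($requested, ALLOWED_MODULES, true)) {
        return null;
    }

    // Defence in depth: the resolved file must exist and sit directly inside
    // modules/ (this also catches a symlink that points elsewhere).
    $base = realpath(MODULE_DIR);
    $path = realpath(MODULE_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }

    return $path;
}

$file = resolveModule($_GET['module'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    exit('Unknown module');
}
require $file;
```

Because the list is hard-coded, adding a module means editing `ALLOWED_MODULES`; no database lookup is involved.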