Disallow Directory changes
Improved security for websites that use PHP `include` with a page name taken from the request: only files from the same directory may be included, and any `..` in the name is filtered out.
<?php
// Original (pre-change) fragment, reformatted only: on the page it was collapsed
// onto one line, where the leading "//" comment swallowed the whole statement.
// NOTE(review): $ext is not defined in this fragment, and $id stays unset when
// $_GET['id'] is non-empty — presumably handled by code outside this excerpt.
// Also, reading $_GET['id'] without isset()/?? raises an undefined-index notice
// when the parameter is absent.
//for empty id, call home page
if ($_GET['id'] == '') {
    $id=('start');
}
$id=($id.$ext);
?>
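<?php
declare(strict_types=1);

// Include the page named by the ?id= query parameter, restricted to files in
// this directory. A missing, empty or unsafe id falls back to the home page.
//
// Why this differs from the previous version: the earlier check removed '..'
// with str_replace('..', $_GET['id']), which passes the wrong number of
// arguments (a fatal ArgumentCountError on PHP 8). Even with the arguments
// corrected, removing one substring is not a reliable guard — the remaining
// string can still contain path separators or traversal sequences. The
// allow-pattern below accepts only plain names (letters, digits, '_' and '-'),
// which rules out separators, dots and null bytes entirely.
//
// NOTE: any .php file in this directory can still be selected by name. Keep
// non-page files (configuration, helpers) out of this directory, or replace the
// pattern check with an explicit list of page names.

$home = 'start'; // name of the home page (without extension)
$ext = '.php';   // file extension appended to the page name

// Read the parameter without an undefined-index notice; a non-string value
// (e.g. id[]=x) is treated as absent.
$requested = $_GET['id'] ?? '';
$requested = is_string($requested) ? $requested : '';

// Accept only a plain name; anything else (including '') selects the home page.
// The 'D' modifier stops '$' from matching before a trailing newline.
$id = preg_match('/^[A-Za-z0-9_-]+$/D', $requested) === 1 ? $requested : $home;

// Anchor on this file's directory rather than the process's working directory.
$target = __DIR__ . '/' . $id . $ext;

if (is_file($target)) {
    include $target;
} else {
    // page not found -> show homepage
    include __DIR__ . '/' . $home . $ext;
}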