IT services

Disallow Directory changes

Hardening for websites that select the page to display through a PHP `include` driven by a request parameter. The intent is to allow only includes from the script's own directory: any double dots (`..`) in the requested name are stripped, so the parameter cannot be used to climb out of that directory.

<?php
// Name of the home page and file extension of the page files
$home = 'start'; // name for homepage
$ext  = '.php';  // set file extension

// For an empty or missing id, call the home page
if (!isset($_GET['id']) || $_GET['id'] == '') {
	$_GET['id'] = $home;
}

// Cut out any .. from the parameter to prevent directory changes.
// str_replace() takes three arguments: search, replacement, subject.
// Note: a slash is not filtered here, so a name like "sub/page" still
// reaches ./sub/page.php; restrict the name further if that is unwanted.
$_GET['id'] = str_replace('..', '', $_GET['id']);
$id = $_GET['id'] . $ext;

// Check if the file exists
if (file_exists('./' . $id)) {
	include './' . $id;
} else {
	// page not found -> show homepage
	include './' . $home . $ext;
}
?>
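Stripping `..` keeps the include inside the directory tree, but a slash in the name still selects a file in a subdirectory, and a symlink inside the directory can point anywhere. The following added example (not the page's own code) enforces the same-directory rule more strictly: it accepts only a bare page name, optionally checks it against a list of known pages, and then verifies with realpath() that the resolved file sits directly in the script's directory. The function name resolvePage, the allowlist entries and the assumption that page files live next to this script are mine, not the page's.

```php
<?php
// Added example: strict same-directory include.
// Assumptions: page files are in __DIR__, named <id>.php; the allowlist
// below is a constructed sample and would be replaced by the real page names.
const ALLOWED_PAGES = ['start', 'about', 'contact'];

function resolvePage(string $requested, string $home = 'start', string $ext = '.php'): ?string
{
    // Step 1: only bare names (letters, digits, dash, underscore) are accepted.
    // This rejects '..', '/', '\\', null bytes and stream wrappers such as 'php://'.
    if ($requested === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $requested)) {
        $requested = $home;
    }

    // Step 2 (optional but strongest): the name must be one we know about.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        $requested = $home;
    }

    // Step 3: resolve the real path and require that its directory is exactly
    // this script's directory. realpath() returns false for a missing file and
    // follows symlinks, so a symlinked page pointing elsewhere fails this check.
    $baseDir = realpath(__DIR__);
    $target  = realpath(__DIR__ . DIRECTORY_SEPARATOR . $requested . $ext);

    if ($target === false || dirname($target) !== $baseDir) {
        // Fall back to the home page, which is subject to the same check.
        $target = realpath(__DIR__ . DIRECTORY_SEPARATOR . $home . $ext);
        if ($target === false || dirname($target) !== $baseDir) {
            return null;
        }
    }

    return $target;
}

// Usage: the parameter is read with a default so a missing id raises no notice.
$page = resolvePage($_GET['id'] ?? '');
if ($page !== null) {
    include $page;
} else {
    http_response_code(404);
    echo 'Page not found';
}
```

The name filter alone already excludes every path-changing character, so the realpath() comparison is a second, independent check rather than the primary one; keeping both means a mistake in one layer (for example loosening the regex later) does not immediately open the include to other directories.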
