I’m using:
<?php
$file = $_GET['page']; //ie: http://localhost/?page=index
include "php/{$file}.php";
?>
But I need to know what is the safest way to trim the $file variable before calling include.
I was thinking about something like:
//-replace '.' with ''
//-replace '/' with ''
//-replace '\' with ''
But I’m sure there is a better way of doing, so I’m asking for your help, please.
I need it to be very secure.
Thank you.
If you need to be very secure, don’t include it as it comes, even after trimming. Instead, use a dictionary-like association between the variable you get and the file you need to include:
This way, you will never get any unexpected includes.
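One way to write the association described in the answer, as an added example that is not the answerer's own code. The page keys, file names and the `resolve_page` helper are assumptions made for illustration; the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Allowlist: request value => file to include. Keys and file names are
// assumptions for this example; only these files can ever be included.
const PAGES = [
    'index'   => 'index.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map the untrusted ?page= value to a fixed path, or null if unknown.
 * The user input is only ever used as an array key, never as part of a path.
 */
function resolve_page(array $query, string $baseDir): ?string
{
    $page = $query['page'] ?? 'index';
    // ?page[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        return null;
    }
    return $baseDir . '/' . PAGES[$page];
}

// Constructed sample requests (not from the original post).
$samples = [
    ['page' => 'about'],
    [],
    ['page' => '../config'],
    ['page' => "index\0"],
    ['page' => ['index']],
];
foreach ($samples as $query) {
    $path = resolve_page($query, __DIR__ . '/php');
    echo json_encode($query), ' => ', $path ?? 'rejected (404)', PHP_EOL;
}

// In the front controller the same function would be used like this:
//   $path = resolve_page($_GET, __DIR__ . '/php');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```

Because the request value is only compared against the keys of `PAGES`, no filtering of `.`, `/` or `\` is needed: anything that is not an exact key is rejected before a path is ever built.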