Msg#: 3608122 posted 9:59 pm on Mar 22, 2008 (gmt 0)
As long as you have static file includes, or dynamic but selected ones, you shouldn't have a security issue with the include function. All you should take care of is that the users won't be able to change what include files your script includes.
include("myscript.php"); is safe
if ($_GET["a"] == "one") include("one.php"); else if ($_GET["a"] == "two") include("two.php"); is also safe
include($_GET["textbox1"]); is not safe, because they can send anything in that textbox1 variable, and include anything they want.
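The allowlist pattern described above, written out as a complete PHP script. This is an added example, not code from the thread; the request parameter `a`, the page table `$pages` and the file names `one.php`/`two.php` are assumptions. The request value is used only as a lookup key into a fixed table, so no part of it ever becomes a path:

```php
<?php
// Added example (not from the original thread): select an include file from
// a fixed allowlist instead of passing user input to include().
// The parameter name "a" and the page table below are assumptions.

declare(strict_types=1);

/**
 * Map a request value to one of a fixed set of include files.
 * Returns null when the value is not on the allowlist, so the caller never
 * builds a file name from user-controlled data.
 */
function resolveIncludeFile(string $requested, array $allowlist): ?string
{
    // Exact key lookup: the request string is compared, never concatenated
    // into a path, so "../", "php://" or a remote URL cannot reach include().
    if (array_key_exists($requested, $allowlist)) {
        return $allowlist[$requested];
    }
    return null;
}

// Fixed table of keys to files; only the right-hand values can ever be included.
$pages = [
    'one' => __DIR__ . '/one.php',
    'two' => __DIR__ . '/two.php',
];

// Accept the parameter only as a plain string (arrays are rejected), default to 'one'.
$requested = (isset($_GET['a']) && is_string($_GET['a'])) ? $_GET['a'] : 'one';

$file = resolveIncludeFile($requested, $pages);

if ($file === null) {
    // Unknown key: refuse rather than guess.
    http_response_code(404);
    echo 'Unknown page';
    exit;
}

include $file;
```

The `if`/`else if` chain in the post is the same idea with two entries; the table form scales to more pages and keeps the comparison type-strict. As defence in depth, the PHP settings `allow_url_include=Off` (the default) and an `open_basedir` restriction limit what `include` can reach even if a later code change reintroduces a user-built path.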
Msg#: 3608122 posted 6:07 pm on Mar 24, 2008 (gmt 0)
Yes, you are correct. It is user-supplied input and can never be trusted. Always check to be sure the value being passed to you contains what you expect before you use it.
I also note you are using one of the alternative methods for invoking PHP. Although there is really nothing wrong with using that format, you may want to reconsider and use the more common format, <?php. Details: Basic syntax [php.net]