rocknbil - 12:51 am on Jun 7, 2010 (gmt 0)
If that is your real structure, $_GET['i'] is expected to be a number, right? You want to make sure the file actually exists . . . and it's not someone injecting something for a different php include, like, oh I donno, phpinfo.php . . . .
if (isset($_GET['i']) and is_numeric($_GET['i']) and ($_GET['i'] > 0)) {
    $include = $_SERVER['DOCUMENT_ROOT']."/".$_GET['i'].".php";
}
Accept only what you expect and throw everything else away. If you expect a number or nothing, this would filter it just as well.
With an array, you have a controlled set of known inputs, which kinda does the same thing: it only allows includes "within my accepted set." When you're deciding the included file based on input, you need to be more restrictive.
would reveal a whole lotta stuff about your server you don't want some people seeing, if you forget and leave it on there.
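An added example, not code from rocknbil's post, putting the two approaches above side by side: a strict positive-integer check, and a fixed array of known pages where the request value is only a lookup key. Both go through a realpath() confinement check so that whatever survives filtering must still exist and resolve inside the intended directory. The `pages` directory, the page names and the `p` parameter are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). Assumes the includable
// pages live in one directory, taken here to be DOCUMENT_ROOT/pages.

/**
 * Approach 1: accept only a positive integer, nothing else.
 * ctype_digit() is stricter than is_numeric(), which may accept
 * strings like "1e3", " 5", "1.0" or "-1". The is_string() check
 * also rejects ?i[]=1, which arrives as an array.
 */
function pageFromNumber(array $get, string $baseDir): ?string
{
    if (!isset($get['i']) || !is_string($get['i'])) {
        return null;
    }
    $i = $get['i'];
    if (!ctype_digit($i) || (int)$i <= 0) {
        return null;                       // reject; caller falls back to a default
    }
    return confineToDir($baseDir . '/' . $i . '.php', $baseDir);
}

/**
 * Approach 2: a controlled set of known inputs. The filename comes from
 * the array, never from $_GET; the request value only selects the key.
 */
function pageFromAllowlist(array $get, string $baseDir): ?string
{
    $pages = [                             // constructed for the example
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    if (!isset($get['p']) || !is_string($get['p']) || !array_key_exists($get['p'], $pages)) {
        return null;
    }
    return confineToDir($baseDir . '/' . $pages[$get['p']], $baseDir);
}

/**
 * Belt and braces: resolve the path and require that it still sits inside
 * $baseDir. realpath() returns false for files that do not exist, so this
 * also covers the "make sure the file actually exists" requirement, and a
 * forgotten phpinfo.php outside the pages directory stays unreachable.
 */
function confineToDir(string $path, string $baseDir): ?string
{
    $real = realpath($path);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the allowed directory
    }
    return $real;
}

$baseDir = $_SERVER['DOCUMENT_ROOT'] . '/pages';
$include = pageFromNumber($_GET, $baseDir) ?? pageFromAllowlist($_GET, $baseDir);

if ($include === null) {
    $include = $baseDir . '/home.php';    // safe default, never derived from input
}
include $include;
```

Either approach alone is enough if applied consistently; the confinement step is there so that a later change to the filtering (say, someone relaxes the check to allow letters) does not silently turn the include back into a directory-traversal primitive.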