<?php
if (preg_match('/^[a-z0-9]+$/', $_GET['page'])) {
    $page = realpath('includes/'.$_GET['page'].'.php');
    $tpl = realpath('templates/'.$_GET['page'].'.html');
    if ($page && $tpl) {
        include $page;
        include $tpl;
    } else {
        // log error!
    }
} else {
    // log error!
}
?>
How safe would you say this is?
Gumbo here on Stack Overflow wrote it.
http://stackoverflow.com/questions/524908/dynamic-include-safety/524959#524959
I wanna hear your opinions.
cheers
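
A hardened variant of the check in the snippet above, added here as an example; it is not part of the original post or of the linked answer. It covers three edge cases the snippet leaves open: a non-string `page` parameter, the `$` anchor matching just before a trailing newline, and a resolved path that ends up outside the intended directory. The function name `resolve_page`, the temporary directory and the sample inputs are assumptions, and the code requires PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the original post): resolve an allowlisted
// page name to a file that is guaranteed to live inside $baseDir.
function resolve_page(mixed $name, string $baseDir, string $ext): ?string
{
    // $_GET values can be arrays (?page[]=x) or missing; accept strings only.
    if (!is_string($name)) {
        return null;
    }
    // \z anchors at the very end of the subject. A bare $ also matches just
    // before a trailing "\n", so "home\n" would pass /^[a-z0-9]+$/.
    if (preg_match('/\A[a-z0-9]+\z/', $name) !== 1) {
        return null;
    }
    // Resolve both paths so the comparison is between canonical forms.
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . $name . $ext);
    if ($base === false || $file === false) {
        return null;
    }
    // Containment check: a symlink inside $baseDir could resolve elsewhere.
    if (!str_starts_with($file, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $file;
}

// Constructed sample data; the directory layout is an assumption.
$dir = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php // constructed sample page\n");

// Only the first input resolves to a path; the rest are rejected.
foreach (['home', "home\n", '../home', ['home'], 'missing'] as $input) {
    $result = resolve_page($input, $dir, '.php');
    printf("%-12s => %s\n", json_encode($input), $result ?? 'rejected');
}

unlink($dir . '/home.php');
rmdir($dir);
```

Passing an absolute base directory (for example one built from `__DIR__`) keeps the lookup independent of the current working directory, which the relative `'includes/'` and `'templates/'` paths in the snippet depend on.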