In response to:


"Be careful when you use something like index.php?showpage=news.php and include() that $showpage file.
If a malicious user would call your script as index.php?showpage=http://some.server/script.php it would include that script and run it in *your* script's scope."


That's true... I suggest passing a parameter that only your code understands, and having a switch / case statement to handle the parameter. Then you can decide what to do with it; every other parameter is discarded.



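In the code that receives this parameter:

if (!empty($_GET['showpage'])) {
    // Only these known values select a page; anything else gets the default.
    switch ($_GET['showpage']) {
        case '1': include_once 'inc/news.htm'; break;
        case '2': include_once 'inc/scores.htm'; break;
        case '3': include_once 'inc/pub.htm'; break;
        default: include_once 'inc/index.htm';
    }
} else {
    // No parameter supplied: show the index page.
    include_once 'inc/index.htm';
}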

It has worked for me and prevents hacking through the URL. If anyone sees a major flaw in this please let me know, I will change my approach to a safer one.

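The allowlist idea from the note above, written as a lookup table so that the request value is never used as a path (an added example, not part of the original note). The file names mirror the note; the function name resolve_page, the constants and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: map opaque page keys to fixed file names.
// The request parameter only selects a key; it never becomes part of the path.
const PAGES = [
    '1' => 'news.htm',
    '2' => 'scores.htm',
    '3' => 'pub.htm',
];
const DEFAULT_PAGE = 'index.htm';

/**
 * Return the file to include for a request value (hypothetical helper).
 * Anything that is not an exact allowlisted key falls back to the default.
 */
function resolve_page($param, string $baseDir): string
{
    $file = DEFAULT_PAGE;
    // $_GET values may be arrays (?showpage[]=1), so require a plain string
    // before the lookup; URLs and traversal strings simply match no key.
    if (is_string($param) && array_key_exists($param, PAGES)) {
        $file = PAGES[$param];
    }
    return $baseDir . '/' . $file;
}

// Constructed sample inputs: two valid keys, the URL from the quoted note,
// a traversal string, an array, a near-miss key and a missing parameter.
$samples = [
    '1',
    '3',
    'http://some.server/script.php',
    '../../etc/passwd',
    ['1'],
    '01',
    null,
];

foreach ($samples as $sample) {
    printf(
        "%-36s => %s\n",
        json_encode($sample, JSON_UNESCAPED_SLASHES),
        resolve_page($sample, 'inc')
    );
}

// In the page itself the result would be used as:
// include_once resolve_page($_GET['showpage'] ?? null, __DIR__ . '/inc');
```

Only the first two samples resolve to a page other than inc/index.htm. Keeping allow_url_include disabled in php.ini (its default) is a second, independent barrier against the remote include described in the quoted note.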