In response to:

--------------------

"Be careful when you use something like index.php?showpage=news.php and include() that $showpage file.
If a malicious user would call your script as index.php?showpage=http://some.server/script.php it would include that script and run it in *your* script's scope."

-------------------

That's true... I suggest passing a parameter that only your code understands, and having a switch / case statement to handle the parameter. Then you can decide what to do with it; every other parameter is discarded.

Ex:

-----------
index.php?showpage=1
---------

in the code that receives this parameter:

---------------

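// Map the page id to a fixed file; the request value itself never reaches include.
if (!empty($_GET['showpage']))
{
    switch ($_GET['showpage'])
    {
        case '1': include_once 'inc/news.htm'; break;
        case '2': include_once 'inc/scores.htm'; break;
        case '3': include_once 'inc/pub.htm'; break;
        // Any other value falls back to the index page.
        default: include_once 'inc/index.htm';
    }
}
else
{
    // No parameter given: show the index page.
    include_once 'inc/index.htm';
}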
------------

It has worked for me and prevents hacking through the URL. If anyone sees a major default in this, please let me know; I will change my approach to a safer one.

Kuju
----
Manual Page -- [url]http://www.php.net/manual/en/features.remote-files.php[/url]
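
Added example (not part of the original note or of the PHP manual): the same allowlist idea written as a lookup table, run over constructed inputs that include the remote URL from the quoted note. The name resolve_page() and the sample inputs are assumptions made for illustration; the page ids and file names are the ones from the note.

```php
<?php
// Added example: allowlist lookup for a ?showpage= parameter.
// Page ids and file names mirror the note above; resolve_page() is hypothetical.

const PAGES = [
    '1' => 'news.htm',
    '2' => 'scores.htm',
    '3' => 'pub.htm',
];
const DEFAULT_PAGE = 'index.htm';

/**
 * Map an untrusted request value to a file name from the allowlist.
 * The request value is used only as an array key, never as part of a path.
 */
function resolve_page($raw): string
{
    // ?showpage[]=1 arrives as an array; only plain strings are considered.
    if (!is_string($raw)) {
        return DEFAULT_PAGE;
    }
    // Exact key lookup. A switch compares loosely, so '1.0' would also hit
    // case '1'; here it is not a key and falls through to the default.
    return PAGES[$raw] ?? DEFAULT_PAGE;
}

// Constructed sample inputs (not taken from real traffic).
$samples = [
    '1',
    '3',
    '1.0',
    '',
    'http://some.server/script.php',
    '../inc/news.htm',
    ['1'],
    null,
];

foreach ($samples as $s) {
    printf("%-36s => inc/%s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        resolve_page($s));
}

// In the receiving script the call would be:
// include_once __DIR__ . '/inc/' . resolve_page($_GET['showpage'] ?? null);
```

Only '1' and '3' resolve to their pages; every other sample, including the URL and the path with "..", resolves to inc/index.htm.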