http://znouza.meinlschmidt.org/blog/programming/phpiing/index.rss we reached the dizzy heights... en http://znouza.meinlschmidt.org/blog/programming/phpiing/050307-0941.html <p> I've created (after some strange experiences with users in my hosting) small php patch (for version 4.3.10), which disables remote includes.<strong>This patch doesn't work with Zend Optimizer enabled unfortunately :(</strong> </p> <p> Download the patch <a href="http://orin.meinlschmidt.org/~znouza/php_patch.txt">there</a>. After applying, see php.ini-dist and readme.security </p> <p> example of bad code: <xmp> <?php $page = $_GET['page']; include ($page); ?> </xmp> </p> <p> example of better code: <xmp> <?php // filter all unneeded characters $page = eregi_replace("[^a-z0-9_]","", $_GET['page']).".inc.php"; // test if $page exists and is file if (strlen($page) && @file_exists($page) && @is_file($page)) { require_once ($page); } ?> </xmp> </p> <p> Links: <div class="box"> <ul> <li><a href="http://php.net/include/">http://php.net/include/</a> </ul> </div> </p>