You can do this:

[code]
$page = $_GET['page'];
$bad_strings = array(
    "://",
    "../",
);
// Refuse the request if any of the listed substrings appears in the parameter
foreach ($bad_strings as $b) {
    if (strpos($page, $b) !== false) {
        die("I'm not including that!!");
    }
}
[/code]

Another thing you can do is:

[code]
$page = $_GET['page'];
// Refuse anything other than letters and digits
// (preg_match() is used here because ereg() was removed in PHP 7)
if (preg_match("/[^a-zA-Z0-9]/", $page)) {
    die("I'm not including that!!");
}
[/code]

That will reject anything which is not a letter or a number. If you want to allow other characters, you can include them in that regexp. In particular, this rejects ".", "/", and anything else needed to include something from another directory.

Even better is:

[code]
$page = $_GET['page'];
$allowed = array(
    "news",
    "forum",
);
// Only names on the list are ever included
if (!in_array($page, $allowed)) {
    die("no no no no no, a million times no!");
}
[/code]

These are all implementations of kenrbnsn's suggestions. Toonmariner, you may have a problem with files like "../../../../../etc/passwd".
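An added example, not part of the original post: the allowlist from the last snippet, extended so that each allowed name maps to a fixed file and the resolved path is confirmed to stay inside the pages directory. The `resolve_page()` function, the temporary directory layout and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not from the original post). resolve_page() and the
// directory layout are hypothetical; the sample inputs are constructed.

/**
 * Return the absolute path to include for $page, or null to refuse.
 */
function resolve_page($page, array $allowed, string $baseDir): ?string
{
    // ?page[]=x arrives as an array; only plain strings on the list pass.
    if (!is_string($page) || !isset($allowed[$page])) {
        return null;
    }
    $base = realpath($baseDir);
    // The file name comes from the map, never from the request itself.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$page]);
    if ($base === false || $path === false) {
        return null; // missing directory or file
    }
    // Defence in depth: a symlink or a bad map entry must not leave $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary pages directory holding two page files.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
@mkdir($baseDir);
file_put_contents($baseDir . '/news.php', '<?php echo "news";');
file_put_contents($baseDir . '/forum.php', '<?php echo "forum";');

$allowed = array('news' => 'news.php', 'forum' => 'forum.php');

// Constructed inputs, including the path mentioned in the post above.
$samples = array('news', 'forum', 'admin', '../../../../../etc/passwd',
                 'http://example.com/x', array('news'));

foreach ($samples as $s) {
    $path = resolve_page($s, $allowed, $baseDir);
    $label = json_encode($s, JSON_UNESCAPED_SLASHES);
    printf("%-30s => %s\n", $label, $path === null ? 'refused' : 'include ' . basename($path));
}

// Clean up the demo files.
unlink($baseDir . '/news.php');
unlink($baseDir . '/forum.php');
rmdir($baseDir);
```

Only `news` and `forum` resolve to a file; every other sample, including the array-valued parameter, is refused before any path is built from it.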