DDisguise

ok, for now i've managed to get this to work for me: <?php .... if(isset($_GET['PID'])) { $page = preg_replace("/[^0-9]/", "", $_GET['PID']); if(file_exists($page.'.php')) { include($page.'.php'); } else { .... ?> So it takes whatever's in PID and removes any non-numerical characters.... so PID=jasdasdm.{{3kjhd displays page 3 and PID=pjasdn/$#% displays the default I guess this will work thanks guys Although, while I'm here, what's regex?

Well an $allowed array would have the same problem as using switch - no time to update for each newly created page... I guess if each page was numeric only? (1.php, 2.php etc) but then how would that work? i don't know the function to perform on $_GET['PID'] to achieve this?

globals.php (snippet) function displayPage() { $dir = "content/" if(isset($_GET['PID'])) { $page = $_GET['PID']; if(file_exists($dir.$page.'.php')) { include($dir.$page.'.php'); } else { include($dir."home.php"); } } else { include($dir."home.php"); } } index.php (snippet) include("ssi/globals.php"); .... <body> <?php displayPage(); ?> </body> .... NOW, this works fine and dandy for all the files which exist in content/ and it displays home.php if the file does not exist in /content/ the problem is, i can still put "index.php?PID=../file" and if the file exists then it still includes it, even outside of the /content/ folder...this could be very troublesome - especially if some ass decides to type in PID=../index Please help, I know i can just use switch($page) but the website is going to be very dynamic - lots of addition of new pages, no time to update globals.php each time a new page is added. So, please help?