QUOTE(heckenschutze @ Feb 21 2006, 01:28 PM)
One very large problem with the code mentioned is that remote script execution is possible.
E.g. if I made a script on my site that destroyed everything if run, I could tell your script to run/include it.
The following would work:
Therefore, causing destroy.php to be included into your page, as if it was a file on your site.
A common workaround is to use switches:
$page = "page1.php";
$title = "My page title.php";
$page = "main.php";
$title = "Home";
Could I also stick my site URL in front of the $page value? So that if someone tried to put their own URL in it would be http://mydomain.com/index.php?page=http://theirsite.com/destroy
Then $page would equal http://mydomain.com/http://theirsite.com/destroy and this would give a 404.
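The two approaches discussed above, compared on the same inputs, as an added example that is not part of either post: the prefix idea from the reply next to the switch idea from the quote, written as a lookup table. The keys `home` and `page1`, the function names and the `pages/` directory are assumptions; the file names and titles are the ones in the quoted post.

```php
<?php
// Added example. File names and titles come from the quoted post; the keys
// 'home' and 'page1' and both function names are assumptions.
const PAGES = [
    'home'  => ['file' => 'main.php',  'title' => 'Home'],
    'page1' => ['file' => 'page1.php', 'title' => 'My page title.php'],
];

// The prefix idea from the reply: the host is fixed, but everything after it
// is still whatever the visitor sent, so the include target stays visitor-controlled.
function prefixed_target($requested): string
{
    return 'http://mydomain.com/' . (is_string($requested) ? $requested : '');
}

// The switch idea from the quote, as a lookup: only an exact, known key
// selects a file; URLs, unknown names and arrays (?page[]=x) fall back to home.
function resolve_page($requested): array
{
    if (is_string($requested) && array_key_exists($requested, PAGES)) {
        return PAGES[$requested];
    }
    return PAGES['home'];
}

// Constructed sample values for ?page=
$samples = ['page1', 'http://theirsite.com/destroy', 'nosuchpage', '', ['x']];
foreach ($samples as $s) {
    $r = resolve_page($s);
    printf(
        "%-34s prefix: %-50s allow-list: %s (%s)\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        prefixed_target($s),
        $r['file'],
        $r['title']
    );
}

// In index.php the result would be used like this (assumed pages/ directory):
//   $p = resolve_page($_GET['page'] ?? 'home');
//   $title = $p['title'];
//   include __DIR__ . '/pages/' . $p['file'];
```

With the lookup, the string passed to `include` is always one of the file names written in the table, never text taken from the request.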