Interaction design • webdevelopment • web art • photography

December 2000

Here's a little advice for any fellow PHP-scripters out there, I've noticed this on several sites now (starting with

If you're using include() in your scripts, be careful you don't literally use a parameter in your urls to include local files. Include() can load and execute any PHP commands from any other server. For example, if your url looks like this:


and your script does this:


people can write a textfile with any php commands they want and execute them on your server by simply using this url:


Solution: if the page you're including doesn't need to execute any php commands, use readfile(). This function will simply print the contents of the file as-is. And if your genuine include file does contain some php, try implementing some sort of if-else condition to make sure only those files get included that you want to be included.