Secuity considerations when including files

I am preparing to setup a request routing system in php based on the $_GET array.

For example, for the url ?r=login I'd use include myfiles/".$_GET['r'].".php"; Which would po开发者_如何学运维int automatically to myfiles/login.php

I know I need to sanitise the get input, but I'm concerned as it is possible to maliciously redirect the include. Can anyone suggest how to prevent this? Also can I check the file actually exists before calling it?

I have some ideas of my own, I just want to know I've not missed any considerations.

It is always a good idea not to include files specified through a url. If you still want to do that, use a switch statement or any array to filter the stuff and include only what you need:

Example 1:

$page = $_GET[...];

switch($page){
  case 'login': include 'login_page.php'; break;
  // and so on
  default: die("bye bad guy !");
}

Example 2:

$page = $_GET[...];

$pages = array('page1.php', 'page2.php', 'page3.php');

if( in_array($page, $pages) )
{
    include($page);
{
else
{
   die("bye bad guy !");
} 

I would suggest you to have a look at these related security tuts:

• PHP 5.2.0 and allow_url_include
• PHP Security Mistakes
• Top 7 PHP Security Blunders

If you can, use whitelist. If you can't, then:

• allow underscore and alphanumeric characters only
• put the include files into a separate directory