PHP: dynamic includes. Is this way safe?

I've been looking into using dynamic includes in my layout and I have found this tutorial which claims to be a safe way of doing it. As I'm still very new to PHP, would someone more experienced kindly be able to tell me if this code is safe?

Thanks :)

PHP:
<?php if (isset($_GET['x'])) {
   if (strpos($_GET['x'], "/")) {
      $dir = substr(str_replace('..', '', $_GET['x']), 0, strpos($_GET['x'], "/")) . "/";
      $file = substr(strrchr($_GET['x'], "/"), 1);
      if (file_exists($dir.$file.".php")) {
         include($dir.$file.".php");
      } else {
         include("index2.php");
      }
   } else {
      if (file_exists(basename($_GET['x']).".php")) {
         include(basename($_GET['x']).".php");
      } else {
         include("index2.php");
      }
   }
} else {
   include("index2.php");
} ?>
 
This should work fine, can't see why it wouldn't work. If you could give us more detail like what you're trying to achieve, I could take a more detailed look at the code and (if necessary) I could give you some alternative ways of doing it :)
 
No, it's not safe. You are filtering some of the input, but basically still including a file based on parameters an unknown Chinese government-sponsored hacker is sending.
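
An allowlist version of the include logic discussed in this thread, as an added example that is not part of any post. The page keys and file names other than index2.php are hypothetical; the request value only selects an entry from a fixed map and never becomes part of a path.

```php
<?php
// Added example: allowlist dispatch for the ?x= parameter.
// Keys and file names are hypothetical, except index2.php (the thread's fallback page).
const PAGES = [
    'home'        => 'index2.php',
    'about'       => 'about.php',
    'news/latest' => 'news/latest.php',
];

/**
 * Turn the untrusted request value into a file chosen in advance.
 * Anything that is not an exact key of PAGES falls back to index2.php.
 */
function resolve_page($requested, string $baseDir): string
{
    $fallback = $baseDir . '/index2.php';

    // ?x[]=foo makes $_GET['x'] an array, so check the type before the lookup.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return $fallback;
    }

    // Second layer: the resolved file must exist and sit under the base directory.
    // This catches a symlink or a mistaken map entry that points elsewhere.
    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGES[$requested]);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return $fallback;
    }

    return $path;
}

// The include target is always a value from PAGES or the fallback, never request text.
include resolve_page($_GET['x'] ?? null, __DIR__);
```

Adding a page means adding one line to the map, so the set of includable files is reviewable in one place.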
 