Hi,

Code:

=========
ob_start();
switch ($this->command) {
    case 'include':
        @include($x);
        break;
    default:
        @readfile($x);
}
$data = ob_get_contents();
ob_end_clean();
=========

The above code snippet is used in a class which would allow developers (of a specific CMS) to include files without having to put php include tags on the template view.

The include path will be using the server root path, and the include files will probably be stored above the web root.

My question:

What would be the best way to "clean" and secure the include string?

Maybe something along these lines (untested):

$invalidChars=array(".","\\","\"",";"); // things to remove.
$include_file = strtok($include_file,'?'); // No need for query string.
$include_file=str_replace($invalidChars,"",$include_file);

What about checking to make sure the include path is root relative, vs. http://...?

What do y'all think? Any suggestions?

Many thanks in advance!

Cheers,
Micky

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
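
One way to do the check the message asks about, as an added example that is not part of the original post: canonicalise the requested path with realpath() and accept it only if it still lies inside a single allowed base directory, rather than stripping characters. The function name `resolve_include`, the `views` directory and the sample inputs are assumptions constructed for the demo.

```php
<?php
// Added example: hypothetical helper, not code from the CMS in the post.
function resolve_include(string $baseDir, string $requested): ?string
{
    // Drop any query string. explode() is used instead of strtok(),
    // which silently skips a leading "?".
    $requested = explode('?', $requested, 2)[0];

    // Reject empty names, NUL bytes and anything that looks like a URL
    // or stream wrapper (http://, php://, ...).
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '://') !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves "..", "." and symlinks, and returns false
    // when the target does not exist.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }

    // The canonical path must still be inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed demo tree: <tmp>/views/header.php is allowed,
// <tmp>/secret.txt sits outside the base directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
@mkdir($root . '/views', 0700, true);
file_put_contents($root . '/views/header.php', '<h1>header</h1>');
file_put_contents($root . '/secret.txt', 'not for templates');

$tests = ['header.php', 'header.php?x=1', '../secret.txt',
          'http://example.com/a.php', 'missing.php'];
foreach ($tests as $name) {
    $path = resolve_include($root . '/views', $name);
    printf("%-26s => %s\n", $name, $path === null ? 'rejected' : 'allowed');
}
```

Because the `include` branch in the posted switch executes whatever file it is given, the base directory should hold only files that are meant to run as templates.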