I'd get the file name variable using _GET, and if there is none, then it would load the home page content file.
Is there anything I'm overlooking or should take into consideration with this method? Is there a downside to using the query string to send the page name to load? For security reasons I'd remove the .php in the variable but still include the .php file extension in the index page (if you get my flow).
Also doing this opens your site to script injections. To stop this you'd want to clean the p variable by using:
// Read the requested page name; use an empty string when ?p= is absent
$page = isset($_GET['p']) ? $_GET['p'] : '';
// Characters to replace in the page name, and their replacements
$bad = array("<", ">", ".");
$good = array("*", "*", "*");
$clean_page = str_replace($bad, $good, $page);
Now when people attempt to close off some script and run another, such as:
?p="><?php phpinfo(); ?>
the code will read it as:
?p="**?php phpinfo(); ?*
(the "> closes off an HTML script, which allows you to then run a PHP info script, allowing PHP setup data to be displayed)
which makes the attack useless.
I may have forgotten some script endings, but as far as I know that should do the trick.
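An allowlist alternative to the character replacement above, as an added example that is not part of the original thread. It accepts only a fixed character set for p, appends .php itself, and confirms the resolved file sits inside the content directory; resolve_page, DEFAULT_PAGE and the pages directory layout are assumed names.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: content files are stored as <pagesDir>/<name>.php
const DEFAULT_PAGE = 'home';

/**
 * Map the raw ?p= value to a file inside $pagesDir, or null if it is rejected.
 */
function resolve_page($raw, string $pagesDir): ?string
{
    // Missing, empty or non-string input (?p[]=x arrives as an array) means home page.
    $name = is_string($raw) && $raw !== '' ? $raw : DEFAULT_PAGE;

    // Allowlist the character set instead of replacing "bad" characters:
    // dots, slashes, NUL bytes, quotes and angle brackets can never match.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }

    // The .php extension is appended here and never taken from the request.
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $name . '.php');

    // realpath() returns false for missing files and resolves symlinks,
    // so the result must still sit directly inside the pages directory.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary pages directory and constructed sample inputs.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', 'home');
file_put_contents($dir . DIRECTORY_SEPARATOR . 'about.php', 'about');

$samples = [null, 'about', 'missing', '../index', '"><?php phpinfo(); ?>', ['x']];
foreach ($samples as $raw) {
    $file = resolve_page($raw, $dir);
    printf("%-28s => %s\n", json_encode($raw), $file === null ? '404' : basename($file));
}

// Remove the demo files again.
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*.php'));
rmdir($dir);
```

In the index page, a null result would be answered with a 404 and only a non-null path would be passed to include.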