Simple PHP security patch

I’ve created (after some weird experiences with users in my hosting) small php patch (for version 4.3.10), which disables remote includes.This patch doesn’t work with Zend Optimizer enabled unfortunately :(

Download the patch there. After applying, see php.ini-dist and

example of bad code:

  $page = $_GET['page']; 
  include ($page); 

example of better code:

  // filter all unneeded characters 
  $page = eregi_replace("[^a-z0-9_]","", $_GET['page']).".inc.php"; 
  // test if $page exists and is file 
  if (strlen($page) && @file_exists($page) && @is_file($page)) { 
    require_once ($page);