PHP - Is “include” function secure?

傲寒 2020-12-06 06:28

I'm using the "include" function (e.g. "include 'header2.php'" or "include 'class.users.php'") to add the header or session class in my website. I don't really r

8 Answers
  •  北海茫月
    2020-12-06 07:26

    Include can be abused if you do something like this:

    include($_GET["page"]);
    

    and then call the URL:

    myscript.php?page=index.php

    Attackers can then substitute index.php for hxxp://hackerz.ru/install_stuff.php and your server will gladly run it.

    Include itself is perfectly safe. Just make sure to always validate/escape your input.
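
One way to do the validation the answer above calls for, as an added example that is not part of the original answer: the request value is used only as a lookup key in a fixed allowlist, so it never becomes a path or URL. The page names, the `pages` directory and the `resolve_page` helper are hypothetical, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request key => file inside the pages directory.
const ALLOWED_PAGES = [
    'index'   => 'index.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a user-supplied page name to an absolute file path, or return null.
 * The request value is only ever an array key, never part of a path.
 */
function resolve_page(mixed $requested, string $baseDir): ?string
{
    // Rejects arrays (?page[]=x), unknown names, URLs and traversal strings.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$requested]);

    // Defence in depth: the file must exist and resolve inside $baseDir,
    // which also catches a symlink pointing outside the directory.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? 'index', __DIR__ . '/pages');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

Leaving the `allow_url_include` setting in php.ini at its default of Off also makes `include` refuse URL wrappers, but the allowlist is still needed to keep local paths under control.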
