So I have to replace all my links, one by one in that manner:
That's one good way to do it.
Basically, in its original form, your script was vulnerable to variable poisoning.
No validation was performed on the incoming variable $page.
Worse still, its unrestricted use in include means that an attacker can include any arbitrary file that is accessible by your script.
If URL fopen wrappers are enabled on your server, an attacker could include a file from an external server under his/her control.
This is bad.
But the problem here is that your server administrators are taking the wrong steps to try and improve security, in my opinion.
Take for example a properly validated script, using an array instead of a switch:
<?php
if (isset($_GET['page'])) {
    $pages_array = array("foo.php", "bar.php", "baz.php");
    if (in_array($_GET['page'], $pages_array)) {
        include $_GET['page'];
    } else {
        // invalid page
        include 'default_page.php';
    }
} else {
    // page not set
    include 'default_page.php';
}
?>
This is not vulnerable to variable poisoning, but on your server it apparently won't work, since the server admin did not consider it.
Instead, they should set register_globals in php.ini to Off and possibly disable URL fopen wrappers.
But ultimately the burden of validating your incoming variables properly lies with you.
That said, I've never heard of anyone disabling the use of variables as arguments in a given function.
I thought that one either allowed or disabled the function.
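An added example, not part of the original post: a variant of the allowlist idea where the request supplies only a page key and the file name always comes from the script, plus a check of the php.ini directives discussed above. The page keys, file names and function names are constructed for illustration; allow_url_include is included as the directive that governs URL wrappers in include on PHP 5.2 and later.

```php
<?php
// Added example; PAGES, DEFAULT_PAGE and both function names are hypothetical.

// Public page keys mapped to files. The request never supplies a file name.
const PAGES = [
    'foo' => 'foo.php',
    'bar' => 'bar.php',
    'baz' => 'baz.php',
];
const DEFAULT_PAGE = 'default_page.php';

// Return the file to include for a requested page key.
// Anything that is not a string key present in PAGES falls back to the default.
function resolve_page($requested): string
{
    // ?page[]=x arrives as an array, so reject non-strings before the lookup.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return DEFAULT_PAGE;
    }
    return PAGES[$requested];
}

// List the php.ini directives, among those that widen the impact of an
// unvalidated include, that are currently enabled.
function risky_include_settings(): array
{
    $enabled = [];
    foreach (['register_globals', 'allow_url_fopen', 'allow_url_include'] as $directive) {
        // ini_get() returns false for directives this PHP version does not have.
        $value = ini_get($directive);
        if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $directive;
        }
    }
    return $enabled;
}

// Constructed inputs: a valid key, two values that must be rejected, and an array.
$samples = ['foo', '../../etc/passwd', 'http://example.invalid/x.txt', ['foo']];
foreach ($samples as $input) {
    echo json_encode($input, JSON_UNESCAPED_SLASHES), ' => ', resolve_page($input), PHP_EOL;
}
echo 'Enabled risky directives: ', implode(', ', risky_include_settings()) ?: 'none', PHP_EOL;

// In the real script the lookup result is what gets included:
// include resolve_page($_GET['page'] ?? null);
```

Only the first sample resolves to foo.php; the other three fall back to default_page.php.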