I recently discovered a security hole on my server where one of my clients was using $_GET data unchecked in an include statement. Now I know this is incredibly bad programming technique but I have quite a few sites on this server. Rather than trawling through all my clients code, is there a configuration setting that affects includes and basically disallows any script from including files from outside the server? Does safe_mode do this?
