Hi,

I have a file-based navigation system that lists out files in a directory with glob, excludes some files and finally highlights the current selected page.
See script below. I wonder if there are any security issues I should address since I'm using $_GET?
As far as I know there is a function called htmlspecialchars(), but I'm not sure this is what I should use and where to put it?

<?php
# File-based navigation script
# Read the requested page once; isset() avoids an undefined-index notice
$page = isset($_GET['page']) ? $_GET['page'] : '';

print "<p>";
foreach (glob("*.php") as $file) {
        # Skip helper scripts that should not appear in the menu
        if (preg_match("/(calendar|endre|index|test|glob|scandir)\b/i", $file)) continue;
        # Menu label: "calendar.php" -> "Calendar"
        $label = ucfirst(substr($file, 0, -4));
        # Highlight the currently selected page
        $highlight = ($page == $file) ? " <font color='red'>" . $label . " </font> " : $label;
        print " <a href='index.php?page=$file' style='text-decoration:none'>" . $highlight . "</a> | ";
}
print "</p>";

if (!$page) {
        # Blank page
}
else {
        # Prints out selected page: includes whatever file name was passed in ?page=
        include ($page);
}
?>
6 months later
1. What's "Filabased"? (They make soccer equipment/apparel, right?) 😃

2. I like it, with a couple of observations:

  A: a list across the page is efficient, but not pretty. Not sure how much that bothers me ... will you style it?

  B: <font> tags are deprecated ... how about a span instead?

  C: I would NOT, repeat would NOT "include" the file called by GET. Of course, that might depend on where you have this placed, but running something via GET could represent a potential security issue. I damn near fainted because I put your script into my current WD, and put a listed scriptname in the GET string, and it started an operation in my app ... fortunately, the app informed me it had no data queued to act upon 😉 😉
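As an added example (not code from either poster), here is one way to harden the original script along the lines of observation C and the question about htmlspecialchars(): the page to include is only ever taken from the list glob() produced, and htmlspecialchars() is applied where the file name is written into HTML. The exclusion pattern and the `?page=` parameter name are kept from the original; everything else is assumed.

```php
<?php
# Added example: hardened file-based navigation.
# The page to include is never taken from $_GET directly; it has to
# match one of the names produced by glob() (an allow-list).

# Build the allow-list of navigable pages (same exclusion rule as the original).
$pages = [];
foreach (glob("*.php") as $file) {
    if (preg_match("/(calendar|endre|index|test|glob|scandir)\b/i", $file)) {
        continue;
    }
    $pages[] = $file;
}

# Accept only a plain string that exactly equals an allow-listed entry.
# basename() drops any directory part, so "../../etc/passwd" can never match,
# and the strict in_array() check rejects anything glob() did not list.
$requested = (isset($_GET['page']) && is_string($_GET['page']))
    ? basename($_GET['page'])
    : '';
$current = in_array($requested, $pages, true) ? $requested : null;

function label(string $file): string {
    # "calendar.php" -> "Calendar", escaped at the point it enters the HTML
    return htmlspecialchars(ucfirst(substr($file, 0, -4)), ENT_QUOTES, 'UTF-8');
}

print "<p>";
$links = [];
foreach ($pages as $file) {
    # URL-encode the query value; use a span instead of the deprecated <font>
    $href = 'index.php?page=' . rawurlencode($file);
    $text = ($file === $current)
        ? "<span style='color:red'>" . label($file) . "</span>"
        : label($file);
    $links[] = "<a href='$href' style='text-decoration:none'>$text</a>";
}
print implode(" | ", $links);
print "</p>";

if ($current !== null) {
    # $current is one of this directory's own listed files, chosen from the allow-list.
    include __DIR__ . '/' . $current;
}
?>
```

A request for a name that is not in `$pages` simply renders the menu with nothing selected, which is the behaviour the original had for an empty `?page=`.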