How can I sanitize my include statements?

孤街浪徒 2021-01-20 19:47

How do I clean this so users can't pull pages outside of the local domain?



        
4 Answers
  •  孤街浪徒
    2021-01-20 20:08

    The safest way is to whitelist your pages:

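    // Default page, used when the request names nothing valid
    $page = 'home.php';
    
    // Only these files may ever be included
    $allowedPages = array('one.php', 'two.php' /* , ... */);
    
    // Strict comparison; a non-string value such as ?page[]=x never matches
    if (!empty($_GET['page']) && in_array($_GET['page'], $allowedPages, true))
        $page = $_GET['page'];
    
    include $page;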
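
An added example, not part of the original answer: the same allowlist idea taken one step further, so the request value is only ever an array key and the resolved file is also checked to sit inside one directory. The function name `resolvePage`, the page keys and the temp-directory layout are assumptions made for illustration.

```php
<?php
// Added example (not from the original answer). Names and paths are assumptions.

/**
 * Map a user-supplied page key to a file inside $baseDir, or fall back to the default.
 * The user value is only ever used as an array key, never as part of a path.
 */
function resolvePage($requested, array $allowed, string $baseDir, string $default): string
{
    // ?page[]=x arrives as an array; anything that is not a known string key is ignored.
    $key = (is_string($requested) && array_key_exists($requested, $allowed))
        ? $requested
        : $default;

    // Defence in depth: the resolved file must exist and sit inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($base . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('page file missing or outside base directory');
    }
    return $path;
}

// Constructed sample pages in a temp directory so the script runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . uniqid();
mkdir($dir);
file_put_contents("$dir/home.php", "<?php echo 'home', PHP_EOL;");
file_put_contents("$dir/one.php", "<?php echo 'one', PHP_EOL;");

$allowed = ['home' => 'home.php', 'one' => 'one.php'];

// Constructed request values: a valid key, a relative path, a URL, an array.
$samples = ['one', '../outside.php', 'http://example.com/x.php', ['one']];
foreach ($samples as $input) {
    // Only the first sample resolves to one.php; the rest fall back to home.php.
    include resolvePage($input, $allowed, $dir, 'home');
}
```

In a request handler, pass `$_GET['page'] ?? null` as the first argument.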
    
