I would like to have a REGEX
to filter/match the QUERY_STRING
whenever it contains parameters like these: php|data|ftp|http|..|/|://
and any other character that can be used for Remote File Inclusion.
Thanks to all for the time.
PS: I know this is better done with htaccess, but I need a regex now.
If you want to prevent remote file inclusion, you could simply disable the stream wrappers, e.g.
- allow_url_include - this option allows the use of URL-aware fopen wrappers with the following functions: include(), include_once(), require(), require_once().

and for any other URL-aware functions, disable
- allow_url_fopen - This option enables the URL-aware fopen wrappers that enable accessing URL object like files

If you want to check if the query param is a URL, you can use parse_url
if (parse_url($url) === FALSE) { /* $url could not be parsed as a URL */ }
or use the filter_* functions
if (filter_var($url, FILTER_VALIDATE_URL) === FALSE) { /* $url did not pass FILTER_VALIDATE_URL */ }
Don't. If that's your security, it's likely to break. Whitelist and/or check for the existence of local files before including/requiring anything. Better yet: don't let anyone have any direct influence over what files you include with outside variables.
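The whitelist-plus-existence check described in the answer above, sketched as an added example that is not part of either answer. The function name `resolve_page`, the page keys and the temporary directory are hypothetical, and PHP 8.0 or later is assumed.

```php
<?php
// Added illustration; resolve_page() and the page keys are hypothetical names.
declare(strict_types=1);

// Whitelist: request key => file name. The request value is only ever used
// as a lookup key, never concatenated into a path or passed to include.
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/** Map a request parameter to an existing local file, or return null. */
function resolve_page(mixed $param, string $baseDir, array $allowed = ALLOWED_PAGES): ?string
{
    // Arrays (?page[]=x) and anything not on the whitelist are rejected outright.
    if (!is_string($param) || !array_key_exists($param, $allowed)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$param]);
    if ($base === false || $path === false) {
        return null; // base directory or target file does not exist
    }
    // The resolved path must be a regular file inside the base directory
    // (realpath() follows symlinks, so a link pointing elsewhere fails here).
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR) || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway pages directory containing only home.php.
$dir = sys_get_temp_dir() . '/rfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home';");

// Constructed sample inputs, including the kinds of values from the question.
$inputs = ['home', 'about', 'http://example.test/x.txt', 'php://input', '../../etc/passwd', ['home']];
foreach ($inputs as $in) {
    $file = resolve_page($in, $dir);
    printf("%-32s => %s\n", json_encode($in), $file === null ? 'rejected' : 'include ' . basename($file));
}

unlink($dir . '/home.php');
rmdir($dir);
```

In the demo, `about` is on the whitelist but its file is missing, so it is rejected by the existence check rather than by the key lookup.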