I learned a lot at Stack Overflow, it's my favorite programming website, and researching here I found the answers to many of my questions. Now that I've finished the code I need to know: does it have any security flaw?
It needs to get the domain name from the URL in order to see if a var file containing that expression exists in the directory and output its content. Your help is really appreciated!
Would it be enough if I sanitize HTTP_HOST using htmlspecialchars and preg_replace? Using strip_tags would be overkill, no? Removing those special characters from the array is also redundant, don't you think?
Edit:
I'll alter the code and also add protection to the include files themselves. Many thanks!
No. You should be using a white-list of allowed expressions. For something as dangerous as include you definitely don't want to rely on a black-list and simple sanitization.
You would also hardcode which directory contains your PHP files.
Supposing you keep all the *var.php files in a special directory (let's say /var/www/include/vars/) you could read them into an array, and confine the selection within the boundaries of that array, instead of just is_file()ing:
    $vardir = '/var/www/include/vars/';
    $varfiles = array();
    foreach (scandir($vardir) as $fn) {
        if (($fn != '.') && ($fn != '..')) {
            $varfiles[] = "$vardir$fn";   // every file present in $vardir is an allowed target
        }
    }
    /* Next, do whatever sanitizing you see fit */
    $fnvar = $vardir . $_SERVER['HTTP_HOST'] . 'var.php';   // candidate path built from the requested host (assumed here)
    /* Include the candidate only if it is exactly one of the files found in $vardir (strict comparison) */
    if (in_array($fnvar, $varfiles, true)) include_once $fnvar;
Note that this, essentially, is a whitelist, mentioned in the comments: if you create a new {xyz}var.php in the $vardir directory, you are actually inserting a new entry in the whitelist.
So as @ack__ points out too, you can't avoid a whitelist one way or another...
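The whitelist approach from the answer above, carried a step further as an added example (not code from the question or the answer): the Host header is normalised, looked up as a key in a map built from the directory, and the resolved path is checked to still live inside the var directory. The directory name and the `<host>var.php` naming scheme are assumptions taken from the question.

```php
<?php
// Added example, not from the original post. Assumes files are named <host>var.php
// and live in $vardir; the Host header is never used directly as part of a path.
function buildVarWhitelist(string $vardir): array
{
    $whitelist = [];
    foreach (scandir($vardir) as $fn) {
        // Accept only regular files matching the expected naming scheme;
        // this skips '.', '..', subdirectories and anything unexpected.
        if (preg_match('/^([a-z0-9.-]+)var\.php$/', $fn, $m) && is_file($vardir . $fn)) {
            $whitelist[$m[1]] = $vardir . $fn;   // key: host name, value: full path
        }
    }
    return $whitelist;
}

function resolveVarFile(array $whitelist, string $hostHeader, string $vardir): ?string
{
    // Normalise the client-supplied value: lowercase, drop any ":port" suffix.
    $host = strtolower(explode(':', $hostHeader, 2)[0]);
    // Exact key lookup: anything not already on disk is rejected, no sanitizing needed.
    if (!isset($whitelist[$host])) {
        return null;
    }
    // Defence in depth: the resolved real path must still sit under $vardir.
    $real = realpath($whitelist[$host]);
    $base = realpath($vardir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$vardir    = '/var/www/include/vars/';
$whitelist = buildVarWhitelist($vardir);
$file      = resolveVarFile($whitelist, $_SERVER['HTTP_HOST'] ?? '', $vardir);

if ($file !== null) {
    include_once $file;
} else {
    http_response_code(404);   // unknown host: serve nothing rather than guessing a file
}
```

Dropping a new `{xyz}var.php` into the directory is still the only way to extend the whitelist, which is the property the answer describes.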