PHP security issue

software development

#1
<?php
if (isset($_GET['page']) && file_exists("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php")) {
    include("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php");
} else {
    include("{$_SERVER['DOCUMENT_ROOT']}/includes/sorry.php");
}
?>

thanks to Atropos7 for pointing this out

And it is flawed.

For example, visit this URL:

Now you didn’t put banner.jpg in the includes directory did you? Click on that link then see what the browser does to the URL.

But this “trick” isn’t really a trick; every developer should know not only why it works but also how it affects the security of their applications and computer systems. This doesn’t just happen with URLs, it happens with paths when using files and directories.

openvein.org -//-

I’m searching it now, but what can I do to fix this or prevent this?

Matta
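A hardened version of the include pattern from post #1, added here as an example rather than code from the thread. It answers the question above with two layers: an allowlist of page names, and a realpath() check that the resolved file still sits inside the includes directory. The includes directory location and the page names in the allowlist are assumptions.

```php
<?php
// Added example, not code from the original thread. The "page" parameter is
// never used to build a path until it has passed an allowlist, and the
// resulting path is then confirmed to resolve inside INCLUDES_DIR.
declare(strict_types=1);

const INCLUDES_DIR = __DIR__ . '/includes';   // assumption: where pages live

// Layer 1: only these names are ever considered (assumed page names).
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Resolve a user-supplied page name to a file inside INCLUDES_DIR,
 * or return null when the request must fall back to sorry.php.
 */
function resolvePage(mixed $page): ?string
{
    // ?page[]=x arrives as an array, so reject anything that is not a string.
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }

    // Layer 2 (defence in depth): realpath() collapses ".." and symlinks, so
    // a path that escaped the directory would show up here as a foreign prefix.
    $base = realpath(INCLUDES_DIR);
    $path = realpath(INCLUDES_DIR . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null; // directory or page file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the includes directory
    }
    return $path;
}

$target = resolvePage($_GET['page'] ?? null) ?? INCLUDES_DIR . '/sorry.php';
include $target;
```

With only the allowlist, the realpath() check is redundant; it is kept so that a later edit loosening the allowlist does not silently reopen the traversal.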