Oh, and a security question: currently, this allows access outside the webserver's directories (you can use /index.php?f=/etc/passwd for example). Any good tips on avoiding this kind of problem?


I don't get this problem, probably down to the server configuration, but I've put a simple preg in place to remove anything that isn't alphanumeric, just in case.
$f=preg_replace('/[^0-9A-Za-z]/', '', $f);
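
An added example, not part of either post above and not the posters' code: one way to handle the `f` parameter from the question is to reject any name outside an allowlist, then confirm with realpath() that the resolved file stays inside a single content directory. The function name resolve_include(), the demo directory and the fixed .php extension are assumptions.

```php
<?php
// Added example. resolve_include() and the demo directory are hypothetical names.

function resolve_include(string $f, string $baseDir): ?string
{
    // Allowlist the whole name; reject rather than strip, so "a/b" never becomes "ab".
    // \A and \z anchor the match, which also excludes NUL bytes and trailing newlines.
    if (!preg_match('/\A[0-9A-Za-z_-]{1,64}\z/', $f)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing
    }

    // The extension is fixed by the server, never taken from the request.
    $path = realpath($base . DIRECTORY_SEPARATOR . $f . '.php');
    if ($path === false) {
        return null; // no such file
    }

    // Containment check on the resolved path: catches symlinks pointing elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary content directory holding one page.
$demoDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
if (!is_dir($demoDir)) {
    mkdir($demoDir, 0700, true);
}
file_put_contents($demoDir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");

// Constructed sample values for the f parameter, including the one from the question.
foreach (['home', '/etc/passwd', '../../etc/passwd', 'home.php', 'missing'] as $candidate) {
    $resolved = resolve_include($candidate, $demoDir);
    printf("%-18s => %s\n", $candidate, $resolved ?? 'rejected');
}
```

In index.php the caller would include the returned path only when it is not null and answer with a 404 otherwise.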