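// Input contract: cmd has the form command:section:value:... and must not
// contain whitespace or HTML markup.
//
// Abort the request unless cmd is present, is a string (a query such as
// cmd[]=x arrives as an array), and is free of whitespace and angle brackets.
// The previous check rejected only the literal space character, so tabs,
// newlines and tags were accepted despite the stated contract.
// preg_match() returns false on error; comparing against 0 makes that case
// fail closed as well.
// NOTE(review): this is a coarse input filter, not a substitute for escaping
// $cmd for the context it is later used in - confirm how the parsed
// command/section/value parts are consumed downstream.
if (
    !isset($_GET['cmd'])
    || !is_string($_GET['cmd'])
    || preg_match('/[\s<>]/', $_GET['cmd']) !== 0
) {
    die();
}

$cmd = $_GET['cmd'];
?>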