what you were doing was still potentially insecure though; if you don't validate $page in some way in your case, then I can include any PHP file that exists on your server as long as I create a relative path. this may have been something you knew, but I'm willing to bet some other people who will take your advice wouldn't have known ;) I don't personally use either of the methods I described (for basically the reason you stated -- maintainability), but I have in the past. and, for the most basic implementations, they're simple and easy.