Drupal: Secure include()
Files must be included (with include) as safely as possible.
Solution:
Here are the PHP functions which include files:
- include
- include_once
- require
- require_once
Attacks try to make your script execute code from another site.
To protect yourself from such attacks you should:
- Verify passed data.
Verify the data a script receives with a regular expression or by other means.
- PHP settings.
Make sure the following lines are present in the php.ini file:
allow_url_include = Off ; including files by URL (non-local files) is forbidden
allow_url_fopen = Off   ; opening URLs is forbidden, only local files
register_globals = Off  ; disable initialization of global variables
safe_mode = On          ; enable safe_mode
- Use an absolute path.
Include a file by its absolute path only. If the file does not exist, PHP searches for it in the folders listed in include_path.
- Specify the files which can be included in the code.
If the set of files that may be included is known, use a switch statement for verification:
global $page;
switch ($page) {
    case '':
        include('pages/main.php');
        break;
    case 'page1':
        include('pages/folder/page1.php');
        break;
}
It would be better to pass a code as the parameter instead of a file name, for example the md5 sum of the path to the file.
- Verify that the file exists.
You can verify that a local file exists with the file_exists() function. If there are many files, the server may be overloaded, so be careful!
- Limit file uploads.
Limit the file extensions users can upload to the server.
- Exclude the folders users upload their files to from inclusion.
Do not include files from folders containing files uploaded by users.
- Do not include files from system folders.
Clean paths of this kind, "../../../../usr/local/apache/logs/access.log", with the stripslashes() function.
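As an added example (not code from the original article or from Drupal), here is a dispatcher that combines the points above: validation of the passed data, a whitelist keyed by the md5 sum of the path, an absolute path, and an existence check. The pages directory layout, the p parameter and the page names are assumptions.

```php
<?php
// Added example, not from the original article: a whitelist include dispatcher
// that combines the article's points. File names and layout are hypothetical.
declare(strict_types=1);

// Directory of includable pages (assumed layout). The user-upload directory
// lives outside it, so the prefix check below also excludes uploaded files.
define('PAGES_DIR', __DIR__ . '/pages');

// Whitelist: the only files that may ever be included. The request carries the
// md5 sum of the path, as the article suggests, rather than the path itself.
$allowed = [
    md5('pages/main.php')         => 'main.php',
    md5('pages/folder/page1.php') => 'folder/page1.php',
];

function resolve_page(array $allowed, string $token): ?string
{
    // 1. Validate the passed data: a token is exactly 32 hex characters.
    if (!preg_match('/^[a-f0-9]{32}$/', $token)) {
        return null;
    }
    // 2. Only whitelisted keys are accepted; user input never becomes a path.
    if (!isset($allowed[$token])) {
        return null;
    }
    // 3. Absolute path with symlinks and "../" segments resolved. Note that
    //    stripslashes() only removes backslashes and leaves "../" untouched.
    $root = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $allowed[$token]);
    // 4. The file must exist and must still lie under PAGES_DIR.
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    $root .= DIRECTORY_SEPARATOR;
    if (strncmp($path, $root, strlen($root)) !== 0) {
        return null;
    }
    return $path;
}

// Usage: an empty parameter selects the main page, as in the article's switch.
$param = is_string($_GET['p'] ?? null) ? $_GET['p'] : '';
$file  = resolve_page($allowed, $param === '' ? md5('pages/main.php') : $param);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```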