The issue: Variables in include statements can lead to execution of external code With allow_url_fopen = On (default) external code can be included ]]> The solution: Validate included files against a whitelist using arrays or switch statements. 'show.php', 'list' => 'list.php', ); if (isset($files[$_GET['action']])) { require_once $files[$_GET['action']]; } else { echo 'Not a valid action.'; } ?>]]>