A common attack vector used by attackers against web applications is to attempt to convolute the commonly used include(), include_once(), require() and require_once() functions. These functions will include files into the currently executing script, and even evaluate their contents. This can lead to a number of dangerous conditions that expose web applications to attacks.
Suppose you're using the following, common, script in your application:
Check: PHP Arbitrary File Include