If you've ever struggled with allowing user input on your site (much less a require based on it), then you know the frustration that we're talking about. Thankfully, EvilWalrus.com might just have the answer to ease your mind.
In their latest article, Including based upon user input, the safe way, they start off by describing what not to do (accept input without validation), and how to stop a sneaky user from getting to files outside of your document root. Their way around this common problem is to create an "allowed array" of page names. Then, all the script has to do is check this array (with in_array) and ensure that there's a match. If not, it's probably someone, somewhere trying to break things.
This method is one of many out there (obviously), and some might be a bit more dynamic, but this method is stable and pretty fool-proof. Personally, I like to check and ensure that the path they've input is under the document root - but that's just me...
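
The two checks mentioned above, side by side, as an added example (not code from the EvilWalrus.com article or from this site). The function names, the `pages` directory and the sample page names are assumptions made for illustration.

```php
<?php
// Added illustration. resolve_allowed(), resolve_under_root() and the
// pages/ layout are hypothetical names, not taken from the article.

// Allow-list check: only names present in the array map to a file.
function resolve_allowed(string $requested, array $allowedPages, string $baseDir): ?string
{
    // Third argument forces strict comparison, avoiding loose type juggling.
    if (!in_array($requested, $allowedPages, true)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . $requested . '.php';
}

// Alternative check: canonicalise the path, then confirm it sits under the root.
function resolve_under_root(string $requested, string $rootDir): ?string
{
    $root = realpath($rootDir);
    $path = realpath($rootDir . DIRECTORY_SEPARATOR . $requested . '.php');
    // realpath() returns false when the target does not exist.
    if ($root === false || $path === false) {
        return null;
    }
    // The trailing separator keeps "/srv/pages-old" from matching "/srv/pages".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree: one permitted page, one file outside the page root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . uniqid();
mkdir($root . DIRECTORY_SEPARATOR . 'pages', 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home';");
file_put_contents("$root/secret.php", "<?php echo 'secret';");
$pages = "$root/pages";

// Constructed inputs: a listed page, an unlisted page, a traversal attempt.
foreach (['home', 'contact', '../secret'] as $input) {
    $byList = resolve_allowed($input, ['home', 'about'], $pages);
    $byRoot = resolve_under_root($input, $pages);
    printf("%-10s allow-list: %-7s under-root: %s\n",
        $input, $byList ? 'ok' : 'reject', $byRoot ? 'ok' : 'reject');
}
```

Only `home` passes both checks. The under-root check accepts any existing file below the root, so it is the more permissive of the two.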




