The "Jelly & Custard" blog has a good reminder today for both those experienced with templating in PHP and those just starting out - be careful how you include.
It's quite common for people to have one main template, and 'include' their content into the main content area. This works well for small informational sites, where the main content is the bit that changes on each page.
There's nothing wrong with this as such; however, the issue is when the input isn't validated.
He gives one or two examples of how it's usually implemented, how it can be exploited, and two ways to help combat the problem - a php.ini setting and some simple input validation.
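The pattern described above, with the weak include next to a validated one, as an added example that is not code from the "Jelly & Custard" post. The page names, the `content/` directory and the `resolve_page()` helper are hypothetical, and the code assumes PHP 8.0 or later. The post's php.ini setting is not named on this page; `allow_url_include = Off` is the standard setting that stops `include` from loading URLs.

```php
<?php
declare(strict_types=1);

// Weak pattern, kept as a comment for contrast: the request parameter
// becomes part of the include path with no validation.
//   include $_GET['page'] . '.php';

// Validated form: the parameter is only a lookup key into a fixed map,
// so no request data ever reaches the filesystem path.
const CONTENT_DIR = __DIR__ . '/content';   // hypothetical directory
const PAGES = [                             // hypothetical page names
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(mixed $requested): ?string
{
    // Reject arrays (?page[]=x) and anything that is not a short token.
    if (!is_string($requested)
        || preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested) !== 1) {
        return null;
    }
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must exist inside CONTENT_DIR.
    $base = realpath(CONTENT_DIR);
    $path = realpath(CONTENT_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    // Unknown or malformed page name: fail closed, include nothing.
    http_response_code(404);
    echo 'Page not found';
} else {
    include $page;
}
```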