Exposed Code

When you program in php or any language that includes or imports plain text code from other files into some source code you are writing, you watch out for involuntary exposure of the include code. The situation to watch for

You should name your include files with a php suffix ...inc.php which means your code will be interpreted, not printed as might otherwise be the case.

Best advice is keeping all you don't want to risk reading in a browser away from the document root, ie away from the htdocs tree.

Generally you should be on guard against using variable data from a query string to create filenames as in

<?php
    include "includes/{$_GET['somevar']}.inc.php"
?>

Variables unfiltered like that may be tainted, and should of course be filtered at the very least. If used unfiltered this could be used against your application by injecting filenames resulting in including malicious code.