"Please help me debug this virus." I'm paraphrasing something that was posted, a long while ago now, on a board I look after ... and I deleted the code pretty darned fast, as I didn't (and still don't) want to form a source of information for the less scrupulous.
I was looking at a few issues on one of our servers earlier today, and found myself looking through page after page of attempted injection attacks, where a rogue visitor to the web site (almost inevitable an automated program) supplies a parameter that's the URL from another site, in the hope that my PHP script will read that other page and run the code therein on my server ... here's an example of the sort of thing (and this one's quite well known, and I have obfuscated it anyway, so I am giving few secrets away)
Now ... this issue turned out to be a side shoot of what I was hunting down, but it acts as a timely reminder to be very careful indeed about using PHP's require
(and that may not be an exhaustive list either) on anything that could remotely be a variable derived from a user input via $_REQUEST
What's the risk?
It's an injection attack (yes, I have the code. No - I am not reproducing it here!) and if it succeeds in finding a hole in your system, chances are (and experiences I have heard of confirm) that it will install itself on your server which will then form a part of the breeding colony ...
How many hack attempts like this are we getting?
I estimate it's now thousands per day.
How do I know if I'm infected
Well ... if you search your web pages for kangkung or RoxTeam and find something that you didn't know was there ...
Please note that this is just an example of one form of injection attack - this article is not intended to provide a complete of definitive list in any shape or form! (written 2008-08-31, updated 2008-09-04)
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articlesH117 - Security in PHP 
A small teaching program - demonstration of principles only - (2016-02-08) 
An easy way to comply with the new cookie law if your site is well designed - (2012-06-02) 
How to stop forms on other sites submitting to your scripts - (2012-04-15) 
Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22) 
Protecting your images from use out of context - (2010-08-29) 
Security considerations in programming - what do we teach? - (2010-03-22) 
Injection Attack if register_globals in on - PHP - (2009-02-04) 
Who is watching you? - (2008-08-10) 
Defensive coding techniques in PHP? - (2008-07-02) 
PHP - Sanitised application principles for security and useability - (2008-06-16) 
Are nasty programs looking for security holes on your server? - (2008-02-17) 
A story about benchmarking PHP - (2007-12-23) 
Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19) 
Error logging to file not browser in PHP - (2007-10-11) 
Easy handling of errors in PHP - (2007-08-27) 
Injection attacks - safeguard your PHP scripts - (2007-02-20) 
Learning to write secure, maintainable PHP - (2007-01-25) 
What is an SQL injection attack? - (2006-11-27) 
A lion in a cage - PHP - (2006-11-10) 
Robust checking of data entered by users - (2005-08-27) 
Spotting a denial of service attack - (2005-06-12)
Some other Articles
Think before you sendCalling procs in Tcl and how it compares to PerlReceptionServer overloading - turns out to be feof in PHPInjection Attacks - avoiding them in your PHPPointing all the web pages in a directory at a databaseThe Rise and Rise of First Bus FaresDoes fruit and veg drag on?EasterholicWhat is my real and my effective ID? [Linux]