thanks for all the great info guys! I actually did try using include() and ob_start() but couldn't get it to work right. I probably just don't know what I'm doing since I have never used ob_start() before.
also, I don't really see how eval() is any more risky than include() - either way the code is being executed, so if there was malicious code being loaded, it executes both ways.
or am I missing something? sorry, I'm still an intermediate coder.