If you run the command:
That file will be executed at that point in the code. However, this command can also look like this:
And it will also execute that code. So if you had:
include($variable); where $variable was set based on input from the user at some stage, the user could theoretically execute arbitrary code.
For example, I saw one website where the URLs were all index.php?a=filename and index.php was a template with:
in the middle. If someone were to form a URL such as index.php?a=http://www.theirdomain.com/maliciousscript.php, problems would have ensued.
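One way to close the hole described above, shown as an added example that is not part of the original text: the a parameter is treated only as a lookup key into a fixed map, so no user-supplied string ever reaches include(). The page names, the pages/ directory and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// Added example. PAGES, resolve_page() and the pages/ directory are hypothetical.

// Pattern the text describes (kept as a comment only):
//   include($_GET['a']);   // the request parameter chooses the file to execute

// Hardened form: the request value selects an entry from a fixed allowlist.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested, string $baseDir): ?string
{
    // Reject arrays (index.php?a[]=x) and anything that is not an exact key.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // The path is built only from constants defined in this file.
    return $baseDir . '/' . PAGES[$requested];
}

// Constructed sample inputs, including the URL form mentioned in the text.
$samples = [
    'about',
    'http://www.theirdomain.com/maliciousscript.php',
    '../../etc/passwd',
    'about.php',
    ['about'],
];

foreach ($samples as $a) {
    $path  = resolve_page($a, __DIR__ . '/pages');
    $label = is_array($a) ? '(array value)' : $a;
    printf("%-48s => %s\n", $label, $path ?? 'rejected (serve 404)');
}

// Use inside index.php:
//   $path = resolve_page($_GET['a'] ?? 'home', __DIR__ . '/pages');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
//
// Defence in depth: keep allow_url_include = 0 in php.ini so that include()
// refuses http:// and ftp:// sources even if a check like this is bypassed.
```

Only the first sample resolves to a path; the remote URL, the traversal string, the raw filename and the array value are all rejected before include() is reached.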