Using databases means that SQL injection could be a problem, so use mysql_real_escape_string [uk2.php.net] or mysqli_real_escape_string [uk2.php.net] (the mysqli version will protect against multibyte character hacks; I don't believe that the mysql version does). Obviously this assumes a MySQL database, but the other databases have similar functions, or you can write your own if you are that way inclined.
The other method would be to use prepared statements [uk2.php.net].
As you said, do not allow users to decide what you include, as then you could include whatever they want you to. This should also include not using any of the other file functions with user-supplied data, i.e. fopen($_GET['file']) would not be a good thing.
The easiest way to secure your site is to view all user-supplied information as dangerous. Then you shouldn't be tempted to allow that data to be used when it hasn't been cleaned.
The extent of that cleaning is up to you.
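
The two points above (bind values rather than building SQL strings, and never hand request data to include or fopen) as an added PHP example that is not part of the original post. It assumes PDO with an in-memory SQLite database so it runs without a server; the table, page names and paths are hypothetical.

```php
<?php
// Added example. PDO + in-memory SQLite is an assumption made so the
// script runs offline; prepare()/execute() are used the same way with
// the PDO MySQL driver.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Prepared statement: the value is bound as data and is never parsed
// as part of the SQL text, so no escaping function is needed.
function findUser(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Allowlist for includes: the request value only selects a key. The
// path that reaches include/fopen always comes from this fixed map.
const PAGES = [
    'home'    => 'pages/home.php',    // hypothetical paths
    'contact' => 'pages/contact.php',
];

function resolvePage($requested): ?string
{
    // Reject arrays (?page[]=x) and any key that is not in the map.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null; // caller should answer with a 404
    }
    return __DIR__ . '/' . PAGES[$requested];
}

// Constructed inputs standing in for $_GET values.
foreach (['alice', "alice' OR '1'='1"] as $name) {
    printf("name=%s rows=%d\n", $name, count(findUser($db, $name)));
}
foreach (['contact', '../../etc/passwd', ['x']] as $page) {
    printf("page=%s resolved=%s\n", json_encode($page),
        var_export(resolvePage($page), true));
}
```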