Article: Ten Security Checks for PHP, Part 1
Subject: get/post
Date: 2004-11-17 15:05:41
From: ClancyMalcolm
Response to: get/post
Lancelotti,
The above code provides a little security - it limits people to only including PHP files from the local machine. However, a user can choose ANY PHP file on the machine (subject to the web server's account permissions) and include that file by using a value for page like '../../example'.
You could prevent this by checking the value using a regular expression (maybe '^[a-z_]*$') or by using the realpath function to check that the resulting page is still in the desired directory.
(Note that if you were using the safe_mode setting it would be a bit different, but it may still be insecure.)
Hope this helps.
Regards,
Clancy
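The two fixes Clancy describes, written out as an added example (this is not code from the original thread or from the article it discusses). It assumes a layout in which the includable pages live in a `pages/` directory next to the script and are named like `home.php`; the function names, the `pages/` directory and the `?page=` parameter are assumptions for illustration. The first function shows the pattern under discussion, in which a value such as `../../example` escapes the intended directory; the second rejects anything outside a strict character allow-list; the third resolves the path with `realpath()` and confirms it still lies inside the pages directory.

```php
<?php
// Added example: a path-traversal-prone include and two hardened versions.
// Assumed layout: pages/home.php, pages/about.php, ... beside this script.

// PATTERN UNDER DISCUSSION: the prefix limits includes to the local machine,
// but "../../example" walks out of pages/ to any .php file the web server can read.
function include_page_unchecked(string $page): void
{
    include 'pages/' . $page . '.php';
}

// FIX 1: allow-list the name with a regular expression. The post suggests
// '^[a-z_]*$'; PCRE needs delimiters, "+" rejects the empty name, and the D
// modifier stops "$" from matching before a trailing newline.
function is_safe_page_name(string $page): bool
{
    return preg_match('/^[a-z_]+$/D', $page) === 1;
}

function include_page_regex(string $page): void
{
    if (!is_safe_page_name($page)) {
        http_response_code(400);
        exit('invalid page');
    }
    include 'pages/' . $page . '.php';
}

// FIX 2: canonicalise the resulting path and check it is still inside the
// pages directory. realpath() returns false for a non-existent file, so a
// missing page is rejected along with one that resolved elsewhere.
function resolve_page_path(string $page): ?string
{
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;
    }
    $target = realpath($base . '/' . $page . '.php');
    if ($target === false) {
        return null;
    }
    // Compare against "$base/" so a sibling directory such as pages_old/
    // does not pass as a prefix match.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function include_page_realpath(string $page): void
{
    $target = resolve_page_path($page);
    if ($target === null) {
        http_response_code(404);
        exit('page not found');
    }
    include $target;
}

// Entry point: default to "home" when no page is requested.
$page = $_GET['page'] ?? 'home';
include_page_regex($page);
```

Either check on its own closes the traversal described in the reply; the regex version is the simpler one to reason about because it never lets `.`, `/` or `\` into the path at all, while the `realpath()` version is the one to use when page names legitimately need characters beyond the allow-list. With `is_safe_page_name()`, `home` and `about_us` pass, while `../../example`, `Home` (upper case) and the empty string are rejected.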