I've created (after some weird experiences with users in my hosting) a small PHP patch (for version 4.3.10) which disables remote includes. Unfortunately, this patch doesn't work with Zend Optimizer enabled :(
Download the patch here. After applying it, see php.ini-dist and readme.security.
Example of bad code:
<?php
// Vulnerable: the page parameter goes straight from the query string into
// include(). A URL (remote include, when allow_url_fopen is on) or a path
// such as ../../etc/passwd (local file include) is accepted unchanged.
$page = $_GET['page'];
include ($page);
?>
Example of better code:
<?php
// Filter out every character that is not a letter, digit or underscore.
// "/", ".", ":" and NUL cannot survive, so no URL, no "../" and no
// null-byte truncation reach include(). eregi_replace() is the PHP 4
// function; on PHP 7+ use preg_replace('/[^a-z0-9_]/i', '', ...).
$name = eregi_replace("[^a-z0-9_]", "", isset($_GET['page']) ? $_GET['page'] : "");
// Check for an empty name BEFORE appending the suffix (after appending,
// strlen() would always be non-zero and the check would be meaningless).
if (strlen($name)) {
    $page = $name . ".inc.php";   // only *.inc.php files can ever be included
    // test that $page exists and is a regular file, then include it
    if (@file_exists($page) && @is_file($page)) {
        require_once ($page);
    }
}
?>