My website was recently attacked through what seemed to me to be innocent code:
Use a whitelist and make sure the page is in the whitelist:
    $whitelist = array('home', 'page');
    // Fall back to the default page when no parameter was sent (avoids an undefined-index notice)
    $page = isset($_GET['page']) ? $_GET['page'] : 'home';
    // Strict comparison: only a string that exactly matches an allowed name passes
    if (in_array($page, $whitelist, true)) {
        include($page . '.php');
    } else {
        include('home.php');
    }
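A slightly stricter variant of the same idea, written here as an added example rather than code from the answer above: instead of concatenating the checked value into a path, map each allowed name to a fixed file, reject non-string input (PHP turns `?page[]=x` into an array), and log rejected values so probing shows up in the logs. It assumes the pages live in a `pages/` directory next to the script and that the request parameter is still `page`.

```php
<?php
// Added example, not the original answer's code.
// Assumption: allowed pages live in ./pages/ next to this script.
declare(strict_types=1);

// The request value is used only as a lookup key; the include path itself
// comes from this table, so no user-controlled text reaches include().
const PAGES = [
    'home' => __DIR__ . '/pages/home.php',
    'page' => __DIR__ . '/pages/page.php',
];

// Returns the file to include for the requested page name, or the default.
function resolve_page($requested): string
{
    // $_GET values may be arrays; only a plain string can match a key.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        // Rejected values (e.g. "../../etc/passwd" or a URL) are a useful
        // detection signal, so record them before falling back.
        error_log('page include rejected: ' . json_encode($requested));
        return PAGES['home'];
    }
    return PAGES[$requested];
}

// Missing parameter, array parameter and unknown names all land on home.php;
// only "home" and "page" select their own file.
include resolve_page($_GET['page'] ?? 'home');
```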