Best way to avoid code injection in PHP

Front-end · Unresolved · 10 · 1199
臣服心动 2020-12-01 05:29

My website was recently attacked by, what seemed to me as, an innocent code:

10 answers
  •  隐瞒了意图╮
    2020-12-01 06:10

    Some good answers so far, also worth pointing out a couple of PHP specifics:

    The file open functions use wrappers to support different protocols. This includes the ability to open files over a local Windows network, HTTP and FTP, amongst others. Thus in a default configuration, the code in the original question can easily be used to open any arbitrary file on the internet and beyond; including, of course, all files on the server's local disks (that the webserver user may read). /etc/passwd is always a fun one.

    Safe mode and open_basedir can be used to restrict files outside of a specific directory from being accessed.

    Also useful is the config setting allow_url_fopen, which can disable URL access to files, when using the file open functions. ini_set can be used to set and unset this value at runtime.

    These are all nice fall-back safety guards, but please use a whitelist for file inclusion.
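A whitelist-based page include along the lines this answer recommends, with open_basedir and realpath used as the fall-back guards it mentions. This is an added example, not code from the question or from the answer; the `pages/` directory, the page names and the `page` query parameter are assumptions.

```php
<?php
// Added example (not from the original question or answer): resolve a
// user-supplied "page" name through a whitelist, so the request value is only
// ever a lookup key and never part of a filesystem path or URL.
// The directory layout ($pagesDir) and the page names are assumptions.

declare(strict_types=1);

// Allowed values of the request parameter, mapped to files on disk.
const PAGE_WHITELIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

$pagesDir = __DIR__ . '/pages'; // assumed location of includable templates

/**
 * Map a request parameter to an includable file, or return null when it is
 * not on the whitelist. Returning null (instead of building a "safe default"
 * from the input) keeps attacker-controlled text out of include/fopen.
 */
function resolvePage(string $requested, string $pagesDir): ?string
{
    if (!array_key_exists($requested, PAGE_WHITELIST)) {
        return null;
    }
    $path = $pagesDir . '/' . PAGE_WHITELIST[$requested];

    // Defence in depth: even with a whitelist, confirm the canonical path
    // sits inside $pagesDir (catches a mis-edited whitelist entry or a
    // symlink pointing elsewhere). realpath() is false for missing files.
    $real = realpath($path);
    $base = realpath($pagesDir);
    if ($real === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Process-wide fall-back guards. open_basedir may be tightened (never
// loosened) at runtime with ini_set; the allow_url_* settings are
// system-level in current PHP, so here they are only checked and logged.
ini_set('open_basedir', __DIR__);
foreach (['allow_url_fopen', 'allow_url_include'] as $setting) {
    if (filter_var(ini_get($setting), FILTER_VALIDATE_BOOLEAN)) {
        error_log("$setting is enabled; consider turning it off in php.ini");
    }
}

$requested = $_GET['page'] ?? 'home';
$file = resolvePage($requested, $pagesDir);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

The whitelist is the actual control: a request for `../../etc/passwd` or `http://example.invalid/x` never reaches `include` because it is not a key in `PAGE_WHITELIST`. The realpath and open_basedir checks only limit the damage if the whitelist itself is ever edited incorrectly.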
