Turn off register_globals - if you pollute your scripts with global variables like that you are asking for trouble. If you can't, make sure you clean the variable. Using include("$page.php") is asking for trouble. If you can get register_globals switched off (it's off by default in PHP5 for this very reason) then use the kind of security procedure so well explained on brainbulb.com (also well worth watching the audit cast). Maybe something like:

$page = isset($_GET['page']) ? trim(strip_tags($_GET['page'])) : 'page';
// clean data here, i.e. check suffix, run tests, and only then...
include "$page.php";
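One way to fill in the "clean data here" step from the post above with an explicit allowlist and a path check, as an added example rather than the poster's own code; the pages directory and the page names in the allowlist are assumptions for illustration.

```php
<?php
// Added example: map a user-supplied page name onto a file only if it is on an
// explicit allowlist AND the resolved path stays inside the pages directory.
// PAGES_DIR and the allowlist entries are assumed values for this illustration.

define('PAGES_DIR', __DIR__ . '/pages');
$allowed = ['home', 'about', 'contact'];

function resolve_page(string $requested, array $allowed, string $dir): ?string
{
    // Same first step as the original suggestion: strip tags and whitespace.
    $name = trim(strip_tags($requested));

    // Reject anything that is not a plain identifier: no '/', '..', NUL bytes,
    // stream wrappers such as 'php://', or remote URLs can pass this pattern.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/i', $name)) {
        return null;
    }

    // Only names explicitly allowed may ever reach include().
    if (!in_array($name, $allowed, true)) {
        return null;
    }

    // Belt and braces: the final path must resolve to a file inside $dir.
    $path = realpath($dir . '/' . $name . '.php');
    $base = realpath($dir);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? 'home', $allowed, PAGES_DIR);
if ($page === null) {
    // Log the rejected value server-side if you want to spot probing, then fail closed.
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

With this in place the include target is never built from raw request data, so register_globals being on or off no longer decides whether the include is safe.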