site.com/phppage.php?filename=somepage.file
Here the name of the file to be included in the body of the page is taken as an argument to the PHP page. It might seem clever, since there is no need to mess around with databases and set up id=1 is this page, id=2 is that page, but it is really, really bad. The better practice is to use something like postid= and have the server map each id to a fixed file, but some people pass the file name anyway. If the PHP itself does no check to allow only certain files, one can use ../../../../ to walk back up to the root of the filesystem, then descend into any directory and leech files.
site.com/phppage.php?filename=../../../../../etc/fstab
When you do this, the contents of /etc/fstab are displayed instead of the data the website was originally intended to show: a huge security vulnerability.
Files such as /etc/passwd are readable this way too (the password hashes themselves live in /etc/shadow, which only root can read, but /etc/passwd still reveals every username on the system, which can then be used in a social engineering attack). You could include /proc/version to find out what kernel is running on the server, /proc/cpuinfo to see the processors, and pretty much any other file on the system that the web server's user can read (except for logs and such, of course, which are usually only readable by the super user).
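To make the pattern concrete, here is the vulnerable include described above next to a hardened version of the same page. This is an added example, not code from the original post; the pages/ directory, the file names in the allowlist and the pageid parameter are assumed for illustration.

```php
<?php
// Added example (not from the original post). Two versions of phppage.php:
// the vulnerable pattern described above and a hardened replacement.
// The pages/ directory, the file names and the pageid parameter are assumed.

// --- Vulnerable: the file name is taken straight from the query string ---
// GET /phppage.php?filename=../../../../../etc/fstab
// include() follows the ../ sequence out of pages/ and reads /etc/fstab
// with the web server's privileges.
function vulnerable_page(): void
{
    $file = $_GET['filename'] ?? 'home.txt';
    include 'pages/' . $file;   // no check at all: ../ walks out of pages/
}

// --- Hardened: map an opaque id to a fixed file; never include user input ---
function safe_page(): void
{
    // Allowlist: only these files can ever be served, whatever the client sends.
    $pages = [
        1 => 'home.txt',
        2 => 'about.txt',
        3 => 'contact.txt',
    ];

    // filter_input returns null if pageid is absent and false if it is not an int.
    $id = filter_input(INPUT_GET, 'pageid', FILTER_VALIDATE_INT);
    if ($id === null || $id === false || !isset($pages[$id])) {
        http_response_code(404);
        echo 'No such page';
        return;
    }

    // Belt and braces: resolve the final path and confirm it is still
    // inside the pages directory before reading it.
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . $pages[$id]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        echo 'No such page';
        return;
    }

    // Serve the file as plain content; only use include() here if the
    // files in pages/ are genuinely meant to be executed as PHP.
    readfile($path);
}

safe_page();
```

The allowlist is the real fix. Stripping "../" from the input is not enough on its own, because include() also accepts absolute paths and PHP stream wrappers, so the client should never be able to name a file at all, only pick an id that the server translates.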
What's worse is that you can simply use Google to hunt for websites like these. It just took me 5 minutes to find around 10 different websites that this can be applied to. The inurl: filter in Google lets you search for results with certain keywords in the URL itself, so, assuming you think the URL would contain php, filename and txt, all on a certain site, one could do
inurl:php inurl:filename inurl:txt site:somesite.com
This is not limited to PHP; the same thing can be done in ASP, Perl, or anything similar. Instead of filename, some might use source, sourcefile, file, datafile, data, etc. You might not even need the last txt, or you can specify it to be htm, html or something similar too.
Hopefully this post was informative to you. If you have anything to add to this, please comment.
