To further clarify how include(...) can harm your own server...
I can upload a file to my webserver called crack.txt that contains the following:
Notice that this is a .txt file - my web server won't execute the PHP code contained in the file.
Now if I can make YOUR web server run the code
Then YOUR web server will show me its /etc/passwd file. Of course I could have done almost anything else in my source code - delete files, run other programs, etc. - almost anything that the web server's user account has permissions to do.
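
Added example, not part of the original note: one way to keep include() from ever receiving a user-controlled path or URL is to treat the request value only as a key into a fixed allowlist, and to refuse to run when remote includes are enabled. The names PAGES, resolve_page, the `page` query parameter and the pages/ directory are assumptions made for this illustration.

```php
<?php
// Added example; PAGES, resolve_page() and the pages/ directory are hypothetical.

// Allowlist: request key => file shipped with the application.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a user-supplied page name to a local file, or return null.
 * The user value is only used as an array key, never as a path or URL.
 */
function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // realpath() returns false for missing files; also confirm the
    // resolved file still lives inside the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Defense in depth: stop if php.ini allows include() to fetch URLs.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be Off');
}

// Reject non-string input (e.g. ?page[]=x) before it reaches the lookup.
$requested = $_GET['page'] ?? 'home';
$page = is_string($requested) ? resolve_page($requested, __DIR__ . '/pages') : null;
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

With this pattern a request naming anything outside the allowlist, including a URL pointing at another server, ends in a 404 and never reaches include().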