To call a web page without getting hacked, use this:
$phpself = basename(__FILE__);
$phpself = substr($_SERVER['PHP_SELF'], 0, strpos($_SERVER['PHP_SELF'],$phpself))
. $phpself;
The first line gets the file name
the second line insures that it comes only from your site.