23

I hacked a browser game a few years ago for fun and the exploit I found and used was basically this:

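<?php

// Both values come straight from the query string.
$f = $_GET['f'];
$p = $_GET['p'];

// Calls whatever function name the request supplied, with the request's argument.
$f($p);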

So it was possible to pass a function and its parameter in the URL to the server. The author used this to include() sub pages. I used it for highlight_file()s.

Comments
  • 1
    Oh dear Lord...
  • 2
    Sooo you just do:

    $f = 'eval';
    $p = 'any code';

    And you got yourself a webshell :D
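A hardened form of the dispatcher in the post above, as an added example that is not the game's code or the poster's: the request only selects a key from a fixed table and never names a function or a path. The page keys and file paths are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical sub-page table: the only targets a request may select.
const PAGES = [
    'home'    => 'pages/home.php',
    'profile' => 'pages/profile.php',
    'scores'  => 'pages/scores.php',
];

/**
 * Map the request's page key to a fixed file path.
 * Returns null for anything that is not an exact key in PAGES.
 */
function resolve_page(array $query): ?string
{
    // Any 'f' parameter is ignored: no function name is taken from the request.
    $key = $query['p'] ?? 'home';

    // ?p[]=x arrives as an array; only plain strings can be valid keys.
    if (!is_string($key)) {
        return null;
    }

    // Exact-match lookup, so path fragments and function names resolve to null.
    return PAGES[$key] ?? null;
}

// Constructed sample query strings, already parsed the way $_GET would be.
$samples = [
    ['p' => 'scores'],
    ['f' => 'highlight_file', 'p' => 'index.php'],
    ['p' => '../config'],
    ['p' => ['x']],
    [],
];

foreach ($samples as $query) {
    $path = resolve_page($query);
    // A real handler would send a 404 on null, else: include __DIR__ . '/' . $path;
    echo json_encode($query), ' => ', $path ?? '404', PHP_EOL;
}
```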