Agreed.
There is, in fact, only one way that I've encountered so far to include remote code without introducing security issues, and it's not for the faint of heart. Takes resources and skill.
koto did a series of blog posts about the subject itself a while ago, as well.
It's a 3-part series; the posts are linked in order.
http://blog.kotowicz.net/2010/07/harden ... clude.html
http://blog.kotowicz.net/2010/07/re-har ... urely.html
http://blog.kotowicz.net/2010/08/harden ... clude.html
I in fact have contributed some code to the PharUtil library he brings up in part 3, as well. It is a good set of tools,



