The question mark problem solved

2007-10-22

I figured out why all the injection attacks end with a question mark: they're trying to make sure a hardcoded suffix is not appended to the page name they're trying to include. With the question mark at the end, anything appended becomes part of the GET variables, garbled or not (the attacker doesn't care, and neither does PHP). A simple example:
Code:
if ($_GET['page'] == 'help' || $_GET['page'] == 'home') include $_GET['page'].".html";

It seems as if the suffix restricts the visitor to including only .html files, right? But no, when

Code:
$_GET['page'] == "exploit.php?"

then the page 'exploit.php' will be included. Interesting information :)
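As an added example (not the post's own code), here is the suffix-only version of the include beside a hardened lookup, using PHP's parse_url to show where the ".html" ends up once a trailing "?" is in play. It assumes the post's 'help'/'home' comparison is dropped, since that check would reject "exploit.php?" before the suffix ever matters; the host name and page paths are constructed placeholders.

```php
<?php
// Added example, not code from the original post. Reduces the post's snippet to the
// suffix alone (assumption: no allowlist check) and puts a safe lookup beside it.

// Vulnerable: the only "restriction" is a hard-coded suffix glued onto user input.
function vulnerable_target(string $page): string
{
    return $page . '.html';
}

// The trailing "?" works when the include target is a URL: the suffix becomes the
// query string, which the remote server ignores, so exploit.php is what gets fetched.
// For a plain local path the suffix stays part of the file name and the trick fails.
function suffix_lands_in_query(string $page): bool
{
    $parts = parse_url(vulnerable_target($page));
    return $parts !== false && isset($parts['query']) && $parts['query'] === '.html';
}

// Hardened: map the parameter onto a fixed table of local files and never build an
// include path from user input; unknown names resolve to nothing.
function safe_target(string $page): ?string
{
    $pages = [
        'help' => __DIR__ . '/pages/help.html',   // constructed paths for the example
        'home' => __DIR__ . '/pages/home.html',
    ];
    return $pages[$page] ?? null;
}

// Defence in depth: with allow_url_include=Off in php.ini, include() refuses URL
// targets altogether, so the query-string trick has nothing to work with.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample input in the shape the post describes (not a real host).
$probe = 'http://attacker.example/exploit.php?';
echo "target:   ", vulnerable_target($probe), "\n";
echo "in query: ", var_export(suffix_lands_in_query($probe), true), "\n";
echo "safe:     ", var_export(safe_target($probe), true), "\n";
echo "remote:   ", var_export(remote_include_enabled(), true), "\n";
```

Run it with `php` on the command line; the last line reports whether the interpreter's own configuration would even allow a URL include in the first place.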