This is an issue of security settings on your server. If it's set up properly, it shouldn't be possible for a hacker to do anything like that.
The two main vulnerabilities would be:
- If register globals is enabled and you haven't filled `$template` with a value.
- If you somehow allow unauthorised users to upload their own PHP scripts to your server (which is the only way someone can include your PHP script).
The first one should never be an issue as register globals should always be disabled. You should also initialise variables rather than leaving them unset.
The second one is more complex, but shouldn't be an issue unless you've deliberately opened up your security settings. You should normally have suitable file permissions set to prevent Apache (or other webserver user/group) from adding/modifying the main site files, and so on.
With that said, if someone can upload their own PHP scripts to your server, then all bets are off. SQL injection becomes irrelevant at that point because they can probably just as easily access the database directly.
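
The two server-side conditions named in this answer can be checked from a shell. The script below is an added example, not part of the original answer; the function names `register_globals_enabled` and `audit_writable` are hypothetical, and the php.ini path, site root and web server account (for instance `www-data`) are assumptions you supply.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.

# Succeeds (exit 0) if the given php.ini has an active, uncommented line that
# turns register_globals on. The directive only exists before PHP 5.4.
register_globals_enabled() {
    grep -Eiq '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*"?(on|1|true|yes)"?[[:space:]]*(;.*)?$' "$1"
}

# Prints every file or directory under the site root that the web server
# account could add to or modify: owned by that account with the owner-write
# bit set, or world-writable. Symlinks are skipped because their own mode
# bits are always permissive. Group write access is not checked here.
audit_writable() {
    root=$1
    web_user=$2   # user name or numeric uid, e.g. www-data (assumption)
    find "$root" ! -type l \
        \( \( -user "$web_user" -perm -200 \) -o -perm -002 \) -print
}

# Usage: sh audit.sh /path/to/php.ini /path/to/site www-data
if [ "$#" -eq 3 ]; then
    if register_globals_enabled "$1"; then
        echo "register_globals is ON in $1"
    fi
    audit_writable "$2" "$3"
fi
```

An empty listing from `audit_writable` means the web server account cannot change the main site files through ownership or world-write bits.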