This looks bad to me, but it solves a lot of problems.

Basically, I've got files inside /app/webroot.

I've got a .htaccess file that redirects URLs to /loader.php?include_page=[whatever you type], as follows:

RewriteEngine on
RewriteRule ^(.*)$ loader.php?include=/$1 [QSA,L,NC]

So, for instance, if you visit /search/foo/, Apache redirects traffic to /loader.php?include=/search/foo/

Eventually (after doing lots of stuff), loader.php includes the page specified in $_GET['include'], in this way:
include '/app/webroot' . $_GET['include'];

It looks to me like a bad security hole, but I've tried all possible values I could think of, and nothing bad happened.

I think this doesn't allow loading external sites or system files like /etc/passwd, because the way the include is, the file must be inside /app/webroot, and whatever is in this directory you access from the web anyway.

Am I missing something? Is this bad?

Any suggestions appreciated.
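
An added example, not part of the original post: prefixing '/app/webroot' to the parameter does not by itself keep the resolved file inside that directory, because the operating system resolves ".." segments and symlinks after the strings are joined. One way to enforce the boundary is to canonicalize the path and compare it with the base; resolve_include() is a hypothetical helper name, and the temporary directory tree and request values are constructed for the demo.

```php
<?php
// Added example: resolve_include() is a hypothetical helper, not the poster's code.

/** Return the canonical path of $requested if it is a file under $base, else null. */
function resolve_include(string $base, string $requested): ?string
{
    // A null byte never belongs in a path; reject it before touching the filesystem.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() collapses "." and ".." segments, follows symlinks, and
    // returns false when the target does not exist.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Trailing separator keeps a sibling such as "/app/webroot-old" from matching.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed demo tree so the example runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir("$root/webroot/search", 0700, true);
file_put_contents("$root/webroot/search/foo.php", "<?php echo 'page';");
file_put_contents("$root/outside.php", "<?php echo 'not served';");

// Constructed request values: a normal page, a path that climbs out of the
// base, a missing file, and a directory.
foreach (['/search/foo.php', '/search/../../outside.php', '/missing.php', '/search'] as $value) {
    $path = resolve_include("$root/webroot", $value);
    printf("%-28s => %s\n", $value, $path === null ? 'rejected' : 'allowed');
}

// In loader.php the call would look like this (assumed wiring):
//   $value = $_GET['include'] ?? '';
//   $path = is_string($value) ? resolve_include('/app/webroot', $value) : null;
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;

// Remove the demo tree.
unlink("$root/webroot/search/foo.php");
unlink("$root/outside.php");
rmdir("$root/webroot/search");
rmdir("$root/webroot");
rmdir($root);
```

Only the first sample value is allowed; the other three are rejected because they resolve outside the base, do not exist, or are not a regular file.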