I'm guessing you're trying to point out $findfile() can be used to go from unintended identifier evaluation (which is the *cause* of your problem here) to performing commands. This is already well known.
The use of timer in that script is rather silly btw - as it provides no flood protection (a bottleneck can still exist - just 1 second later). I'm aware it was just an example, but maybe you need to look at a better system for queuing with your webserver (such as storing information in a file or hash table and sending it out on sockwrite).
Hope that helps
