PHP File Inclusion


Remote File Inclusion

Remote File Inclusion (also known as RFI) is a type of vulnerability that allows an attacker to include a remote file.

This example injects a remotely hosted file containing a malicious code:

include $_GET['page'];


Local File Inclusion

Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser.

$page = 'pages/'.$_GET['page'];
if(isset($page)) {
    include $page;
} else {
    include 'index.php';


Solution to RFI & LFI:

It is recommended to only allow including files you approved, and limit to those only.

$page = 'pages/'.$_GET['page'].'.php';
$allowed = ['pages/home.php','pages/error.php'];
if(in_array($page,$allowed)) {
} else {