File Inclusion/Remote File Inclusion
Remote file inclusion refers to the inclusion of a file that is not located on the victim's server. Because recent versions of PHP have a built-in safeguard that prevents remote inclusion unless the administrator explicitly enables it, this form of the vulnerability is now very rare.
An example URI on a vulnerable site would be /include.php?file=howto.php
The PHP behind it may look like:
<?php include($_GET['file']); ?>
The above PHP code is vulnerable. Do not use this on your site!
An attacker who sees /include.php?file=howto.php
may change the URL so that the file parameter points at a file such as include.txt hosted on a server they control.
If include.txt contains PHP code written by the attacker, that code is executed on the server side.
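A hardened replacement for the vulnerable line above, as an added example that is not part of the original page: user input selects an entry from a fixed allow-list instead of being passed to include() directly, and the script refuses to run if remote includes have been re-enabled. It assumes the includable files live in a pages/ directory next to the script; about.php is a made-up second entry.

```php
<?php
// Added example, not the original page's code: safe replacement for
// include($_GET['file']). The request parameter is only ever compared
// against an allow-list, so URLs, absolute paths and "../" sequences
// can never reach include().

declare(strict_types=1);

// The only files that may be included (assumed layout: ./pages/).
const ALLOWED_PAGES = ['howto.php', 'about.php'];
const INCLUDE_DIR = __DIR__ . '/pages';

/**
 * Resolve a user-supplied page name to an absolute path, or return null
 * when the name is not allow-listed or the canonical path escapes
 * INCLUDE_DIR (defence in depth on top of the allow-list).
 */
function resolve_include(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . $page);
    // realpath() returns false for missing files.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// allow_url_include is Off by default; if an administrator turned it
// back on, include() would again accept remote URLs, so stop here.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be Off');
}

$page = $_GET['file'] ?? 'howto.php';
if (!is_string($page)) {
    $page = '';                     // arrays or other types are rejected
}
$path = resolve_include($page);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Requests such as /include.php?file=howto.php still work, while any value not in ALLOWED_PAGES gets a 404 without touching the filesystem or the network.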