PHP File Inclusion


PHP, like many other languages, allows the inclusion of files in order to provide or extend the functionality of the current file.

Risk Factors



  • Remote file inclusion using variables taken from the request (POST or GET)
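
An added example, not part of the original page: the risky pattern named in the risk factor above, next to a form where the request value only selects from a fixed list. The page names, the `pages/` directory and the `resolve_page()` helper are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (kept as a comment so this file is safe to run):
//     include $_GET['page'];
// Here the request decides which file PHP loads and executes.

// Hardened form: the request only selects a key; the paths are fixed here.
// Page names and file locations are constructed for this example.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

/**
 * Map an untrusted request value to one of the fixed include paths.
 * Returns null when the value is not an exact, known key.
 */
function resolve_page(mixed $requested): ?string
{
    if (!is_string($requested)) {   // e.g. ?page[]=x arrives as an array
        return null;
    }
    return PAGES[$requested] ?? null;
}

// The value may come from GET or POST; both are treated as untrusted.
$path = resolve_page($_GET['page'] ?? $_POST['page'] ?? 'home');
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Page not found');
}
include $path;   // only ever one of the paths listed in PAGES
```

Keeping `allow_url_include` off in `php.ini` (its default) additionally stops `include` from loading files over a URL.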

