Web Penetration Testing with Kali Linux 2.0, Second Edition


File inclusion vulnerability


In a web application, the developer may include code stored on a remote server or in a file stored locally on the server. Referencing files outside the web root is mainly done to collect common code into shared files that the main application can reference later.

Remote file include

Remote file include, or RFI as it is widely known, is an attack technique that exploits the file inclusion mechanism when the programmer is not careful and dynamically references external code selected by user input without proper validation. This may result in the application being tricked into running a script hosted on a remote server under the attacker's control. PHP is the language most commonly affected by remote file include vulnerabilities, but the flaw is not limited to PHP.

The include function in the PHP language is the one that allows the programmer to reference code from a remote server. The following PHP code will extract the value of the script parameter from the HTTP request...
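As an added example that is not the book's own code, the following PHP shows the pattern the text describes (a request parameter flowing straight into include) next to a hardened version that maps the parameter onto a fixed allowlist of files, plus a check of the allow_url_include setting that governs whether include() will fetch remote URLs at all. The pages/ directory, the file names in the allowlist and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the book): a vulnerable include beside a hardened one.
// Assumes a hypothetical "pages/" directory holding header.php, footer.php and news.php.

// VULNERABLE: the "script" query parameter is passed straight to include().
// With allow_url_include=On this can fetch and execute code from a remote host;
// even with it Off, a path outside the web root can still be included locally.
function include_vulnerable(array $query): void
{
    $script = $query['script'] ?? 'header';
    include $script . '.php';
}

// HARDENED: map the user-supplied name onto a fixed allowlist and never pass
// the raw value to include(). An exact-match lookup means a URL, a "../"
// traversal sequence or any other unexpected string simply does not resolve.
const ALLOWED_PAGES = [
    'header' => 'pages/header.php',
    'footer' => 'pages/footer.php',
    'news'   => 'pages/news.php',
];

function resolve_page(string $requested): ?string
{
    return ALLOWED_PAGES[$requested] ?? null;
}

function include_hardened(array $query): void
{
    $page = resolve_page($query['script'] ?? 'header');
    if ($page === null) {
        http_response_code(400);
        echo 'Unknown page';
        return;
    }
    // Anchor the path to this script's directory so include_path cannot be abused.
    include __DIR__ . '/' . $page;
}

// Defensive configuration check: allow_url_include should be Off (the default).
// Returns true when remote includes are enabled, which is a misconfiguration.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Show how the resolver treats a legitimate name and two constructed hostile values.
foreach (['news', 'http://attacker.invalid/evil.txt', '../../../../etc/passwd'] as $input) {
    printf("%-36s -> %s\n", $input, resolve_page($input) ?? 'rejected');
}
printf("allow_url_include enabled: %s\n", remote_include_enabled() ? 'yes (fix this)' : 'no');
```

The important design choice is that the hardened version never builds a file path from user input; it uses the input only as a dictionary key. Validating with a blocklist of strings such as "http://" or "../" is far weaker, because encoding variants and alternative wrappers (PHP supports several besides http) can slip past it, while an allowlist accepts only what the developer intended to expose.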