Skip to main content

File Inclusion

Basic Rules

  1. Keep system and services, including web application frameworks, updated with the latest version.
  2. Turn off PHP errors to avoid leaking the path of the application and other potentially revealing information.
  3. A Web Application Firewall (WAF) is a good option to help mitigate web application attacks.

  4. Disable some PHP features that cause file inclusion vulnerabilities if your web app doesn't need them, such as allow_url_fopen on and allow_url_include.

  5. Carefully analyze the web application and allow only protocols and PHP wrappers that are in need.
  6. Never trust user input, and make sure to implement proper input validation against file inclusion.
  7. Implement whitelisting for file names and locations as well as blacklisting.

No comments to display

Back to top