This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

PHP File Inclusion

Jump to: navigation, search
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 02/1/2016

Vulnerabilities Table of Contents


PHP, as many other languages, allows the inclution of files in order to provide or extend the functionality of the current file.

Risk Factors



include '/path/filename.php';
include_once 'path/filename.class.php';
require '../path/';
require_once '';

Related Attacks

  • Remote file inclusion using variables from the request POST or GET

Related Vulnerabilities

Related Controls

Related Technical Impacts


Note: A reference to related CWE or CAPEC article should be added when exists. Eg: