# Local File Inclusion LFI (PHP)

## Local File Inclusion (LFI)

Local File Inclusion (LFI) is a web application vulnerability that lets an attacker make the server read, and with PHP's `include()` also execute, files they should never be able to reach. It arises when the developer's code takes a file name from a request parameter (for example, to show a particular image or page) and passes it straight to a file-loading function. Because the parameter is attacker-controlled, the attacker can point it at files outside the intended directory, typically with `../` path traversal. We'll go over this in detail now.

***

### PHP code vulnerable to LFI

```php
<?php

    // Vulnerable: the file name comes straight from the request and is
    // passed to include() with no validation, so "../" traversal works.
    $file = $_GET['file'];
    include($file);

?>
```

Now an attacker can send a request like this:

```
http://localhost:8000/meta.php?file=../../../../../../../../../etc/passwd
```

The extra `../` segments are harmless once the filesystem root is reached, so the attacker does not need to know the exact depth of the web root. With this, the attacker can read `/etc/passwd`, application configuration files (database credentials, API keys), or SSH private keys such as `/home/*/.ssh/id_rsa`, limited only by the permissions of the user the web server runs as. Because the file is loaded with `include()`, any PHP code inside an included file is also executed.

### How To Fix It

#### Whitelist Approach

A whitelist only allows the specifically approved files listed in the `$Allow_Pages` array to be displayed by the web app. PHP's `in_array()` function compares the file the user is asking for against that list, and anything not on the list is rejected. Pass `true` as the third argument so the comparison is strict (exact string match).

**We Can Also Use Input Validation with `basename()`**

`basename()` removes every directory component from a path and keeps only the final file name, which defeats directory traversal: `basename('../../../../etc/passwd')` returns `passwd`. On its own it is not enough, since the user could still name any file in the script's own directory, so combine it with the whitelist above.

**PHP.INI**

We can also disable `allow_url_include` in the `php.ini` file. This does not stop LFI, but it prevents `include()` from loading remote URLs, which closes the related Remote File Inclusion (RFI) vector:

```
allow_url_include = Off
```

## Secure Code

```php
<?php
    if (isset($_GET['file'])) {
        // Whitelist: only these files may ever be included.
        $Allow_Pages = ['home.php', 'bla.php', 'demo.txt'];

        // basename() strips directory components, so "../../etc/passwd" becomes "passwd".
        $file = basename($_GET['file']);

        // Strict comparison (third argument true) so only exact string matches pass.
        if (in_array($file, $Allow_Pages, true)) {
            include($file);
        } else {
            // Escape the reflected value so the error message is not an XSS sink.
            echo "\n[+] File : " . htmlspecialchars($file, ENT_QUOTES, 'UTF-8');
            echo "[!] Not Allowed! Try Harder To Hack Me!";
        }
    }
?>
```
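As an added example (not code from the original page), the variant below goes one step further than the whitelist: user input is treated as an opaque key that is looked up in a map, so it never becomes part of a path at all, and the resolved file is additionally confirmed with `realpath()` to sit inside an allowed directory. It assumes PHP 8 (for `str_starts_with()`) and a hypothetical `pages/` directory next to the script holding `home.php`, `about.php` and `terms.txt`; the parameter name `page` is also an assumption.

```php
<?php
// Added example, not from the original page: defence in depth for include().
// 1. Map an opaque key to a file so user input never becomes part of a path.
// 2. Resolve the file with realpath() and confirm it stays inside $base.
// Assumptions: PHP 8, pages live in a "pages/" directory next to this script.

declare(strict_types=1);

function resolve_page(string $key, array $pages, string $base): ?string
{
    // Strict lookup: the key must match exactly; the request value itself is
    // never used to build a filesystem path.
    if (!array_key_exists($key, $pages)) {
        return null;
    }

    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $pages[$key]);

    // realpath() returns false for paths that do not exist; treat that as deny.
    if ($baseReal === false || $target === false) {
        return null;
    }

    // Containment check: the resolved path must start with the base directory
    // plus a separator, so "/var/www/pages2" cannot pass for "/var/www/pages".
    if (!str_starts_with($target, $baseReal . DIRECTORY_SEPARATOR)) {
        return null;
    }

    return $target;
}

// Allowed pages, keyed by the value the client is permitted to send.
$pages = [
    'home'  => 'home.php',
    'about' => 'about.php',
    'terms' => 'terms.txt',
];
$base = __DIR__ . '/pages';

$key  = $_GET['page'] ?? 'home';
$file = resolve_page($key, $pages, $base);

if ($file === null) {
    http_response_code(404);
    // Escape the reflected value; echoing raw user input would be an XSS sink.
    echo 'Unknown page: ' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
    exit;
}

include $file;
```

The map removes the need for `basename()` entirely, because the only strings that can reach `include` are the values you wrote into `$pages`. The `realpath()` check is a second, independent guard: even if a future edit to the map introduced a value like `../config.php`, the resolved path would fall outside `$base` and be rejected.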
