These functions can allow an arbitrary string or file to be executed as PHP code (with the privileges of PHP).
Including arbitrary files into a PHP program can allow code to be injected into that program, especially when including files that are writable in a shared or compromised environment, or where allow_url_fopen is enabled.
See “Includes Bad Practice” below.
The DOM extension supports the use of streams in a number of ways, in particular XIncludes whose path begins with php:// and xsl:include tags in XSLT. This behaviour can be turned off (how?) - watch out when working with XML / XSLT from untrusted sources. See XML in PHP5.
This function list is probably incomplete.
A common beginner's mistake with the include / require functions looks like this:
    echo '<a href="'.$_SERVER['PHP_SELF'].'?page=home">Home</a>';
    echo '<a href="'.$_SERVER['PHP_SELF'].'?page=links">Links</a>';
    echo '<a href="'.$_SERVER['PHP_SELF'].'?page=contact">Contact</a>';
    // The request parameter is spliced straight into the include path, unvalidated
    include 'pages/'.$_GET['page'];
Bearing in mind Parameter Manipulation Attacks, the GET variable 'page' could contain anything, including directory paths that PHP will resolve, e.g.
    $_GET['page'] == '../uploads/badscript'
so the included file becomes pages/../uploads/badscript.php.
A better solution for this example would be:

    echo '<a href="'.$_SERVER['PHP_SELF'].'?page=home">Home</a>';
    echo '<a href="'.$_SERVER['PHP_SELF'].'?page=links">Links</a>';
    echo '<a href="'.$_SERVER['PHP_SELF'].'?page=contact">Contact</a>';
    $pages = array('home','links','contact');
    // If the page is known, include it (isset() avoids a notice when no page was requested)
    if ( isset($_GET['page']) && in_array($_GET['page'], $pages) ) {
        include 'pages/'.$_GET['page'].'.php';
    // Otherwise use the default...
    } else {
        include 'pages/home.php';
    }
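The same allow-list idea carried a step further, as an added example that is not code from the original page: the request is used only as a key into a map of permitted pages (never spliced into a path), a non-string request such as ?page[]=x is treated as unknown, and a realpath() check confirms the chosen file really lives under pages/. The names PAGES, page_file() and include_page() are hypothetical.

```php
<?php
// Added example, not code from the original page. Names such as
// PAGES, page_file() and include_page() are hypothetical.

// Allow-list: the permitted ?page= values mapped to files under pages/.
// The request is used only as an array key, never spliced into a path,
// so '../' sequences and php:// wrappers can never reach include.
const PAGES = [
    'home'    => 'home.php',
    'links'   => 'links.php',
    'contact' => 'contact.php',
];

// Return the file name to serve for a requested page, or the default.
// array_key_exists() is a strict string lookup; in_array() without its
// third argument compares loosely, so a keyed map is the safer shape.
function page_file($requested, string $default = 'home'): string
{
    // ?page[]=x arrives as an array; treat anything but a string as unknown.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return PAGES[$default];
    }
    return PAGES[$requested];
}

// Defence in depth: even with the allow-list, refuse to include anything
// that does not resolve to a real file inside the pages directory.
function include_page($requested): void
{
    $baseDir = realpath(__DIR__ . '/pages');
    $real    = realpath(__DIR__ . '/pages/' . page_file($requested));
    if ($baseDir === false || $real === false
        || strpos($real, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('page resolves outside pages/');
    }
    include $real;
}

// Constructed sample requests, including the traversal case from the text.
foreach (['links', '../uploads/badscript', 'php://input', ['x']] as $req) {
    printf("%-24s -> %s\n", json_encode($req), page_file($req));
}
// In the real request handler: include_page($_GET['page'] ?? 'home');
```

Only 'links' maps to a page file; the traversal string, the php:// wrapper and the array request all fall back to home.php without ever being used in a path.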
echo '<a href="'.$_SERVER['PHP_SELF'].'?page=home">Home</a>'; echo '<a href="'.$_SERVER['PHP_SELF'].'?page=links">Links</a>'; echo '<a href="'.$_SERVER['PHP_SELF'].'?page=contact">Contact</a>'; $pages = array('home','links','contact'); // If the page is known if ( in_array($_GET['page'], $pages) ) { include 'pages/'.$_GET['page'].'.php'; // Otherwise use default... } else { include 'pages/home.php'; }