Well, I looked a little into RFI and PHP security and found this include code in DVWA:
<?php
$file = $_GET['page']; // The page we wish to display
// Only allow include.php
if ( $file != "include.php" ) {
    echo "ERROR: File not found!";
    echo "$file";
    exit;
}
include($file);
?>
Well, I don't understand why this code is not secure. I talked with some security people and they say this code is not secure and I shouldn't use it. I know that it's better to turn off the include option, but I think this filter can't be passed.
I tried a lot of common attacks, and none of them passed it. I will be glad to hear your opinions.
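
A hardened form of the snippet in the question, as an added example (not DVWA's code and not the poster's): the requested name is looked up in a fixed allowlist so the value passed to include never comes from the request, and the name is HTML-encoded before it is echoed in the error message. `ALLOWED_PAGES`, `resolve_page()` and `render_error()` are hypothetical names, and the sample requests at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request value => file on disk.
const ALLOWED_PAGES = [
    'include.php' => __DIR__ . '/include.php',
];

// Return the on-disk path for an allowed page, or null for anything else.
function resolve_page(array $query): ?string
{
    $page = $query['page'] ?? null;
    // Reject a missing parameter and array input such as ?page[]=x.
    if (!is_string($page)) {
        return null;
    }
    // The path returned is taken from the table, never from the request.
    return ALLOWED_PAGES[$page] ?? null;
}

// Build the error text with the requested name encoded for HTML output.
function render_error(array $query): string
{
    $page = $query['page'] ?? '';
    $shown = is_string($page) ? $page : '';
    return 'ERROR: File not found! '
        . htmlspecialchars($shown, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// In the page itself the two functions would be used like this:
//   $path = resolve_page($_GET);
//   if ($path === null) { http_response_code(404); echo render_error($_GET); exit; }
//   include $path;

if (PHP_SAPI === 'cli') {
    // Constructed sample requests: allowed name, markup, another file, array, missing.
    $samples = [
        ['page' => 'include.php'],
        ['page' => '<b>x</b>'],
        ['page' => '../other.php'],
        ['page' => ['a']],
        [],
    ];
    foreach ($samples as $query) {
        $path = resolve_page($query);
        echo $path === null ? render_error($query) : "would include: $path", PHP_EOL;
    }
}
```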