A common hurdle for attackers during an LFI (Local File Inclusion) attack is the way the web server processes the included file. If an attacker tries to include a raw PHP or configuration file, the server might attempt to execute it as code or fail to display it correctly because of special characters.
This exploit usually happens when a developer trusts user input in a file-loading function. For example, consider this vulnerable PHP code: include($_GET['page']); A common hurdle for attackers during an LFI
Defending against PHP wrapper exploitation requires a "defense in depth" strategy: consider this vulnerable PHP code: include($_GET['page'])