Remote code injections attempt to run the attacker’s code on a server, often by exploiting the functionality of the include or require functions.
The eval(), exec(), system(), and shell_exec() functions are vulnerable to remote code injection when they are passed untrusted input.
Include / Require attacks occur when files are included and executed; the files may come from remote servers, which makes remote code execution possible.
Countermeasures
• Check data against a whitelist
• Remove paths using basename()
• Set allow_url_include = off in php.ini; this helps somewhat but is not sufficient, as some attack vectors remain open
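The first two countermeasures combined, as an added example that is not from the original page: a resolver that applies basename() and a whitelist before anything reaches include. PAGE_DIR, ALLOWED_PAGES, resolve_page() and the page names are assumptions made for illustration.

```php
<?php
// Added example. PAGE_DIR, ALLOWED_PAGES and resolve_page() are hypothetical names.

const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact']; // whitelist of known pages

// Weak pattern, shown for contrast only and never executed here:
//   include $_GET['page'] . '.php';
// The request controls the whole path, so it can point outside PAGE_DIR or,
// when allow_url_include is on, at a URL.

function resolve_page(string $requested): ?string
{
    // basename() strips directory components: "../../etc/passwd" becomes "passwd".
    $name = basename($requested);

    // Reject input that carried any path component at all, rather than
    // silently accepting the stripped form.
    if ($name !== $requested) {
        return null;
    }

    // Whitelist check with strict comparison; anything not listed is rejected.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }

    // The path is assembled only from a constant directory and a whitelisted name.
    return PAGE_DIR . '/' . $name . '.php';
}

// Constructed sample inputs, not taken from real traffic.
$samples = ['about', 'settings', '../../etc/passwd', 'http://example.test/x', 'pages/about'];
foreach ($samples as $input) {
    $path = resolve_page($input);
    printf("%-24s => %s\n", $input, $path ?? 'rejected');
}

// In a request handler the result would gate the include:
//   $path = resolve_page($_GET['page'] ?? 'home');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```

Only "about" resolves to a path; the other four samples are rejected before any include is attempted, whatever allow_url_include is set to.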