Never pass user-controllable input directly into functions like include(), require(), or file_get_contents().
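One way to apply this rule, as an added example that is not code from the original page: the request value is looked up in a fixed allow-list and never reaches include() itself. The page keys, file names and the pages/ directory are hypothetical, and the code assumes PHP 8.

```php
<?php
// Added example, not from the original page. The page keys, file names and
// the pages/ directory are hypothetical.

// Vulnerable pattern (left commented out): the request value reaches
// include() unchanged, so the caller chooses the path or stream wrapper.
// include $_GET['page'];

// Allow-list: request keys map to fixed file names chosen by the developer.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a request value to a file inside $baseDir, or return null.
 */
function resolve_page(mixed $requested, string $baseDir): ?string
{
    // Arrays (?page[]=x) and any value that is not a known key are rejected.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the file must exist and resolve to a location under
    // $baseDir (catches a symlink planted inside the directory).
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Constructed sample inputs: one valid key and three values that must fail.
$samples = ['about', '../../etc/passwd', 'php://filter/resource=x', ['home']];
foreach ($samples as $value) {
    $path = resolve_page($value, __DIR__ . '/pages');
    // 'about' is allowed only if pages/about.php exists next to this script.
    printf("%-32s %s\n", json_encode($value, JSON_UNESCAPED_SLASHES),
        $path === null ? 'rejected' : 'allowed');
    // In the application: include $path when non-null, otherwise respond 404.
}
```

Because the user-supplied string is only ever used as an array key, a path or wrapper URL in the parameter has no route to the file functions.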
Example output when the attack succeeds:
PHP includes several built-in "wrappers" for various URL-style protocols. The php://filter wrapper is particularly powerful; it is a meta-wrapper designed to allow intermediate processing of a stream before it is read. Under normal circumstances, developers use this for legitimate tasks like data compression or character encoding. However, in the hands of an attacker, it becomes a tool for .

2. Why Base64 Encoding?