IntroductionThe main objective of performing a static analysis of a source code with respect to auditing web applications is to detect the vulnerability. This article therefore describes a proposed algorithm that will be used to examine two main potential vulnerabilities in PHP source code; LFI (Local File Inclusion) and RFI (Remote File Inclusion). The approach will be as follows: a definition of the model used to find such file functions whose abuse potential is very high due to unhandled user input is first performed. In specific terms, to detect the vulnerability of this model, normal expressions are used which are considered a quick and simple technique. In this process, a result that we call false positive (FP) will result from the safe use of the inclusion function. The resulting FPs can occur first since the arguments to this function are not part of the user-supplied variables. To detect the vulnerability in the lines of code, an extract of all these variables provided by the user is therefore carried out. Just like a multi-level assignment, the vulnerability, on the other hand, would propagate to variables, thus also causing hidden user-provided variables to be extracted. Thus, in order to reduce these FPs, another model definition is carried out in order to establish a means of preventing the vulnerability of the inclusion functions. Although it allows the generation of widely used dynamic codes and multi-level indirection with respect to access to functions and variables, the results in a number of similar projects highlight that many problems presented through this approach can be detected and eliminated. This is despite static analysis...... middle of paper ...... areas relating to inputs must be firmly certi ed to avoid various security threats. This section will provide an overview of methods for preventing LFI and RFI susceptibilities. Also highlighted are the different ways of handling file enclosure abuse on websites and more particularly in codes and finally examples of PHP format in code will be provided. One of the best and most effective ways is the use of a white file of good recognized values ​​for example listing all areas and languages ​​supported by the application and at the same time eliminating any entries which does not meet these criteria or also those which do not appear in the list. The next step is to check the source code after a file has been viewed and included. Therefore, if the code is verified, then it has access to the file and if not, it is excluded..