IntroductionThe main purpose of performing a static analysis of a source code regarding web application control is to detect vulnerability. This article therefore describes a proposed algorithm that will be used to examine two potential vulnerabilities in the core PHP source code; LFI (local file inclusion) and RFI (remote file inclusion). The approach will be as follows: first, a de nition of the model used to find such functions whose potential for abuse is very high due to unhandled user inputs is defined. In specific terms, normal expressions are used to detect the vulnerability of this model, which is considered a quick and easy technique. In this process some results that we call false positives (FP) will result as a consequence of using the inclusion function safely. The resulting FPs to start with may occur because the arguments to this function are not part of the user-supplied variables. To detect the vulnerability in the lines of code, an extract is made of all those variables provided by the user. Just like a layered assignment, the vulnerability on the other hand would spread across variables, thus also requiring the extraction of user-supplied hidden variables. Then, to decrease these FPs, another model definition is made to establish a means of preventing the vulnerability of embedding functions. Although it allows the generation of widely used dynamic codes and indirect multi-levels regarding function access and variables, results in a number of similar projects have brought to light that many of the problems presented using this approach can be detected and eliminated . This is despite static analysis… middle of paper… in relevant areas the entries should be firmly certified to avoid various security threats. This section will provide some insights into methods of preventing susceptibilities to LFI and RFI. We also highlight various ways to handle file embedding abuses on websites and, more significantly, in codes, and finally we will provide examples of PHP format in code. One of the best and e cient ways is using a blank file with good recognized values ​​for example listing all areas and languages ​​supported by the application and at the same time deleting all entries that do not meet these criteria or even those that do not appear in the list. The next step is to check the source code after a le has been viewed and included, then if the code checks it is given access to the le and if not it is excluded.