You could try to rewrite output such as PHP extensions to .dz or whatever you want. However, that is pretty long and could cause errors on pre-made scripts (VBulletin). The best way to prevent an RFI is through mod_security and disabling certain things such as FOPEN and FMAIL.

To prevent an LFI, do not allow PHP scripts to be uploaded at all, and test your software against, say:

1) evilshell.php renamed to evilshell.php.gif
2) upload your new fancy "gif" through your software.
3) if the shell appears, your web application is at fault in parsing the extensions.

Test everything and keep track of security updates on 3rd party scripts. You may want to also check out my latest blog entry called "ClickJacking". It operates on the same idea as an LFI, but instead of an evil script/code it uses Adobe Flash...

Cheers,
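Added example (mine, not code from the post above): the evilshell.php.gif test from steps 1-3, run against two upload checks in Python. The first is the loose extension check that lets the renamed shell through; the second rejects double extensions and dotfiles, verifies the declared type against the file's first bytes, and throws the uploader's filename away in favour of a random one. The image-only allow list, the sample filenames and the sample bodies are all constructed for the example.

```python
import secrets
import re
from typing import Optional

# Extensions this (hypothetical) image-upload form is willing to accept.
ALLOWED_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}

# File signatures for the allowed types, so the declared extension is
# checked against the actual bytes instead of being trusted.
MAGIC_PREFIXES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def naive_is_allowed(filename: str) -> bool:
    """A check that fails the post's test: it accepts a name as long as an
    allowed extension appears somewhere in it, so evilshell.php.gif passes
    and would be stored under its original name, ".php" included."""
    lowered = filename.lower()
    return any(ext in lowered for ext in ALLOWED_EXTENSIONS)


def hardened_stored_name(filename: str, head: bytes) -> Optional[str]:
    """Return a safe name to store the upload under, or None to reject it.

    - Keeps only the final path component, so "../x.gif" cannot leave the upload dir.
    - Requires exactly one dot and a non-empty base name, which rejects double
      extensions (evilshell.php.gif) and dotfiles (.htaccess).
    - Requires the extension to be on the allow list and the first bytes to
      match that type's signature.
    - Discards the user-supplied name: the stored name is random, so nothing
      the uploader chose ever reaches the filesystem or the web server's handlers.
    """
    base = re.split(r"[\\/]", filename)[-1]
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if not head.startswith(MAGIC_PREFIXES[ext]):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads (filename -> first bytes of the body); not real files.
SAMPLE_UPLOADS = {
    "photo.gif": b"GIF89a\x01\x00\x01\x00",
    "evilshell.php.gif": b"<?php system($_GET['cmd']); ?>",   # the post's test case
    "shell.php": b"<?php system($_GET['cmd']); ?>",
    "fake.gif": b"<?php system($_GET['cmd']); ?>",            # right extension, wrong bytes
    ".htaccess": b"AddType application/x-httpd-php .gif",     # dotfile, no base name
    "../../escape.gif": b"GIF87a\x00",                        # path traversal in the name
}


def run_checks() -> dict:
    """Apply both checks to every sample: (naive verdict, hardened stored name or None)."""
    return {
        name: (naive_is_allowed(name), hardened_stored_name(name, head))
        for name, head in SAMPLE_UPLOADS.items()
    }


if __name__ == "__main__":
    for name, (naive, hardened) in run_checks().items():
        verdict = f"accept as {hardened}" if hardened else "reject"
        print(f"{name:20} naive={str(naive):5} hardened={verdict}")
```

Two things worth noticing when you run it: the naive check also waves through "../../escape.gif", while the hardened one strips the path and accepts only the bare "escape.gif" under a random name; and a body that starts with a real GIF header and then carries PHP would still pass the magic-byte check, which is why the random rename and a non-executing upload directory matter as much as the extension test itself.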