Local File Inclusion (LFI) includes files that already exist on the server, using a path built from unsanitized user input.
Remote File Inclusion (RFI) includes files fetched from a remote location, so attacker-controlled code is executed on the server. Both are common in PHP applications that use dynamic file includes.
LFI can expose /etc/passwd, configuration files and log files (the latter enabling log poisoning). RFI gives direct code execution by hosting malicious PHP on a server the attacker controls. Prevention: whitelist the files that may be included, and disable allow_url_include in the PHP configuration.
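The whitelist mitigation from the last point, shown as an added PHP example beside the vulnerable pattern it replaces (not code from the original note); the `pages/` directory and page names are assumed.

```php
<?php
// Vulnerable: the include path is built directly from a request parameter.
// A traversal string (LFI) or, with allow_url_include enabled, a remote URL
// (RFI) would be included and executed by the server.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// Hardened: map the user-supplied key to a fixed set of known files so the
// raw value never reaches include(). Unknown keys fall back to a default page
// instead of producing an error that leaks filesystem paths.
// (The pages/ directory and its file names are assumptions for this example.)
const ALLOWED_PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $page): string
{
    return ALLOWED_PAGES[$page] ?? ALLOWED_PAGES['home'];
}

function render_page_safe(string $page): void
{
    include resolve_page($page);
}

// Defence in depth: check at runtime that the setting recommended in the
// note is actually off, so a misconfigured host is noticed early.
function remote_include_disabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN) === false;
}

if (!remote_include_disabled()) {
    error_log('allow_url_include is enabled; RFI is possible on this host');
}

render_page_safe($_GET['page'] ?? 'home');
```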