I have lately been reading into PHP security a bit to sharpen up on my knowledge.

A couple of months ago I had a "white hat" hacker come to me about one of my sites where he was able to actually get the contents of my PHP scripts (not the client-side code, the actual PHP code) by using an LFI approach (Local File Inclusion).

I read into the issue and had a few ideas and made some adjustments to the PHP.ini file, but I was curious as to how exactly he was able to do that. Does anyone know of any good articles out there that go into a lot of detail, or mind explaining it a little?

I assume most of the time this happens due to a faulty php.ini configuration by the server host, as I mostly work with clients who have shared hosting. Would that be accurate?