file()
The file() function in PHP is used to read the entire content of a file into an array. Each element of the array corresponds to a line in the file, with newline characters still attached. This function is particularly useful for reading and processing files line by line.
file(string $filename, int $flags = 0, resource $context = null): array|false
$filename: Path to the file.
$flags (Optional): A bitmask of flags for handling the file. Common flags include FILE_IGNORE_NEW_LINES (which omits newline characters from each element of the array) and FILE_SKIP_EMPTY_LINES (which skips empty lines).
$context (Optional): A context resource created with stream_context_create() to specify options like headers, proxy settings, etc.
For example, to read a file into an array:
$lines = file('path/to/file.txt');
if ($lines === false) {
    echo "Error reading the file";
} else {
    foreach ($lines as $line) {
        // Process each line
        echo $line;
    }
}
In this example, file() reads each line of file.txt into the array $lines. The script then iterates over each line for processing.
It can also be called with flags:
$lines = file('path/to/file.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($lines === false) {
    echo "Error reading the file";
} else {
    foreach ($lines as $line) {
        // Process each line without newline characters and skipping empty lines
        echo $line;
    }
}
In this version, FILE_IGNORE_NEW_LINES removes the newline characters at the end of each array element, and FILE_SKIP_EMPTY_LINES excludes empty lines from the array.
When using file() with user-supplied data, such as file paths, it's important to validate and sanitize the input to prevent security vulnerabilities like Directory Traversal. Additionally, be aware of the file permissions and the server's configuration when reading files to avoid unauthorized access or disclosure of sensitive information.
An example of a vulnerable implementation:
// A simple script where the file path is taken from user input
$filePath = $_GET['filePath'];
// Using file() with user-controlled input
$lines = file($filePath);
if ($lines === false) {
    echo "Error reading the file";
} else {
    foreach ($lines as $line) {
        // Output each line of the file
        echo htmlspecialchars($line);
    }
}
Danger
In this example, the script takes a file path from a query parameter (filePath) and reads its contents. An attacker could exploit this by manipulating the query string to access sensitive files. For instance, using a URL like:
http://example.com/script.php?filePath=../../etc/passwd
This URL could potentially give the attacker access to the /etc/passwd file on a Unix-like system, which contains user account information.
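A hardened counterpart to the vulnerable script above, as an added example that is not part of the original page: the requested name is resolved with realpath() and read only if it lands inside a fixed base directory. The helper name readLinesInside(), the temporary base directory and the sample file are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (an assumption of this example, not from the page):
// returns the file's lines only when $requested resolves to a regular file
// inside $baseDir, and null otherwise.
function readLinesInside(string $baseDir, string $requested): ?array
{
    // NUL bytes are never valid in a path (PHP 8 raises an error on them).
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // realpath() collapses "../" segments and follows symlinks; it returns
    // false when the path does not exist.
    $base = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false || !is_file($target)) {
        return null;
    }

    // Compare against the base plus a trailing separator, so a sibling such
    // as "/srv/docs-old" is not accepted for the base "/srv/docs".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // file() only ever sees the resolved absolute path, never the raw input.
    $lines = file($target, FILE_IGNORE_NEW_LINES);
    return $lines === false ? null : $lines;
}

// Constructed demo data: a temporary base directory with one allowed file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'file_demo_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'notes.txt', "first\nsecond\n");

foreach (['notes.txt', '../../etc/passwd', 'missing.txt'] as $input) {
    $lines = readLinesInside($base, $input);
    echo $input, ' => ', $lines === null ? 'rejected' : implode(' | ', $lines), PHP_EOL;
}

// Remove the constructed files.
unlink($base . DIRECTORY_SEPARATOR . 'notes.txt');
rmdir($base);
```

Where the set of readable files is small and known in advance, mapping a short identifier to a fixed path on the server avoids passing user input into the path at all.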