B.3. file( )
The file( ) function is one of my favorite ways to read a file. It returns an enumerated array in which each element of the array is a separate line in the file. What makes it particularly convenient is that you don't have to give it a file handleyou provide the filename, and it takes care of everything else for you:
<?php $contents = file('/tmp/file.txt'); print_r($contents); ?>
Given a file with two lines, this will output something similar to the following:
Array (  => This is line one.  => This is line two. )
Using fopen( ) is not particularly risky, but when used in combination with the allow_url_fopen configuration directive enabled, it can read many different types of resources such as the content of a remote web site:
<?php $contents = file('http://example.org/'); print_r($contents); ?>
This outputs the following (output abridged):
Array (  => <html>  => <head>  => <title>Example Web Page</title>  => </head>  => <body> ...  => </body>  => </html> )
If tainted data is used to construct the filename to be read with file( ), the contents must be considered tainted. This is because the tainted data used to construct the filename might cause you to reference a remote resource that returns malicious data. Once you store this data in a variable, the danger increases drastically:
<?php $tainted = file($_POST['filename']); ?>
Every element in the $tainted array is just as dangerous as $_POST['filename']it is input and must be filtered.
Here, this behavior is likely unintentionalthe misuse of $_POST['filename'] can change the behavior of file( ), so that it references a remote resource instead of a local one.