I've read about null bytes \0 and read about file_exists not being secure... Can someone tell If this code is safe: Or how do I fix it?
if (file_exists('controllers/' . $controller . '.php'))
This is the _action ("controller") variable, basically this is what $controller is validated with:
$_action = ( (isset($_GET['r']) && ctype_alnum($_GET['r'])) ? $_GET['r'] : $_default );
php > $a = "abc\0def";
php > echo strlen($a);
7
PHP's is based on libc, but is also a bit smarter than libc and knows how long its strings are, and doesn't suffer from injectable nulls. That being said, not all PHP extensions are the same and some may suffer from the problem, so the answer to your question is... "it depends".
As for file-exists, it's as safe as you want it to be. if you're using to generate a temporary file, something like:
$tmp_name = "some random value";
if (!file_exists($tmp_name)) {
file_put_contents($tmp_name, "something very critical");
}
is very unsafe. In the small fraction of a second between the time file_exists returns with a "nope, file doesn't exist", and whenever the file_put_contents starts executing, a malicious user COULD manipulate things so that your output goes somewhere completely different.
Yes, that's perfectly safe, since it cannot contain special chars like / or .