It depends on what you are trying to protect against.
`file_exists` does not write to disk, which means that the worst thing that can happen is that someone gets some information about your file system or about the existence of files that you have. In practice, however, if you do something later with the same file that you previously verified with `file_exists`, such as `include`-ing it, you can perform more stringent checks.
I assume that you can pass arbitrary values, possibly derived from user input, into this function.
If so, it depends on why you really need to use `file_exists` in the first place. In general, for any file system function to which the user can pass values directly, I would try to filter the string as much as possible. It is really just pedantic and safe, and in practice it may be unnecessary.
So, for example, if you only need to check for the presence of a file in one directory, you should probably strip all of the directory separators.
From personal experience, I have only ever passed user input to a `file_exists` call to map it to a controller file, in which case I would just delete any character that is not a letter or an underscore.
UPDATE: reading the recently added comments, there are no special characters to worry about, since this is not done in the shell. Even `\0` should be fine, at least on newer versions of PHP (I believe that the older ones will cut the string before `\0` when it is sent to calls to the underlying file system).
zinga
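The controller-mapping case from the answer above, as an added PHP example that is not part of the original post: the user-supplied name is rejected outright unless it is letters and underscores only (rejecting rather than stripping, so nothing is silently rewritten), and the resolved path is then confirmed to sit inside the controller directory. `CONTROLLER_DIR` and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not from the answer: whitelist a user-supplied controller
// name before it reaches file_exists() and include. CONTROLLER_DIR is an
// assumed location chosen for this illustration.
const CONTROLLER_DIR = __DIR__ . '/controllers';

/**
 * Return the controller file path for $name, or null if $name is rejected
 * or no such controller exists. Only letters and underscores are accepted,
 * so directory separators, "..", "\0" and similar never reach the file
 * system call at all.
 */
function controllerPath(string $name): ?string
{
    if (!preg_match('/\A[A-Za-z_]+\z/', $name)) {
        return null;                        // reject instead of silently stripping
    }
    $path = CONTROLLER_DIR . '/' . $name . '.php';
    if (!file_exists($path)) {
        return null;
    }
    // Belt and braces: the resolved path must still be inside CONTROLLER_DIR
    // (covers a symlink that was dropped into the controller directory).
    $real = realpath($path);
    $base = realpath(CONTROLLER_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs: only a plain name like "home" can ever resolve; the
// others are rejected by the whitelist before any file system access.
foreach (['home', '../config', "home\0.txt", 'sub/home'] as $input) {
    $p = controllerPath($input);
    printf("%-14s => %s\n", json_encode($input),
        $p === null ? 'rejected / not found' : 'include ' . basename($p));
}
```

With an existing `controllers/home.php` the first input resolves; the remaining three never reach `file_exists` because the whitelist fails first.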