file_exists() expects parameter 1 to be a valid path, string given

Question

I'm designing a web application that can be customized based on which retail location the end user is coming from. For example, if a user is coming from a store called Farmer's Market, there may be customized content or extra links available to that user, specific to that particular store. file_exists() is used to determine if there are any customized portions of the page that need to be imported.

Up until now, we've been using a relatively insecure method, in which the item ID# and the store are simply passed in as GET parameters, and the system knows to apply them to each of the links within the page. However, we're switching to a reversible hash method, in which the store and item number are encrypted (to look something like "gd651hd8h41dg0h81"), and the pages simply decode them and assign the store and ID variables.

Since then, however, we've been running into an error that Googling extensively hasn't found me an answer for. There are several similar blocks of code, but they all look something like this:

$buttons_first = "../stores/" . $store . "/buttons_first.php";

if(file_exists($buttons_first))
{
    include($buttons_first);
}

(The /stores/ directory is actually in the directory above the working one, hence the ../)

Fairly straightforward. But despite working fine when a regular ID and store is passed in, using the encrypted ID throws this error for each one of those similar statements:

Warning: file_exists() expects parameter 1 to be a valid path, string given in [url removed] on line 11

I've had the script spit back the full URL, and it appears to be assigning $store correctly. I'm running PHP 5.4.11 on 1&1 hosting (because I know they have some abnormalities in the way their servers work), if that helps any.

Answer 1

I got the same error before but I don't know if this solution of mine works on your problem you need to remove the "\0" try replace it:

$cleaned = strval(str_replace("\0", "", $buttons_first));

it worked on my case.

Answer 2

Run a var_dump(strpos($buttons_first,"\0")), this warning could come up when a path has a null byte, for security reasons. If that doesn't work, check the length of the string and make sure it is what you'd expect, just in case there are other invisible bytes.

Answer 3

It may be a problem with the path as it depends where you are running the script from. It's safer to use absolute paths. To get the path to the directory in which the current script is executing, you can use dirname(__FILE__).