How safe are php's native functions to use with unfiltered input?

Tags: security, php

Maybe I am being a bit paranoid, but as I am re-writing a contact module, the following question came to mind:

Can I use unfiltered input in php's native functions?

It is easy to sanitize stuff to put in a database, output to the screen, etc. but I was wondering if for example the following statement could be dangerous:

    if (file_exists($_POST['brochure'])) {
        // do some stuff
    }

If someone somehow managed to post to that page, could the above code be exploited?

The above code is just an example, I can think of other functions I use when processing a form.

Edit: Thanks everybody. The file_exists in the example is actually part of a sanitation function, but when cleaning up, php functions are being used, so it is rapidly becoming a chicken-and-egg story: to use functions, I have to clean up, but to clean up I have to use functions.

Anyway, I have got some fresh ideas now.

jeroen asked Mar 12 '09 00:03


2 Answers

Yep. All I'd have to do is post "/etc/passwd", or "includes/dbconnection.php" (or anything) to your page, and depending on what //do some stuff actually is, I could possibly delete, modify or read sensitive information. The file_exists function itself won't do anything you wouldn't expect, but you can expect malicious users exploiting your logic.

Always sanitise your user input. Always. If you're expecting to only grab files from one particular folder, don't allow .. or / in the input.

nickf answered Oct 20 '22 10:10


By itself, that looks reasonably safe, but it could be used to reveal information. It could allow an attacker to check for the presence (or absence) of particular files (e.g. /etc/passwd, /proc/*, etc).

So in this example, you should ensure that $_POST['brochure'] is sanitised first to only accept inputs that match potentially valid file names. Drop any input that contains .., or that starts with a /.

Other functions could have potentially much worse side effects...

Alnitak answered Oct 20 '22 11:10
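Both answers make the same recommendation: restrict the brochure name to one folder and reject anything containing .. or starting with /. The following is an added example (not code from the question or from either answer) of how the snippet in the question could be hardened in that spirit. It applies a strict allow-list pattern first, then confirms that the resolved path still sits inside a single directory, so the value handed to the file functions can never name anything outside that folder, and the existence check cannot be used as an oracle for arbitrary files such as /etc/passwd. The BROCHURE_DIR constant, the .pdf naming rule and the resolveBrochure() helper are assumptions made for illustration.

```php
<?php
// Added example, not part of the original question or answers.
// Hardened replacement for: if (file_exists($_POST['brochure'])) { ... }

declare(strict_types=1);

// Assumed location of the only folder brochures may be read from.
const BROCHURE_DIR = __DIR__ . '/brochures';

/**
 * Return the absolute path of an existing brochure, or null if the input is
 * rejected. The raw value is never passed to a file function; it is used only
 * after two checks:
 *  1. an allow-list pattern, which by construction excludes "/", "\", "..",
 *     NUL bytes and anything that is not a plain .pdf basename;
 *  2. a realpath() containment check, so a symlink inside the folder cannot
 *     lead to a file outside it.
 */
function resolveBrochure(string $userInput): ?string
{
    // 1. Shape check: letters, digits, dash, underscore, then exactly ".pdf".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.pdf\z/', $userInput)) {
        return null;
    }

    // 2. Containment check: resolve both paths and compare the prefix.
    $base = realpath(BROCHURE_DIR);
    $path = realpath(BROCHURE_DIR . '/' . $userInput);
    if ($base === false || $path === false) {
        return null; // folder missing, or no such brochure (realpath() is false for non-existent files)
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved to something outside BROCHURE_DIR
    }

    return $path;
}

// Usage in the form handler. $_POST values may be arrays (brochure[]=x), so only
// accept a string; anything else is treated as an empty, and therefore invalid, name.
$raw = $_POST['brochure'] ?? '';
$brochure = resolveBrochure(is_string($raw) ? $raw : '');

if ($brochure !== null) {
    // do some stuff with $brochure, now known to be a .pdf inside BROCHURE_DIR
} else {
    http_response_code(400);
    echo 'Unknown brochure';
}
```

The order of the checks matters: the pattern match runs before any filesystem call, so the function never touches the disk with an unvalidated value, and the realpath() comparison is a second, independent guard rather than the only one. Rejected input gets a generic 400 response that does not say which check failed, which keeps the handler from leaking whether a given file exists.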