Null Byte in File Paths (Legacy PHP)
TL;DR
Null bytes (%00) in file paths truncated strings at the C level in PHP < 5.3.4 — PHP 5.3.4+ throws a warning, PHP 7 throws ValueError for NUL in paths.
Explanation
In PHP < 5.3.4, a null byte in a string terminated the C-level string functions underneath PHP's file operations. Attackers exploited this in code such as include $_GET['file'] . '.php'; with file=../../../../etc/passwd%00: the NUL ended the path before the appended .php, so /etc/passwd was included instead. Fixed in PHP 5.3.4, where file functions reject strings containing NUL. PHP 7 throws ValueError for NUL in filenames. On legacy codebases stuck on older PHP, reject any input for which strpos($input, chr(0)) !== false. On modern PHP (7+) the bug is not exploitable, but stripping NUL is still worth doing for defence in depth.
Common Misconception
✗ Null byte injection is fixed in all modern PHP — it is fixed in PHP 5.3.4+ and throws in PHP 7, but legacy codebases on older PHP remain vulnerable.
Why It Matters
Null byte injection in file paths bypassed extension validation and enabled arbitrary file inclusion on millions of PHP 4/5 sites.
Common Mistakes
- Not upgrading from PHP 5.3.3 or earlier on legacy systems.
- Not sanitising null bytes in input even on modern PHP (defence in depth).
- Relying solely on extension append (.php) for security — null byte bypassed this.
Code Examples
✗ Vulnerable
<?php
// PHP < 5.3.4 — vulnerable: the NUL byte ends the C string, so the
// appended '.php' is never seen by the filesystem.
$file = $_GET['file']; // 'shell.php%00' arrives URL-decoded as "shell.php\0"
include $file . '.php'; // Includes shell.php, ignores .php suffix
✓ Fixed
<?php
// Modern PHP (7+) throws automatically
// Defence in depth — sanitise anyway:
$file = str_replace(chr(0), '', $_GET['file'] ?? ''); // strip NUL bytes
$file = basename($file); // Remove path traversal
$path = realpath('/uploads/' . $file); // false if the file does not exist
// str_starts_with() requires PHP 8.0+; on PHP 7 use strncmp($path, '/uploads/', 9) === 0
if ($path === false || !str_starts_with($path, '/uploads/')) {
    abort(400); // framework helper (e.g. Laravel); in plain PHP use http_response_code(400); exit;
}
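The fixed snippet compares against a literal prefix and uses str_starts_with(), which only exists from PHP 8.0. As an added example (not code from the original entry), here is a resolver written for PHP 5.3.4+/7 that also canonicalises the base directory with realpath() and reports why a path was rejected; the function and variable names are this example's own:

```php
<?php
// Added example, not from the original entry. Confines a user-supplied
// filename to a base directory without relying on PHP 8 functions.
function resolve_confined_path($base_dir, $user_input, &$reason = null)
{
    // 1. Reject NUL explicitly so the attempt can be logged as an attack
    //    rather than surfacing later as a generic warning or ValueError.
    if (strpos($user_input, "\0") !== false) {
        $reason = 'nul_byte';
        return null;
    }
    // 2. Conservative filename charset; no '/' or '\' means no traversal
    //    segments can survive. '.' and '..' are excluded explicitly.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,255}\z/', $user_input)
        || $user_input === '.' || $user_input === '..') {
        $reason = 'bad_name';
        return null;
    }
    // 3. Canonicalise BOTH base and candidate. realpath() follows symlinks,
    //    so comparing against the literal base string would misjudge paths
    //    whenever the base directory is itself a symlink.
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $user_input);
    if ($base === false || $path === false) {
        $reason = 'missing';
        return null;
    }
    // 4. Prefix check that includes the separator, so '/uploads_x'
    //    cannot pass as being inside '/uploads'.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        $reason = 'escaped_base';
        return null;
    }
    $reason = 'ok';
    return $path;
}

// Constructed self-test on a throwaway temporary directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'confined_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . '/page.php', "<?php echo 'ok';\n");
$cases = array("page.php", "page.php\0.txt", "../../../etc/passwd", "missing.php");
foreach ($cases as $c) {
    $r = resolve_confined_path($tmp, $c, $why);
    printf("%-24s => %s (%s)\n", addcslashes($c, "\0"), var_export($r !== null, true), $why);
}
unlink($tmp . '/page.php');
rmdir($tmp);
```

Only page.php resolves; the NUL-byte, traversal and nonexistent inputs are rejected with distinct reasons that can be fed to logging or detection.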
Added
23 Mar 2026
Tools & Severity
🔴 Critical
⚙ Fix effort: Medium
⚡ Quick Fix
Upgrade PHP to 7+. Sanitise with str_replace(chr(0), '', $input). Always use realpath() + path prefix check for file operations.
📦 Applies To
PHP 3.0+
web
🔍 Detection Hints
Pattern: \$_GET.*\.php|include.*\$
Auto-detectable: ✓ Yes (semgrep)
🤖 AI Agent
Confidence: High
False Positives: Low
✗ Manual fix
Fix: Medium
Context: Function
Tests: Update
CWE-158
CWE-22
CWE-626