Null Byte in Path

Fatal error: Uncaught ValueError: Path must not contain any null bytes

Quick Answer

A file path contains a null byte character, likely from unsanitized user input. Validate and sanitize all user input used in file paths.

Why This Happens

PHP 8.0+ throws a ValueError when file functions receive paths containing null bytes. This is a security improvement, as null bytes in paths were historically used for path truncation attacks. The null byte usually comes from unsanitized user input being used directly in file operations.

The Problem

$filename = $_GET['file']; // Could contain null byte
$content = file_get_contents('/uploads/' . $filename);

The Fix

$filename = $_GET['file'] ?? '';
$filename = basename($filename); // Remove path traversal
if (str_contains($filename, "\0") || $filename === '') {
    throw new InvalidArgumentException('Invalid filename');
}
$path = '/uploads/' . $filename;
if (!file_exists($path)) {
    throw new RuntimeException('File not found');
}
$content = file_get_contents($path);

Step-by-Step Fix

1
Identify the tainted input
Find where user input enters the file path. Check $_GET, $_POST, and any other external data sources.
2
Sanitize the input
Use basename() to strip directory components, and filter out null bytes and other dangerous characters.
3
Validate the final path
Use realpath() to resolve the path and verify it is within the expected directory to prevent path traversal attacks.

Bugsly catches this automatically

Bugsly's AI analyzes this error pattern in real-time, explains what went wrong in plain English, and suggests the exact fix — before your users even report it.

Try Bugsly free

Related Errors

Permission Denied on File Operation

Warning: file_put_contents(/var/log/app.log): Failed to open stream: Permission denied

Failed to Open Stream: No Such File or Directory

Warning: fopen(data/output.csv): Failed to open stream: No such file or directory