“
If user-controllable data is passed to these APIs, an attacker may be able to exploit these to access arbitrary files on the server filesystem.

fopen, readfile, file, fpassthru, gzopen, gzfile, gzpassthru, readgzfile, copy, rename, rmdir, mkdir, unlink, file_get_contents, file_put_contents, parse_ini_file
”
Dafydd Stuttard (The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws)
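
A code-review aid for the API list quoted above, added here as an example and not taken from the book: it flags calls to those functions whose arguments derive from request data so a reviewer can check each one. The names `audit`, `is_tainted` and `call_args`, the line-by-line taint tracking, the choice of superglobals as the only sources, and the PHP sample are all assumptions made for illustration.

```python
import re

# File-access APIs named in the quoted passage.
FILE_APIS = ("fopen readfile file fpassthru gzopen gzfile gzpassthru readgzfile copy "
             "rename rmdir mkdir unlink file_get_contents file_put_contents "
             "parse_ini_file").split()
# Assumption: request superglobals are the only sources of user-controllable data.
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")
# Bare calls only: the lookbehind skips methods (->file), statics (::copy),
# variables ($file) and longer names that merely end in an API name.
CALL = re.compile(r"(?<![\w$>:])(" + "|".join(FILE_APIS) + r")\s*\(", re.I)
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)\s*(.+?);")

def is_tainted(expr, tainted):
    """True if expr mentions a request superglobal or an already-tainted variable."""
    return bool(SOURCE.search(expr)) or any(
        v in tainted for v in re.findall(r"\$\w+", expr))

def call_args(line, open_paren):
    """Return the text between the parenthesis at open_paren and its match."""
    depth = 0
    for i in range(open_paren, len(line)):
        depth += {"(": 1, ")": -1}.get(line[i], 0)
        if depth == 0:
            return line[open_paren + 1:i]
    return line[open_paren + 1:]  # call continues on a later line

def audit(php_source):
    """Return (line number, function) for each file API call fed by request data."""
    tainted, findings = set(), []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for var, rhs in ASSIGN.findall(line):
            # Reassigning a variable to a clean value clears its taint.
            (tainted.add if is_tainted(rhs, tainted) else tainted.discard)(var)
        for m in CALL.finditer(line):
            if is_tainted(call_args(line, m.end() - 1), tainted):
                findings.append((lineno, m.group(1).lower()))
    return findings

# Constructed PHP sample, not from any real application.
SAMPLE = """<?php
$page = $_GET['page'];
$path = "/var/www/pages/" . $page;
readfile($path);
$log = fopen("/var/log/app.log", "a");
unlink($_POST['tmp']);
$cfg = parse_ini_file(__DIR__ . "/app.ini");
$safe = basename($_GET['doc']);
echo file_get_contents("/srv/docs/" . $safe);
"""

if __name__ == "__main__":
    for lineno, func in audit(SAMPLE):
        print(f"line {lineno}: {func}() receives request-derived data")
```

The scan does not model sanitizers, so the `basename()` call in the sample is still reported; each finding is a prompt to confirm that the path is constrained to an intended directory.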