Vulnerability Development mailing list archives

php file injection


From: r0man () phreaker net
Date: Fri, 31 May 2002 09:59:24 +0200


 Hi,

 Fast silly question: let's suppose a .php where you have:
- a variable $template, which could be set up by an attacker
- the script creates a new variable adding a file-extension:
 $file = $template . ".txt"
- finally it does an open($file).

 Well, it is quite evident that an attacker could easily read any .txt
file on the system. But, would it be possible for an attacker to read
*any* file (with *any* extension)? (for instance, /etc/passwd).

 In perl there are some tricks like %00 that could help us to get rid
of the file extension, but I don't know of any similar trick in .php.

 Regards,
 --Roman
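
The pattern described in this message, next to a hardened counterpart, as an added example that is not part of the original post. The function name `resolve_template`, the directory layout and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Pattern from the post (kept as a comment, not executed):
//   $file = $template . ".txt";  fopen($file, "r");

// Constructed sandbox so the script runs offline.
$base = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
@mkdir($base . '/templates', 0700, true);
file_put_contents($base . '/templates/welcome.txt', "hello\n");
file_put_contents($base . '/secret.txt', "not a template\n");

/** Map a user-supplied template name to a file inside $dir, or null. */
function resolve_template(string $dir, string $name): ?string
{
    // 1. Allowlist the name. \A and \z anchor the whole string, so NUL
    //    bytes, "/", "\", "." and trailing newlines are all rejected.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // 2. Canonicalise and confirm the result is still under $dir.
    //    This also catches a symlink inside $dir that points elsewhere.
    $root = realpath($dir);
    $path = realpath($dir . '/' . $name . '.txt');
    if ($root === false || $path === false) {
        return null; // directory or file does not exist
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs: one valid name, then the cases raised in the post.
$samples = ['welcome', '../secret', "/etc/passwd\0", 'missing'];
foreach ($samples as $s) {
    $p = resolve_template($base . '/templates', $s);
    printf("%-20s => %s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        $p === null ? 'rejected' : 'ok: ' . basename($p));
}

// Remove the constructed sandbox.
unlink($base . '/templates/welcome.txt');
unlink($base . '/secret.txt');
rmdir($base . '/templates');
rmdir($base);
```

Only `welcome` resolves; the other three inputs are rejected before any file is opened.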

