I have user inputted HTML content stored on files without extension, on system-named folders and not user named files.
> file_put_contents($DBStoredFolder.'/'.$DBStoredFilename, $UserInputHtml);
How safe is to retrieve the content and print it?
> $content = file_get_contents($DBStoredFolder.'/'.$DBStoredFilename);
> echo '<html><body>'.$content.'</body></html>';
Can a file without extension only accessed via file_get_contents on a fixed path and then echoed, run PHP code?
I know that the returning html needs to be secured when it runs on the browser but that is other thing.
There's no way to answer that question generally.
If you're completely in control of the filename (i.e., there's no possibility of user input interfering with the filename), then it's safe to open the file at that path.
If you're completely in control of the contents of the file (i.e., it couldn't possibly be a user-uploaded or user-edited file) then it's safe to display it.
If you're completely in control of the formatting in the file and can be sure that it's already HTML, then there's no need to escape or sanitize the contents before displaying.
Almost always, though, one or more of those assumptions isn't really valid. How you cope with the uncertainty depends entirely on the specifics of the situation. In general, sanitize the filename, sanitize the file contents, sanitize the display, sanitize everything.
Personally, I'd rather be overly cautious with a filename I do control than risk introducing user input without realizing it.