php > $a = "abc\0def";
php > echo strlen($a);
7
PHP's is based on libc, but is also a bit smarter than libc and knows how long its strings are, and doesn't suffer from injectable nulls. That being said, not all PHP extensions are the same and some may suffer from the problem, so the answer to your question is... "it depends".
As for file-exists, it's as safe as you want it to be. if you're using to generate a temporary file, something like:
$tmp_name = "some random value";
if (!file_exists($tmp_name)) {
file_put_contents($tmp_name, "something very critical");
}
is very unsafe. In the small fraction of a second between the time file_exists returns with a "nope, file doesn't exist", and whenever the file_put_contents starts executing, a malicious user COULD manipulate things so that your output goes somewhere completely different.