It looks like you aren't entering in a filename, if that's the case then $file gets its value directly from the script ($file = 'xcanalys.txt';) which is why it isn't tainted.