Both pieces of code output a file named png i.e. not extension just png.
Which would indicate that
$tcgname[$i] is empty (or is not set). Do you have error reporting enabled? You can inspect the contents of
$file = trim($_GET['path']); // . . . readfile($file); unlink($file);
You need to validate the contents of
$_GET['path'] (e.g., by checking that it names a file in a particular “allowed” directory). Using this script, one may read —and then delete— any file on your computer that is readable by PHP, simply by knowing, or guessing, its name.