[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?
krozinov at gmail.com
Sun Apr 5 20:56:22 EDT 2009
I have a question about logging messages.
Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?
For example, if I have a function called check_username(), which
checks that the username only consists of A-Za-z0-9, is it safe to
have check_username() write to a logfile that it was called on the
particaular user-inputted string, like so:
function check_username($username, &$error)
.. set $log_file...
/* print out informational message. */
error_log(__FUNCTION__ . '(' . $username . '): called.', 3, $log_file);
..check the username for correctness..
Function called like so:
Output to logfile:
Is it possible for an attacker to submit a specific string as the
$username to somehow "escape" out of the error_log() function and have
code executed instead (like calling phpinfo())?
More information about the talk