[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?
brianw1975 at gmail.com
Sun Apr 5 21:06:25 EDT 2009
$user_input = "`rm -Rf /`"
in case it wasn't - backticks are basically the shortcut to get PHP to
execute something on the command line.
*always* check incoming user data.
On Sun, Apr 5, 2009 at 8:56 PM, Konstantin Rozinov <krozinov at gmail.com> wrote:
> Hey guys,
> I have a question about logging messages.
> Is it safe to log unsanitized, unvalidated user-inputted data into a
> For example, if I have a function called check_username(), which
> checks that the username only consists of A-Za-z0-9, is it safe to
> have check_username() write to a logfile that it was called on the
> particular user-inputted string, like so:
> Function definition:
> function check_username($username, &$error)
> .. set $log_file...
> /* print out informational message. */
> error_log(__FUNCTION__ . '(' . $username . '): called.', 3, $log_file);
> ..check the username for correctness..
> Function called like so:
> check_username($_POST['username'], $error);
> Output to logfile:
> check_username(user1): called.
> Is it possible for an attacker to submit a specific string as the
> $username to somehow "escape" out of the error_log() function and have
> code executed instead (like calling phpinfo())?
> New York PHP User Group Community Talk Mailing List
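As an added illustration (not code from either poster), here is a check_username() that applies the A-Za-z0-9 rule from the question and logs only a sanitized copy of the raw input. A backtick inside a string value is plain data; the backtick operator only executes when it appears in PHP source code, so error_log() will not run it. The practical risk in logging raw input is log forging via newlines or control characters, which the sanitizer below neutralizes. The log path and the length limits are assumptions.

```php
<?php
// Added example, not from the original thread. Validates a username and
// logs a sanitized form of the raw input so attacker-controlled bytes
// cannot forge extra log lines or hide from log viewers.

function sanitize_for_log(string $value, int $max_len = 64): string
{
    // Truncate to a bounded length, then render anything outside printable
    // ASCII (newlines, tabs, NUL, escape sequences, high bytes) as \xNN.
    $value = substr($value, 0, $max_len);
    return preg_replace_callback(
        '/[^\x20-\x7E]/',
        fn(array $m): string => sprintf('\\x%02X', ord($m[0])),
        $value
    );
}

function check_username(string $username, ?string &$error): bool
{
    $log_file = '/tmp/check_username.log'; // assumed path for the demo

    // Informational message: log the sanitized input, never the raw bytes.
    error_log(
        __FUNCTION__ . '(' . sanitize_for_log($username) . "): called.\n",
        3,
        $log_file
    );

    // The rule from the question: only A-Z, a-z, 0-9 (length bound assumed).
    if (preg_match('/^[A-Za-z0-9]{1,32}$/', $username) !== 1) {
        $error = 'username must be 1-32 characters from A-Za-z0-9';
        return false;
    }
    $error = null;
    return true;
}

// Constructed inputs: a valid name, the backtick string from the reply,
// and a newline-injection attempt that tries to forge a second log line.
$cases = ["user1", "`rm -Rf /`", "user1\ncheck_username(admin): called."];
foreach ($cases as $input) {
    $error = null;
    $ok = check_username($input, $error);
    printf("%-45s => %s\n", json_encode($input), $ok ? 'valid' : "rejected: $error");
}
```

After running it, the log file shows the third case on a single line with the newline rendered as \x0A, which is what a log-integrity check or SIEM parser should see.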