[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?

Michael B Allen ioplex at gmail.com
Mon Apr 6 02:40:51 EDT 2009


On Mon, Apr 6, 2009 at 12:47 AM, Brian Williams <brianw1975 at gmail.com> wrote:
> and if the text isn't passed with double quotes?
> if his code had read:
>
> error_log(__FUNCTION__ . "($username): called.", 3, $log_file);
>
> I wouldn't have made any comment at all.
>
> If the backticked code were not in double quotes it would be executed and
> the resulting output of the backticked code would be recorded to the log.

Backticks must be interpreted as part of the script or using eval. So
because user input would be in the form of a string, the backticks
will not be interpreted.

>> Note that even though validating data when it is first received is not
>> critical to security, escaping output /is/ critical to security. So
>> it's ok to receive garbage. Just don't send garbage.
>
> are you joking?  how do you test for "garbage" without having tested the
> input?  how do you tell your php script what garbage is?  You can't, at best
> you can only program the script to test for what *isn't* garbage - i.e. a
> regex. and then proceed to allow the function to work safely.

No. I'm not joking. By "garbage" I mean anything so you don't need to
"test" it. You can safely put totally unvalidated "garbage" into a
database. It just needs to be escaped. Validating and escaping are two
completely different things.

> i admit, yes, you have to escape stuff before it gets recorded (which is
> obvious)... but you also have to make sure that by concatenating text to
> anything that the text does not actually *do* something if the text is
> referenced without double quotes.
>
> throw <?php echo "this is a test of `ls -al ./`" . `ls -al ./`;?> into a
> file and see what happens.

That's not what the OP's code does. The OP code does the equivalent of this:

<?php
$user_input = '`ls`';
echo "this is a test of `ls -al ./`" . $user_input;

User supplied data will be in the form of a string and therefore the
backticks will not be evaluated.

The OP code is totally harmless.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
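
The two points made in the message above, as an added example that is not part of the original post: backticks inside a string value are never executed, and output is escaped for its destination, here a one-entry-per-line log file. `log_escape()`, `login()`, the temporary log path and the sample inputs are constructed for illustration.

```php
<?php
// Hypothetical helper (not from the thread): make a value safe for a
// one-entry-per-line log by turning control bytes into visible escapes.
function log_escape(string $value): string
{
    // Escape the backslash first so the escaped output stays unambiguous.
    $value = str_replace('\\', '\\\\', $value);
    return preg_replace_callback(
        '/[\x00-\x1F\x7F]/',
        fn(array $m): string => sprintf('\\x%02X', ord($m[0])),
        $value
    );
}

// Hypothetical function using the same error_log() call shape as the code
// quoted in the thread, with escaping applied to the user-supplied value.
function login(string $username, string $log_file): void
{
    // Message type 3 appends to a file and does not add a newline itself.
    error_log(
        __FUNCTION__ . '(' . log_escape($username) . "): called.\n",
        3,
        $log_file
    );
}

// Constructed log path and sample inputs.
$log_file = tempnam(sys_get_temp_dir(), 'log');

login('alice', $log_file);
// Backticks arriving as data are just characters; nothing is executed.
login('`ls -al ./`', $log_file);
// An embedded newline would otherwise start a second, forged log line.
login("bob\nlogin(admin): called.", $log_file);

// Each call produced exactly one line in the file.
echo file_get_contents($log_file);
unlink($log_file);
```

The escaping is specific to the log format: the same value written to HTML or SQL needs that context's own escaping instead.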
