[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?

Justin Hileman justin at justinhileman.info
Mon Apr 6 03:47:55 EDT 2009


Brian Williams wrote:
>
>
> On Sun, Apr 5, 2009 at 11:17 PM, Michael B Allen <ioplex at gmail.com> wrote:
>
>     On Sun, Apr 5, 2009 at 9:06 PM, Brian Williams <brianw1975 at gmail.com> wrote:
>      > phpinfo() pish...
>      >
>      >
>      > $user_input = "`rm -Rf /`"
>      >
>      > nuff said.
>      >
>      > in case it wasn't - backticks are basically the short cut to get
>     PHP to
>      > execute something on the command line.
>
>     I don't understand how this has any impact on the OP's code. The
>     backticks would simply be written to the log file. If you are careless
>     enough to try to execute a log file as a shell script then you might
>     as well erase your disk.
>
>
> and if the text isn't passed with double quotes?
>

The text isn't ever passed with double quotes. It's passed as a string. 
Double quotes are just a mechanism used *inside a PHP file* to clump a 
bunch of characters into a string. The real contents of the variable are 
what's between the double quotes. That's why the following are all 
equivalent:

$bar = 'test';

$foo = "test";

$baz = <<<EOT
test
EOT;

$qux = <<<'EOT'
test
EOT;


Since user input comes from GET, POST or FILES, it will *always* be a 
string. For example, if a user visits the following url:

http://example.com/index.php?foo=test

the user input $_GET['foo'] is strictly equal to all four of those 
strings above:

assert($_GET['foo'] === 'test');

assert($_GET['foo'] === <<<EOT
test
EOT
);

etc.


The contents of that GET variable (or a POST variable, or the contents 
of a file) is a string. A string will never hurt you unless you evaluate 
it as code--either through a call to eval(), or a DB query (yep, that's 
evaluating a string), or some other way.

For everything outside of those uses, worrying about sanitizing things 
inside a string is about as useful as worrying about PHP function names 
and keywords inside a string. Can you imagine how much of a pain it 
would be to escape every instance of 'die' or 'exit' or 'print' from PHP 
strings?

-- 
justin
http://justinhileman.com
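An added example (not from Justin's message or anyone else in this thread) that illustrates the point above: the backtick string is written to the log as plain characters and never reaches a shell. It also escapes CR/LF bytes before writing, because a line-oriented log reader is one of the "some other way" evaluation contexts mentioned, and a raw newline inside a field would otherwise let one request look like two log records. The helper name log_line, the sample input and the temp-file path are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample input, standing in for $_GET['foo'] (not real traffic).
// It contains backticks and an embedded newline followed by a fake record.
$user_input = "`rm -Rf /`\nFAKE 2009-04-06 admin logged in";

// Append one record to $file. The only transformation is escaping the two
// bytes a line-oriented reader treats as structure; nothing is executed.
function log_line(string $file, string $input): void
{
    // Single-quoted '\r' and '\n' are the literal two-character sequences,
    // so the original bytes are replaced by visible escapes in the file.
    $safe  = str_replace(["\r", "\n"], ['\r', '\n'], $input);
    $entry = sprintf("[%s] input=%s\n", date('c'), $safe);
    file_put_contents($file, $entry, FILE_APPEND | LOCK_EX);
}

$log = tempnam(sys_get_temp_dir(), 'nyphp-log-');
log_line($log, $user_input);

$contents = file_get_contents($log);

// The backticks are still there as characters; no shell ever saw them.
echo "backticks preserved as text: ",
     (strpos($contents, '`rm -Rf /`') !== false ? 'yes' : 'no'), "\n";

// Exactly one newline in the file: the injected one was escaped, so the
// fake "admin logged in" text stays inside the same record.
echo "records in file: ", substr_count($contents, "\n"), "\n";

echo $contents;
unlink($log);
```

Run it with the PHP CLI; the first line should say "yes" and the record count should be 1. The escaping is about keeping the log file's own format honest for whatever reads it later, not about making the string "safe" for PHP, which, as the message says, it already is.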