[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?

Justin Hileman justin at
Mon Apr 6 03:47:55 EDT 2009

Brian Williams wrote:
> On Sun, Apr 5, 2009 at 11:17 PM, Michael B Allen <ioplex at
> <mailto:ioplex at>> wrote:
>     On Sun, Apr 5, 2009 at 9:06 PM, Brian Williams <brianw1975 at
>     <mailto:brianw1975 at>> wrote:
>      > phpinfo() pish...
>      >
>      >
>      > $user_input = "`rm -Rf /`"
>      >
>      > nuff said.
>      >
>      > in case it wasn't - backticks are basically the short cut to get
>     PHP to
>      > execute something on the command line.
>     I don't understand how this has any impact on the OP's code. The
>     backticks would simply be written to the log file. If you are careless
>     enough to try to execute a log file as a shell script then you might
>     as well erase your disk.
> and if the text isn't passed with double quotes?

The text isn't ever passed with double quotes. It's passed as a string. 
Double quotes are just a mechanism used *inside a PHP file* to clump a 
bunch of characters into a string. The real contents of the variable is 
what's between the double quotes. That's why the following are all 

$bar = 'test';

$foo = "test";

$baz = <<<EOT
test
EOT;

$qux = <<<'EOT'
test
EOT;

Since user input comes from GET, POST or FILES, it will *always* be a 
string. For example, if a user visits the following url:

the user input $_GET['foo'] is strictly equal to all four of those 
strings above:

assert($_GET['foo'] === 'test');

assert($_GET['foo'] === <<<EOT
test
EOT
);

The contents of that GET variable (or a POST variable, or the contents 
of a file) is a string. A string will never hurt you unless you evaluate 
it as code--either through a call to eval(), or a DB query (yep, that's 
evaluating a string), or some other way.

For everything outside of those uses, worrying about sanitizing things 
inside a string is about as useful as worrying about PHP function names 
and keywords inside a string. Can you imagine how much of a pain it 
would be to escape every instance of 'die' or 'exit' or 'print' from PHP 

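The distinction the reply draws (a string is inert until something evaluates it as code) can be checked directly. The script below is an added example, not code from the thread or from any of its participants. It assumes a PHP CLI with shell_exec() and eval() available and uses a temp file as the log; the input string is constructed here, with the thread's `rm -Rf /` swapped for a harmless `echo` so the demonstration is safe to run.

```php
<?php
// Added example (not from the original thread). Assumes PHP 7+ CLI,
// shell_exec() not disabled, and write access to the system temp dir.

// Constructed sample input standing in for $_GET['foo']: the thread's
// backtick payload, with the destructive command replaced by a marker.
$user_input = '`echo INJECTED`';

// 1. Logging: the bytes are written to the file. Nothing is executed,
//    because file_put_contents() does not interpret its argument.
function log_line(string $logfile, string $input): string
{
    $line = date('c') . ' foo=' . $input . "\n";
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

$logfile = tempnam(sys_get_temp_dir(), 'nycphp-');
log_line($logfile, $user_input);
$stored = file_get_contents($logfile);
var_dump(strpos($stored, '`echo INJECTED`') !== false); // bool(true): backticks stored literally

// 2. The backtick operator acts on PHP *source*, not on variable contents.
//    Interpolating the variable into a double-quoted string keeps it a string.
$still_a_string = "value: $user_input";
var_dump($still_a_string === 'value: `echo INJECTED`');  // bool(true)

// 3. Evaluation point #1: eval() turns the string into PHP source, so now
//    the backtick operator really does run the command.
eval('$evaluated = ' . $user_input . ';');
var_dump(trim($evaluated));                               // string(8) "INJECTED"

// 4. Evaluation point #2: building a shell command by concatenation hands
//    the string to /bin/sh, which expands backticks itself.
$unsafe = shell_exec('echo ' . $user_input);
var_dump(trim($unsafe));                                  // string(8) "INJECTED"

// 5. The fix belongs at the evaluation point, not at logging time:
//    escapeshellarg() makes the shell treat the value as one literal word.
$safe = shell_exec('echo ' . escapeshellarg($user_input));
var_dump(trim($safe) === $user_input);                    // bool(true): echoed back verbatim

unlink($logfile);
```

Steps 1 and 2 show the reply's point: the log file and the interpolated string contain the backticks as characters. Steps 3 and 4 show where the same characters become a problem, and step 5 shows the escaping applied there rather than at the log write. The same reasoning extends to whatever later consumes the log: as Michael's quoted remark notes, feeding the file to a shell is an evaluation point, and so is any other reader that interprets the stored bytes rather than displaying them.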
