NYCPHP Meetup

NYPHP.org

[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?

Konstantin Rozinov krozinov at gmail.com
Wed Apr 8 02:39:55 EDT 2009


> it's ok to receive garbage. Just don't send garbage. This leads me
> back to the OP's question of "do I need to validate user input that is
> written to a log file?". The answer is no but you do need to escape
> (or rather remove, truncate or flatten) anything that you don't want
> to end up being read by a program that reads log files like passwords
> and excessively long messages that might fill up the disk or prevent
> someone from viewing the log.
>
> Mike
>

Mike brings up a good point about truncating excessively long
user-inputted strings when logging them.

I'm currently using something like this:

// Truncate over-long user input before it reaches the log file, marking
// the cut with an ellipsis so the reader knows the entry is incomplete.
if (strlen($msg) > ProjectConstants::LOG_MESSAGE_MAX_LENGTH)
{
   $msg = substr($msg, 0, ProjectConstants::LOG_MESSAGE_MAX_LENGTH);
   $msg .= '...';
}

Any suggestions or ideas?

thanks,
Konstantin
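An added example, not Konstantin's code or anything from the thread, of one helper that applies the three measures Mike lists (flatten, remove, truncate) to a message before it is written: the function name, the password-field pattern and the sample input are constructed, and a plain parameter stands in for the poster's ProjectConstants::LOG_MESSAGE_MAX_LENGTH.

```php
<?php
// Added example (not from the original post). Requires the mbstring extension.

function sanitizeForLog(string $msg, int $maxLen = 200): string
{
    // 1. Flatten: collapse CR/LF and other control bytes into one space so a
    //    single user message cannot span or forge extra lines, and cannot
    //    emit terminal control sequences at whoever views the file. Bytes
    //    0x00-0x1F/0x7F never occur inside multibyte UTF-8 sequences, so a
    //    byte-level match is safe here.
    $msg = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $msg) ?? '';

    // 2. Remove: redact values that should never land in a log file, here
    //    anything labelled as a password in query-string style input
    //    (constructed pattern; extend it to the fields your app uses).
    $msg = preg_replace('/(passw(or)?d\s*=\s*)[^&\s]+/i', '$1[REDACTED]', $msg) ?? '';

    // 3. Truncate on a character boundary (mb_substr), not a byte boundary,
    //    so a multibyte UTF-8 character is not left half-written.
    if (mb_strlen($msg, 'UTF-8') > $maxLen) {
        $msg = mb_substr($msg, 0, $maxLen, 'UTF-8') . '...';
    }
    return $msg;
}

// Constructed sample input: embedded line breaks, a password field, and a
// 500-character run that would otherwise bloat the file.
$input = "user=bob\r\nnext line\npassword=hunter2&x=" . str_repeat('A', 500);
$line  = sanitizeForLog($input, 80);
// Result: one line, "password=[REDACTED]", and the run of A's cut to fit.
error_log(date('c') . ' ' . $line);
```

Validation of the field itself (is this a real username?) still belongs in the application; this only makes the entry safe to store and read back.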
