NYCPHP Meetup

[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?

Justin Hileman justin at justinhileman.info
Wed Apr 8 18:09:17 EDT 2009


Konstantin Rozinov wrote:
>> it's ok to receive garbage. Just don't send garbage. This leads me
>> back to the OP's question of "do I need to validate user input that is
>> written to a log file?". The answer is no but you do need to escape
>> (or rather remove, truncate or flatten) anything that you don't want
>> to end up being read by a program that reads log files like passwords
>> and excessively long messages that might fill up the disk or prevent
>> someone from viewing the log.
>>
>> Mike
>>
>
> Mike brings up a good point about truncating excessively long
> user-inputted strings when logging them.
>
> I'm currently using something like this:
>
> if (strlen($msg)>  ProjectConstants::LOG_MESSAGE_MAX_LENGTH)
> {
>     $msg = substr($msg, 0, ProjectConstants::LOG_MESSAGE_MAX_LENGTH);
>     $msg .= '...';
> }
>
> Any suggestions or ideas?
>

I generally use this method for truncating strings (breaks on word 
boundaries): http://tr.im/itax

-- 
justin
http://justinhileman.com



More information about the talk mailing list