Hey guys,

I have a question about logging messages.

Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?

For example, if I have a function called check_username(), which
checks that the username only consists of A-Za-z0-9, is it safe to
have check_username() write to a logfile that it was called on the
particular user-inputted string, like so:

Function definition:
function check_username($username, &$error)
{
  $log_file = '/path/to/app.log'; /* placeholder: set to the real log path */

  /* print out informational message (type 3 appends verbatim, so add the newline). */
  error_log(__FUNCTION__ . '(' . $username . "): called.\n", 3, $log_file);

  /* check the username for correctness: only A-Za-z0-9 allowed. */
  if (!preg_match('/^[A-Za-z0-9]+$/', $username)) {
    $error = 'invalid username';
    return false;
  }
  return true;
}

Function called like so:
check_username($_POST['username'], $error);

Output to logfile:
check_username(user1): called.


Is it possible for an attacker to submit a specific string as the
$username to somehow "escape" out of the error_log() function and have
code executed instead (like calling phpinfo())?



thanks,
Konstantin
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
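An added example (not code from the original post): error_log() with type 3 writes the message bytes to the file verbatim and nothing interprets them as PHP, so the risk of logging a raw $username is not code execution but log forging, where a carriage return or newline inside the value appears as an extra, fake log line. The version below assumes a placeholder log path and the A-Za-z0-9 rule from the question, and scrubs control characters before the value reaches the log.

```php
<?php
// Added example for the question above; not from the original post.
// Assumes $log_file is a path the web server may append to (placeholder below)
// and that a valid username is A-Za-z0-9 only, as described in the question.

// Replace newlines, carriage returns and other control characters so that a
// user-supplied value can never start a new line in the log file, and cap the
// length so a huge submission cannot bloat the log.
function sanitize_for_log(string $value, int $max_len = 64): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '?', $value);
    if (strlen($clean) > $max_len) {
        $clean = substr($clean, 0, $max_len) . '...';
    }
    return $clean;
}

function check_username(string $username, ?string &$error): bool
{
    $log_file = '/tmp/check_username.log'; // placeholder path for the example

    // error_log() type 3 appends the string as-is and adds no newline, so we
    // supply the newline ourselves and log only the sanitized value.
    error_log(__FUNCTION__ . '(' . sanitize_for_log($username) . "): called.\n", 3, $log_file);

    if (!preg_match('/^[A-Za-z0-9]+$/', $username)) {
        $error = 'Username may only contain letters and digits.';
        return false;
    }
    $error = null;
    return true;
}

// Constructed inputs: a valid name, and one carrying a CRLF that would
// otherwise show up in the log as a second, forged "called." entry.
$inputs = ["user1", "user1\r\ncheck_username(admin): called."];
foreach ($inputs as $input) {
    $err = null;
    $ok = check_username($input, $err);
    echo $ok ? "accepted\n" : "rejected: $err\n";
}
```

With the sanitizer in place the second input is written as a single line containing `user1??check_username(admin): called.` and is then rejected by the regex; without it the log would contain two lines, the second indistinguishable from a genuine call for `admin`.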
