phpinfo() pish...

$user_input = "`rm -Rf /`" nuff said. In case it wasn't: backticks are basically the shortcut to get PHP to execute something on the command line. *Always* check incoming user data.

On Sun, Apr 5, 2009 at 8:56 PM, Konstantin Rozinov <[email protected]> wrote:
> Hey guys,
>
> I have a question about logging messages.
>
> Is it safe to log unsanitized, unvalidated user-inputted data into a
> logfile?
>
> For example, if I have a function called check_username(), which
> checks that the username only consists of A-Za-z0-9, is it safe to
> have check_username() write to a logfile that it was called on the
> particular user-inputted string, like so:
>
> Function definition:
> function check_username($username, &$error)
> {
>     .. set $log_file...
>
>     /* print out informational message. */
>     error_log(__FUNCTION__ . '(' . $username . '): called.', 3, $log_file);
>
>     ..check the username for correctness..
> }
>
> Function called like so:
> check_username($_POST['username'], $error);
>
> Output to logfile:
> check_username(user1): called.
>
>
> Is it possible for an attacker to submit a specific string as the
> $username to somehow "escape" out of the error_log() function and have
> code executed instead (like calling phpinfo())?
>
>
>
> thanks,
> Konstantin
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show_participation.php
>
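An added example, not part of either message in this thread, showing what actually happens when the strings discussed above reach error_log(). The inputs, the log path and the log_safe() helper are constructed for illustration; check_username() is modelled on the sketch in the quoted question. It demonstrates two things: backticks and other shell/PHP syntax inside a string variable are inert data as far as error_log() is concerned (the backtick operator only runs a command when it appears in PHP source), but an embedded newline lets a request forge a second, fake log entry, which is the caveat a logging function like this one needs to handle.

```php
<?php
// Added example (not from the thread): what error_log() does with hostile
// input, and the one thing it does NOT protect against.

// Constructed inputs, as an attacker might POST them.
$inputs = [
    'user1',
    '`id`',                                    // backticks: inert inside a string value
    '$(id); phpinfo()',                        // more shell/PHP syntax, also inert
    "user1\ncheck_username(admin): called.",   // newline: forges a second log entry
];

// Hypothetical log path, playing the role of $log_file in the question.
$log_file = sys_get_temp_dir() . '/check_username.log';
@unlink($log_file);

// Naive version, as sketched in the question. error_log() treats the
// message purely as data, so no string value can "escape" into PHP or
// the shell; message type 3 appends to $log_file without a newline.
function check_username_naive($username, &$error, $log_file)
{
    error_log(__FUNCTION__ . '(' . $username . '): called.' . PHP_EOL, 3, $log_file);
    $ok = (bool) preg_match('/^[A-Za-z0-9]+$/', $username);
    $error = $ok ? null : 'username must be A-Za-z0-9';
    return $ok;
}

// Illustrative sanitiser (not from the thread): escape CR, LF and every
// other control byte so one request can only ever produce one log line.
function log_safe($s)
{
    return preg_replace_callback('/[\x00-\x1F\x7F]/', function ($m) {
        return sprintf('\\x%02X', ord($m[0]));
    }, $s);
}

// Hardened version: same validation, but the logged copy of the input is
// neutralised first.
function check_username($username, &$error, $log_file)
{
    error_log(__FUNCTION__ . '(' . log_safe($username) . '): called.' . PHP_EOL, 3, $log_file);
    $ok = (bool) preg_match('/^[A-Za-z0-9]+$/', $username);
    $error = $ok ? null : 'username must be A-Za-z0-9';
    return $ok;
}

foreach ($inputs as $in) {
    check_username_naive($in, $e, $log_file);
}
echo "--- naive log (backticks stayed literal; note the forged 'admin' line) ---\n";
echo file_get_contents($log_file);

@unlink($log_file);
foreach ($inputs as $in) {
    check_username($in, $e, $log_file);
}
echo "--- hardened log (one line per call) ---\n";
echo file_get_contents($log_file);

// Where backticks DO matter: only when user data is spliced into PHP source
// or a shell command line, e.g. eval("\$x = \"$in\";") or system("id $in").
// Neither happens inside error_log(), so validate before those calls, not
// before logging.
```

Run it with `php example.php`. The naive log contains the literal text `` `id` `` and `$(id); phpinfo()` with nothing executed, but the fourth call produces two lines, the second of which looks exactly like a legitimate `check_username(admin): called.` entry. The hardened log shows that line as `user1\x0Acheck_username(admin): called.` on a single line. Anything that later reads the log (a web-based log viewer, a parser that splits on newlines) is the place where unescaped input becomes a problem, which is a separate risk from error_log() itself.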
