NYCPHP Meetup

[Konstantin Rozinov]

Hey guys,

I have a question about logging messages.

Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?

For example, if I have a function called check_username(), which
checks that the username only consists of A-Za-z0-9, is it safe to
have check_username() write to a logfile that it was called on the
particaular user-inputted string, like so:

Function definition:
function check_username($username, &$error)
{
  .. set $log_file...

  /* print out informational message. */
  error_log(__FUNCTION__ . '(' . $username . '): called.', 3, $log_file);

  ..check the username for correctness..
}

Function called like so:
check_username('$_POST['username'], $error);

Output to logfile:
check_username(user1): called.


Is it possible for an attacker to submit  a specific string as the
$username to somehow "escape" out of the error_log() function and have
code executed instead (like calling phpinfo())?



thanks,
Konstantin