NYCPHP Meetup

NYPHP.org

[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?

Paul A Houle paul at devonianfarm.com
Sun Apr 5 21:42:28 EDT 2009


Konstantin Rozinov wrote:
> Hey guys,
>
> I have a question about logging messages.
>
> Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?
>   
    It all depends on how paranoid you are.

    Strange text can be toxic to any of the software that processes your 
logfiles.  For instance,  there are some character sequences that can 
cause some terminal programs to capture some characters from the screen 
and send them back to the command line.  Any software that looks at your 
log files can potentially have buffer overflows that could be triggered 
by them.




More information about the talk mailing list