[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?
Justin Hileman
justin at justinhileman.info
Mon Apr 6 03:47:55 EDT 2009
Brian Williams wrote:
>
>
> On Sun, Apr 5, 2009 at 11:17 PM, Michael B Allen <ioplex at gmail.com> wrote:
>
> On Sun, Apr 5, 2009 at 9:06 PM, Brian Williams <brianw1975 at gmail.com> wrote:
> > phpinfo() pish...
> >
> >
> > $user_input = "`rm -Rf /`";
> >
> > nuff said.
> >
> > in case it wasn't - backticks are basically the short cut to get
> PHP to
> > execute something on the command line.
>
> I don't understand how this has any impact on the OP's code. The
> backticks would simply be written to the log file. If you are careless
> enough to try to execute a log file as a shell script then you might
> as well erase your disk.
>
>
> and if the text isn't passed with double quotes?
>
The text isn't ever passed with double quotes. It's passed as a string.
Double quotes are just a mechanism used *inside a PHP file* to clump a
bunch of characters into a string. The real contents of the variable are
what's between the double quotes. That's why the following are all
equivalent:
$bar = 'test';
$foo = "test";
$baz = <<<EOT
test
EOT;
$qux = <<<'EOT'
test
EOT;
Since user input comes from GET, POST or FILES, it will *always* be a
string. For example, if a user visits the following url:
http://example.com/index.php?foo=test
the user input $_GET['foo'] is strictly equal to all four of those
strings above:
assert($_GET['foo'] === 'test');
assert($_GET['foo'] === <<<EOT
test
EOT
);
etc.
The contents of that GET variable (or a POST variable, or the contents
of a file) is a string. A string will never hurt you unless you evaluate
it as code--either through a call to eval(), or a DB query (yep, that's
evaluating a string), or some other way.
For everything outside of those uses, worrying about sanitizing things
inside a string is about as useful as worrying about PHP function names
and keywords inside a string. Can you imagine how much of a pain it
would be to escape every instance of 'die' or 'exit' or 'print' from PHP
strings?
--
justin
http://justinhileman.com
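A worked illustration of the point above, added here and not part of the thread: a small PHP logger writes the backtick string from Brian's message to a file and reads it back, showing the backticks land as literal characters and are never executed, and it escapes control characters so one request cannot forge a second log line. The function name, the temp-file path and the sample inputs are my own assumptions.

```php
<?php
// Added example, not from the mailing-list thread. Writes user input to a log
// file the way the OP asked about, then reads it back to show the string is
// stored as plain bytes and never evaluated. The one thing worth normalising
// before logging is control characters (CR, LF, ...), so a single request
// cannot produce what looks like two log entries.

function log_request(string $logfile, string $userInput): void
{
    // Replace CR, LF and other C0 control bytes with a visible \xNN escape so
    // the entry stays on one line and the original bytes remain recoverable.
    $safe = preg_replace_callback('/[\x00-\x1F\x7F]/', function (array $m): string {
        return sprintf('\\x%02X', ord($m[0]));
    }, $userInput);

    // The logger itself supplies the only record separator (the trailing \n).
    $line = sprintf("%s %s\n", date('c'), $safe);
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
}

// Constructed sample values standing in for $_GET['foo']: the backtick string
// from the thread, and one containing a newline that tries to look like a
// second, forged log entry.
$samples = [
    "`rm -Rf /`",
    "ok\n2009-04-06T03:47:55 admin login succeeded",
];

$logfile = sys_get_temp_dir() . '/nycphp-example.log'; // assumed path
@unlink($logfile);

foreach ($samples as $input) {
    log_request($logfile, $input);
}

$lines = file($logfile, FILE_IGNORE_NEW_LINES);
assert(count($lines) === 2);                       // still one line per request
assert(strpos($lines[0], '`rm -Rf /`') !== false); // backticks are plain text
assert(strpos($lines[1], '\\x0A') !== false);      // the injected newline was escaped
echo implode(PHP_EOL, $lines), PHP_EOL;
```

Run it with `zend.assertions=1` (e.g. `php -d zend.assertions=1 example.php`) so the asserts are actually evaluated.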