Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I wonder if I have a code injection vulnerability below, in the fwrite ?
foreach($_POST as $key=>$val) {
fwrite($fh, "\nPOST variable named " . $key . " has the value " . $val);
}
Should I sanitize the values somehow prior to writing them in the log file ?
UPDATE. fh is a log file handler
There is no vulnerability as long as the logfile is treated by its consumers as plain text (which it should always be).
If you decide to output the unprocessed contents of the logfile as part of some HTML, then it would be a real vulnerability (probably of not very severe practical impact, but still). But the issue would be with the “other” code that displays text inside HTML without calling
htmlspecialchars, not with this code here that simply writes the log.