
I have POST input that I am performing some MySQL queries with.

I am sanitizing that POST thoroughly before using it with my database queries... no problem there.

Now I think I want to start logging in a text file exactly what my users are putting in that input field... just to get a better feel for what users are looking for. I am just writing to a txt file... got that covered, no issues.

My question is... can I safely use the raw (pre-sanitized) POST data as the string that I am writing to that text file? I would also like to see if there is any funny business being posted there to test my site defenses... injection attempts, etc. I assume this is fine as I am just writing to a text file... or am I completely wrong and this is a bad practice?

This won't be an indefinite data gathering on my input field, just for a bit to see what customers are looking for.

  • The question is: How are you reading that txt file? If it is not undergoing any parsing/etc., it should be safe to store raw inputs there. – kero Oct 10 '14 at 18:32
  • You would probably want to addslashes to fix issues with newlines. If each line of your log was its own entry, a newline submitted would break that. Or just serialize the $_POST array. – Jonathan Kuhn Oct 10 '14 at 18:33
  • I am just using fopen to write/append to the txt. When we actually look at it, we will just be looking at the actual txt in a browser... no opening/reading it with PHP. – Fred Turner Oct 10 '14 at 18:35
  • Sanitization depends on HOW you're using the data. Writing to a text file is utterly harmless - there's no way anything embedded in the text could "break out" of the write operation and somehow cause your system to change how it operates. What WILL matter is how you use that after you READ it back in again. – Marc B Oct 10 '14 at 18:37
  • If you intend to view it in a browser, you must escape it on output for certain (`htmlspecialchars()`), but it isn't necessary to escape it before saving. – Michael Berkowski Oct 10 '14 at 18:37
  • Maybe I will throw in the htmlspecialchars before writing just to be on the safe side... for when we look at it. It is mainly just to see where we need to focus for product development, and also would add to our security if we see certain code in there. – Fred Turner Oct 10 '14 at 18:50
  • "just to be on the safe side" --- it's not safe in any way, it's a "pointless side" actually. – zerkms Oct 10 '14 at 21:56
  • Possible duplicate of [Can input written to a file be maliciously tampered?](http://stackoverflow.com/questions/14555392/can-input-written-to-a-file-be-maliciously-tampered) – SilverlightFox Oct 13 '14 at 09:49
  • Yes :-) Just a little advice: save that file outside the webroot, so nobody can read it via the web. – drmad Oct 10 '14 at 22:04
  • BTW, I mean 'Yes' to your question "can I safely use the raw (pre-sanitized) POST data as my string that I am writing to that text file?" :-P The title has the inverse question :-D – drmad Oct 10 '14 at 23:26
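The comments above converge on three points: the raw value is harmless while it is only being written, newlines in the input can split one log entry into two, and escaping belongs at the point where the file is displayed in a browser. The following is an added example that is not from the question or any commenter; it assumes a log path outside the document root (`/var/log/myapp/search-input.log`) and a POST field named `q`.

```php
<?php
// Added example, not the asker's code. The log path is an assumption:
// it sits outside the webroot so the file is never served directly.
declare(strict_types=1);

const SEARCH_LOG = '/var/log/myapp/search-input.log';

/**
 * Append the raw (pre-sanitized) POST field as one JSON object per line.
 * json_encode() escapes "\n" and other control characters, so a submitted
 * newline cannot break the one-entry-per-line layout the commenters warn about.
 */
function logSearchInput(string $logPath, array $post, string $field = 'q'): bool
{
    if (!array_key_exists($field, $post)) {
        return false;
    }
    $record = [
        'ts'    => date(DATE_ATOM),
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'input' => (string) $post[$field],   // stored raw, nothing stripped
    ];
    $line = json_encode($record, JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE);
    if ($line === false) {
        return false;
    }
    // LOCK_EX stops concurrent requests from interleaving partial lines.
    return file_put_contents($logPath, $line . PHP_EOL, FILE_APPEND | LOCK_EX) !== false;
}

/**
 * Render the log for review in a browser. Escaping happens here, on output,
 * so a logged "<script>" string is displayed as text rather than executed.
 */
function renderSearchLog(string $logPath): string
{
    $rows = '';
    $lines = file($logPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec)) {
            continue; // skip a corrupt line instead of failing the whole view
        }
        $rows .= '<tr><td>' . htmlspecialchars((string) ($rec['ts'] ?? ''), ENT_QUOTES, 'UTF-8')
               . '</td><td>' . htmlspecialchars((string) ($rec['input'] ?? ''), ENT_QUOTES, 'UTF-8')
               . '</td></tr>' . PHP_EOL;
    }
    return "<table>\n" . $rows . "</table>\n";
}

// In the POST handler, alongside (not instead of) the database sanitization:
// logSearchInput(SEARCH_LOG, $_POST);
```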

0 Answers