Can malicious file entry be written to a file?

A very simple example to illustrate the point:

<?php
// Raw user input is appended to the log with no sanitisation at all.
$message = $_POST['message'];

$fp = fopen("log.txt", "a");
fwrite($fp, $message);

fclose($fp);

Should I sanitise user input for the variable $_POST['message']?

I understand prepared statements (for sanitising input to the database) and htmlentities (if I displayed the POSTed message at some point), but in this case the input only goes into the log file, which will be read by a small PHP script (via fopen()).

Does the answer depend on how it will be read? For example, if I open the log file through fopen(), should it be htmlentities, and if I plan to download the log file and read it in Excel (for filtering purposes), is there anything to be done?

+5
6

. "" , .

"" - . , , , . , $_POST SQL-, HTML - XSS. , , MIME, , . , - Kiddy , " " , .

, ( ), . , PHP . , , , , script. - . , ( , , "log.txt", - ).

... ? -

include('log.txt');

- "" , . , , - <?php exec('rm -rf /') ?> .

- , PHP magic_quotes. PHP (WRONGLY STUPIDLY) , , , SQL SQL , . , , escape-. , , MySQL, , , , SQL Server? PHP Miles O\'Brien Miles O''Brien, UNDO , PHP .

TL; DR: , / . , .

+5

, , . "Sanitizing" , . , .

/ PHP, fopen(). , . :

  • -, , , .
  • -, , (, IMG-).
  • Excel , . -, , Excel . ( , Excel .)
+3

.

- , . , , , , .

. , message 100 , , , script, POST, , POST , 100 .

- " ", , , , - " - " . .

, , ( , script). , , message , . , , , , , , . , , , , , -, , . , http://www.example.com/log.txt, , , XSS, HTML. Internet Explorer MIME, text/plain (. ). , , , .

: script, log.txt. . , , raw message. , , . script -, , . , :

  • : - --- POST --- > get_message.php --- > , message --- fwrite()log.txt

  • : log.txt --- fopen() --- > process.php --- > --- > - ? .

, , ( , message .)

+1

. , , - , - , , .

. , .

0
  • - , , , . ( ) .htaccess.
  • . . , . , , . : , / "" .
  • () , :

    $logtext = sanitizeLog($_POST['message']);   // sanitizeLog() is the answerer's own helper, not a PHP built-in
    $fd = fopen("/path/to/log.txt", "a");
    if (flock($fd, LOCK_EX)) {                    // exclusive lock so concurrent requests do not interleave writes
        fseek($fd, 0, SEEK_END);
        fwrite($fd, $logtext);
        flock($fd, LOCK_UN);
    }
    fclose($fd);

fopen()...

0

PHP fwrite(), : fwrite() , .

, . :

Suppose an attacker sent a multi-line string as the message. If your log looked like this before the message:

line 1
line 2

then after the message it looks like this:

line 1
line 2
line 3
remainder of line 3
very remainder of line 3

because the attacker sent this message:

line 3\nremainder of line 3\nvery remainder of line 3

Note: a single message was sent, yet three lines were added.

As said above: how the submitted data needs to be sanitised depends entirely on your application.

0
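One way to neutralise the newline injection shown in the answer above, as an added example that is not part of any of the posted answers: control characters (including CR and LF) are encoded before the record is appended, so a single submitted message always produces exactly one log line. The sanitizeLogLine() and appendLogLine() helpers and the temporary file path are assumptions for the demo.

```php
<?php
// Added example (not from the original answers): write-time neutralisation
// of log injection. Each submitted message becomes exactly one log record.

function sanitizeLogLine(string $message, int $maxLen = 1000): string
{
    // Truncate first so an oversized message cannot bloat the log file.
    $message = substr($message, 0, $maxLen);
    // Replace CR, LF and every other ASCII control character with a visible
    // \xNN escape, so the record stays on one line and cannot forge entries.
    return preg_replace_callback('/[\x00-\x1F\x7F]/', function (array $m): string {
        return '\\x' . strtoupper(bin2hex($m[0]));
    }, $message);
}

function appendLogLine(string $path, string $line): bool
{
    $fd = fopen($path, 'a');
    if ($fd === false) {
        return false;
    }
    // Exclusive lock so concurrent requests do not interleave partial writes.
    if (!flock($fd, LOCK_EX)) {
        fclose($fd);
        return false;
    }
    $ok = fwrite($fd, $line . PHP_EOL) !== false;
    flock($fd, LOCK_UN);
    fclose($fd);
    return $ok;
}

// Constructed sample input: the multi-line message from the answer above.
$attackerMessage = "line 3\nremainder of line 3\nvery remainder of line 3";
// Assumed location for the demo: a fresh temporary file instead of log.txt.
$logFile = tempnam(sys_get_temp_dir(), 'log');

appendLogLine($logFile, sanitizeLogLine("line 1"));
appendLogLine($logFile, sanitizeLogLine("line 2"));
appendLogLine($logFile, sanitizeLogLine($attackerMessage));

// Read the log back record by record: the forged "lines" never become
// separate entries because their newlines were encoded at write time.
foreach (file($logFile, FILE_IGNORE_NEW_LINES) as $n => $record) {
    echo ($n + 1), ': ', $record, PHP_EOL;
}
unlink($logFile);
```

Escaping for the eventual consumer (htmlspecialchars when rendering in a browser, CSV quoting when the file is opened in Excel) is a separate, read-time step; this write-time step only guarantees the one-message-one-line structure of the file.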
