Can input written to a file be maliciously tampered?

Backend · unresolved · 6 replies · 1517 views
野趣味 · 2021-01-12 23:42

Uber simple example to illustrate the point:

<?php
// Appends whatever the client sent straight to the log, with no sanitizing:
// a "\n" inside $message starts a new, attacker-controlled record.
$message = $_POST['message'];

$fp = fopen("log.txt", "a");
fwrite($fp, $message);

fclose($fp);
6 replies
  •  野趣味 (original poster) · 2021-01-12 23:58

    I would sanitize it. When it comes to logs, just make sure you put it into reserved space. For instance, if the log is one record per line, strip the newlines and other stuff from the user's input so he cannot fool you.

    Take a look at the attack named Log Injection.

    Also be very careful when it comes to displaying the log file. Make sure no output can harm your reader.
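
The two points in that reply (keep each record on its own line, and escape when displaying), as an added example that is not part of the original question or reply. The payload, the file path and the helper names are constructed for illustration; it assumes PHP with the mbstring extension.

```php
<?php
// Added example, not code from the original post.

// Constructed attacker input: the CRLF lets a naive logger write a second,
// forged record that looks like a successful admin login.
$payload = "hello\r\n2021-01-12 23:59 admin login success from 10.0.0.1";

// Keep one record per line: drop every ASCII control character
// (0x00-0x1F and 0x7F), which covers CR, LF, NUL and terminal escapes,
// then cap the length so one request cannot fill the disk.
function sanitize_log_field(string $value, int $maxLen = 512): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return mb_substr($clean, 0, $maxLen);   // assumes mbstring is loaded
}

// Append a timestamped record; the lock keeps concurrent writers from
// interleaving partial lines.
function write_log_record(string $path, string $field): void
{
    $line = date('Y-m-d H:i:s') . ' ' . sanitize_log_field($field) . PHP_EOL;
    file_put_contents($path, $line, FILE_APPEND | LOCK_EX);
}

// Display: encode every line as HTML so a stored "<script>" or attribute
// breakout is rendered as text, not executed in the reader's browser.
function render_log_html(string $path): string
{
    $out = '';
    foreach ((file($path, FILE_IGNORE_NEW_LINES) ?: []) as $line) {
        $out .= htmlspecialchars($line, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "<br>\n";
    }
    return $out;
}

$log = sys_get_temp_dir() . '/log_injection_demo.txt';
@unlink($log);

// Naive write, as in the question: two records end up in the file.
file_put_contents($log, $payload . PHP_EOL, FILE_APPEND);
echo "naive:     ", count(file($log)), " line(s)\n";   // 2

// Sanitized write: the same payload stays inside one record.
@unlink($log);
write_log_record($log, $payload);
echo "sanitized: ", count(file($log)), " line(s)\n";   // 1

write_log_record($log, '<script>alert(1)</script>');
echo render_log_html($log);
```

Stripping control characters is the simplest fit for a one-record-per-line text log. If the log may legitimately need to keep a multi-line message, the alternative is a structured format such as one `json_encode()` object per line, which escapes `\r` and `\n` inside the value so the line boundary still marks the record boundary; the display-side encoding is needed either way.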
