I wonder if I have a code injection vulnerability below, in the fwrite?
```php
foreach ($_POST as $key => $val) {
    fwrite($fh, "\nPOST variable named " . $key . " has the value " . $val);
}
```
Should I sanitize the values somehow prior to writing them in the log file?
UPDATE: $fh is a log file handler.
There is no vulnerability as long as the logfile is treated by its consumers as plain text (which it should always be).
If you decide to output the unprocessed contents of the logfile as part of some HTML, then it would be a real vulnerability (probably of not very severe practical impact, but still). But the issue would be with the "other" code that displays text inside HTML without calling htmlspecialchars, not with this code here that simply writes the log.