Just wondering if .txt files could 'become harmful' if I didn't escape user input.
My website has a 'logger' that is updated each time a user posts a message, and I was thinking that I could just do something like this without sanitizing or escaping the input. What do you think?
<?php
// Appends the raw POST body to the log file with no sanitizing or escaping
if (isset($_POST['message'])) {
    file_put_contents('logger.txt', $_POST['message'], FILE_APPEND);
}
Joe Clark
Full-stack developer specializing in healthcare IT
Depends on how you intend to use logger.txt. Imagine if, down the road, you decide to display the contents of logger.txt in a web browser window, and someone put in some malicious JavaScript stuff. At first, it's totally inert, just sitting there in the file, but later on, it could cause issues that you don't foresee now. Or, if you decide to suck the contents into a database, and someone puts in SQL code, that is essentially the same as SQL injection. Totally inert while it's in the file, but used otherwise, could be damaging. Just depends on how you intend to use it. Personally, I would sanitize it, but that's just me.
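An added example (not from either poster) that walks through the two uses Joe describes: the same raw lines are appended to logger.txt exactly as in the question, then rendered for a browser with output encoding and loaded into a database with a prepared statement, so the stored text stays data at both points of use. It assumes PHP 8 with the pdo_sqlite extension and uses constructed sample messages.

```php
<?php
// Added example, not code from the original thread. Text that is inert in
// logger.txt becomes active only where it is used, so escape or parameterize
// there. Assumes PHP 8 with the pdo_sqlite extension available.

// Constructed sample messages standing in for user posts.
$lines = [
    "hello world",
    "<script>alert(1)</script>",
    "'); DROP TABLE logs; --",
];

// 1. Append to the file as in the question: raw text, harmless on disk.
$logFile = sys_get_temp_dir() . '/logger.txt';
file_put_contents($logFile, '', LOCK_EX); // start from an empty log for the demo
foreach ($lines as $message) {
    file_put_contents($logFile, $message . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// 2. Show the log in a browser: encode at output so a stored <script> tag is
//    displayed as text instead of being executed by the page.
function renderLogAsHtml(string $path): string
{
    $html = "<pre>\n";
    foreach (file($path, FILE_IGNORE_NEW_LINES) as $line) {
        $html .= htmlspecialchars($line, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";
    }
    return $html . "</pre>\n";
}

// 3. Load the log into a database: the prepared statement binds each line as a
//    value, so the quote-and-DROP line is stored as a string, never run as SQL.
function importLogIntoDb(string $path, PDO $db): int
{
    $db->exec('CREATE TABLE IF NOT EXISTS logs (id INTEGER PRIMARY KEY, message TEXT)');
    $stmt = $db->prepare('INSERT INTO logs (message) VALUES (:m)');
    foreach (file($path, FILE_IGNORE_NEW_LINES) as $line) {
        $stmt->execute([':m' => $line]);
    }
    return (int) $db->query('SELECT COUNT(*) FROM logs')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

echo renderLogAsHtml($logFile);
echo importLogIntoDb($logFile, $db), " rows stored; the logs table still exists\n";
```

The file write itself is left unchanged from the question; the protection lives in renderLogAsHtml() and importLogIntoDb(), which is where the log content actually meets an interpreter.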