Uber simple example to illustrate the point:
<?php
// Deliberately unsanitized: the POST value is appended to the log verbatim.
$message = $_POST['message'];
$fp = fopen("log.txt", "a");
fwrite($fp, $message);
fclose($fp);
Regarding PHP's fwrite() function, there's no need to sanitize: fwrite() just writes whatever it gets passed to the file.
Regarding the log-file, you might wish to sanitize. Here is why:
Suppose an attacker posts a multi-line value as the message. If your log was, before the post,
line 1
line 2
then it is after the post
line 1
line 2
line 3
remainder of line 3
very remainder of line 3
because attacker posted this:
line 3\nremainder of line 3\nvery remainder of line 3
Note: posted once, but 3 lines added.
That said, how posted data needs to be sanitized fully depends on your application.
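As an added example (not part of the original answer), the following PHP script reproduces the three-line injection described above and then shows one way to neutralize it: escaping CR, LF and other control characters so a single POST value can only ever occupy a single log line. The helper names, the temporary log file and the attacker string are all constructed for this illustration.

```php
<?php
// Added example, not from the original answer. Demonstrates the log-injection
// problem with raw fwrite() and a line-preserving sanitizer.

/**
 * Encode a log message so it can only occupy one line: CR, LF and every
 * other ASCII control character become a visible \xHH escape, and a literal
 * backslash is doubled so the encoding stays unambiguous (hypothetical helper).
 */
function sanitize_log_message(string $message): string
{
    return preg_replace_callback(
        '/[\\\\\x00-\x1F\x7F]/',
        function (array $m): string {
            return $m[0] === '\\' ? '\\\\' : sprintf('\\x%02X', ord($m[0]));
        },
        $message
    );
}

/** Append exactly one line to the log; returns the number of bytes written. */
function append_log_entry(string $logFile, string $message): int
{
    $fp = fopen($logFile, 'a');
    if ($fp === false) {
        throw new RuntimeException("cannot open $logFile");
    }
    $bytes = fwrite($fp, sanitize_log_message($message) . PHP_EOL);
    fclose($fp);
    return $bytes;
}

/** Number of lines currently in the log file. */
function count_log_lines(string $logFile): int
{
    return count(file($logFile));
}

// Constructed attacker input: one POST value carrying two embedded newlines.
$attackerMessage = "line 3\nremainder of line 3\nvery remainder of line 3";

$logFile = tempnam(sys_get_temp_dir(), 'log');
file_put_contents($logFile, "line 1\nline 2\n");

// Raw append, as in the original snippet: the single post adds three lines.
file_put_contents($logFile, $attackerMessage . "\n", FILE_APPEND);
echo 'lines after raw write: ' . count_log_lines($logFile) . PHP_EOL;

// Sanitized append: the same post adds exactly one line, newlines shown as \x0A.
append_log_entry($logFile, $attackerMessage);
echo 'lines after sanitized write: ' . count_log_lines($logFile) . PHP_EOL;
$lines = file($logFile);
echo 'last line: ' . end($lines);

unlink($logFile);
```

Escaping rather than stripping keeps the evidence of the injection attempt in the log while still guaranteeing one entry per line, which is what log parsers and incident responders rely on.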