Error Logging & Security

This is the first time that I’ve tried accessing files on a disk from PHP and I’m worried that I might be introducing a security hole.

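// Open the log in append mode (error_log() below does not use this handle)
$handle = fopen("C:\\path\\to\\logfile\\database_errors.log", 'a');
// Message type 3 appends $error_message to the given file
error_log($error_message, 3, "C:\\path\\to\\logfile\\database_errors.log");
fclose($handle);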

The idea is that any database errors for an app are logged to that app’s own log file. The opening and closing of the file would possibly be handled eventually by another class.

What kind of security holes come to mind?

Possible injection of PHP code? JS? SQL?

If you have created a class to handle your errors for you, then anything within the log file should be OK to pass into another log file because, well, you created it.

You can take an extra step by using a function like sprintf() or something like that to treat everything as a string.

Just make sure the database_errors.log file is in an unreadable location…
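
The concerns raised in this thread (injected content in the log and where the file lives), shown as an added example that is not code from any poster: database error text can contain user-supplied values, so the message is reduced to a single escaped line before it is appended, and it is HTML-escaped only at the point where a log line is displayed in a browser. The function names, the length limit and the demo file name are assumptions made for this illustration.

```php
<?php
// Added example. Function names, $maxLen and the demo path are hypothetical.

/** Reduce an untrusted message to exactly one printable log line. */
function sanitize_log_message(string $message, int $maxLen = 2000): string
{
    // Escape the backslash first so the escapes added below stay unambiguous.
    $message = str_replace('\\', '\\\\', $message);
    // A raw CR or LF would let attacker-controlled text start a forged entry.
    $message = str_replace(["\r", "\n"], ['\\r', '\\n'], $message);
    // Encode any remaining control bytes (NUL, ESC, DEL, ...) as \xNN.
    $message = preg_replace_callback(
        '/[\x00-\x1F\x7F]/',
        fn(array $m): string => sprintf('\\x%02X', ord($m[0])),
        $message
    );
    // Cap the length so one error cannot bloat the log file.
    return substr($message, 0, $maxLen);
}

/** Append one timestamped entry; error_log() type 3 opens and appends itself. */
function log_db_error(string $message, string $file): bool
{
    $line = sprintf("[%s] %s\n", date('c'), sanitize_log_message($message));
    return error_log($line, 3, $file);
}

// Constructed sample: an error message carrying a newline and markup.
$sample = "Unknown column 'x' in 'field list'\n"
        . "[2024-01-01T00:00:00+00:00] forged entry <script>...</script>";

// Demo target in the temp directory; in an application this would be a
// directory outside the web root that only the PHP process can write to.
$logFile = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'database_errors_demo.log';

if (log_db_error($sample, $logFile)) {
    $lines = file($logFile, FILE_IGNORE_NEW_LINES);
    $last  = end($lines);
    // The sample is stored as one entry, with the newline kept as literal "\n".
    echo $last, PHP_EOL;
    // Escape for HTML only when a log line is rendered in a browser.
    echo htmlspecialchars($last, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```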