Audit required: Insecure use of logger PHP-A1011

Logging user-provided values directly can put application vulnerable to multiple attack vectors. Superglobal variables contains values specified by the user, which are considered as tainted and untrusted. Therefore, it is discouraged to pass these variables directly to the logger.

Bad practice

error_log($_POST);

Recommended

error_log('Message: ' . $_POST['message']);

References

• OWASP Top 10:2021 > A09 - Security Logging and Monitoring Failures
• OWASP Top 10:2017 > A10 - Insufficient Logging & Monitoring
• CWE-117: Improper Output Neutralization for Logs
• CWE-532: Insertion of Sensitive Information into Log File