Geek Answers Handbook

Is writing to the database safer than file logging for my PHP web application?

I would like to log errors / informational and warning messages from my web application to the log. At first I thought about registering all these files in a text file.

However, my PHP web application will need write access to the log files, and the folder where this log file is located may also need write access if you want to copy a log file that is not in my web application. An alternative is that I am logging messages in a MySQL database, as my web application already uses the MySQL database for all of its data warehouse needs.

However, it seemed to me that the transition with the MySQL option is much better than the file parameter, since I already have a configuration file with database access information protected using file system permissions. If I go now with the log file option, I need to change the permissions of the files and folders, and this will make my application less secure and defeat the whole purpose of registration.

Updated: Another advantage that I see with the db option is that there is no need to re-open the db connection for each of my webpage using persistent db connections, which is not possible when registering files. In the case of registering files, I will need to open, write to the log file and close the file for each page.

It is right? I am using XAMPP for development and new to LAMP. Please let me know your registration guidelines. Thanks.

Update: I am more inclined to log using log4php to a text file in a separate folder on my web server and provide write access for my Apache account to this folder.

+6
security php mysql logging xampp
source share
5 answers

What to do if your database is not available, where will you register it?

Log files are usually written to text files. One of the good reasons is that after properly configured, this method almost never fails (although you can always run into disk space or permissions may change for you ...).

There are many good registration frameworks that provide easy and powerful logging. I'm not very good at what is available specifically for PHP (maybe someone can comment), but log4j is very often used in the Java world.

+1
source share

Writing to a file can be a security risk. For example, consider LFI Exploit . If an attacker can affect your log files and add php code, for example <?php eval($_GET[e]);?> , Then he can execute this php code using the LFI attack. Here is an example:

Vulnerable Code:

include("/var/www/includes/".$_GET['file']);

What if you accessed this page as follows:

http://localhost/lfi_vuln.php?file=../logs/file.log&e=phpinfo();

In general, I will keep this error information in the database whenever possible. However, to remove this attack you will need <> , which htmlspecialchars() will solve. Even if you protect yourself from LFI attacks, you should have a โ€œdefense in depthโ€ approach, perhaps the code that you did not write is vulnerable, for example, the library that you use.

(PS XAMPP is really bad in terms of security, there is no automatic update, and project developers release patches very slowly for very serious vulnerabilities.)

+2
source share

In addition to providing the correct permissions, it is recommended that you store your log files outside the root site, i.e. if your web root is /accounts/iama/public_html , save the logs to /accounts/iama/logs

0
source share

Log files, in my experience, are always best stored in text format. Thus, they are always read in any situation (for example, via SSH or on the local terminal) and are always writable.

The second problem is security - read the file permissions on the Linux system and give the directory minimal permissions for PHP to write to it, and anyone who needs read access gets it. You can even have file system level encryption.

If you need to do your best, you could clean the log files daily with an encrypted copy sent to another location via SSL, but I feel this might be redundant;)

If you mind, I ask what makes these log files so security-critical?

0
source share

You seem to be asking a couple of different questions:

Which is safer? :

Writing to the database is no more secure than writing to a file and vice versa.

You must start the PHP server / web server using a user who does not have the right to do anything other than start the server and write to its log files, so adding an entry to the log file in the application should not compromise security in any way. See http: //www.linux.com/archive/feature/113744 for more information.

What's better? :

There is no single correct answer, it depends on what you want to do with your magazines.

What do you want to do with the log files? Do you want to transfer them to another application? If so, then placing them in the database can be a way. Do you want to archive them? Well, it would be better to drop them into a file.

Notes

If you use a logging infrastructure such as Log4PHP, http://logging.apache.org/log4php/index.html , you can easily enter the database and the log file (this is probably not what you should do, but there may be a case), or you can switch between the two storage systems without much hassle.

Edit: This section may be a duplicate. Register the file through PHP or enter the MySQL database - which is faster?

0
source share

More articles:


All Articles