Php Sensitive Information Stored In Log
Description
Detects when sensitive user-supplied data (such as passwords, tokens, or personal identifiers) flows into PHP's error_log() function without sanitization. Logging sensitive information exposes it in log files, which may be accessible to unauthorized parties or included in log aggregation systems.
Detection Strategy
• Identifies calls to PHP's error_log() function
• Checks that the second argument (message type) is 0 or absent, meaning output goes to the PHP error log
• Inspects the first argument for symbols or element accesses that carry a dangerous smell (e.g., password, token, secret)
• Traces those symbols back to their definition to verify they originate from user-controlled HTTP input
• Reports a vulnerability when sensitive user input reaches error_log() unsanitized
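As an added illustration of the detection strategy above (constructed here, not Fluid Attacks' own analyzer), the following Python script taints variables assigned from HTTP superglobals, then flags error_log() calls whose message type is 0 or absent and whose first argument names a sensitive-looking variable or element access. The regexes, the SENSITIVE word list and the SAMPLE_PHP input are assumptions; a production rule would work on an AST rather than per-line regexes.

```python
import re
# Constructed, simplified model of the detection strategy above; not Fluid Attacks' analyzer.
SENSITIVE = ("password", "passwd", "secret", "token", "api_key", "apikey")
USER_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[\s*['\"](\w+)['\"]\s*\]")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.+);")
ERROR_LOG = re.compile(r"error_log\s*\((.*)\)\s*;")
VAR = re.compile(r"\$(\w+)")

def looks_sensitive(name):
    return any(w in name.lower() for w in SENSITIVE)

def split_args(text):  # split on commas that sit outside quotes and parentheses
    args, cur, depth, quote = [], "", 0, None
    for ch in text:
        if quote or ch in "'\"":          # enter, stay inside or leave a string literal
            quote = None if ch == quote else (quote or ch)
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        elif ch == "," and depth == 0:
            args.append(cur.strip()); cur = ""; continue
        cur += ch
    return args + [cur.strip()] if cur.strip() else args

def find_sensitive_logging(php_source):
    # 1-based line numbers of error_log() calls that send sensitive user input
    # to the PHP error log, i.e. message type 0 or absent.
    tainted, findings = set(), []  # variables fed (transitively) by HTTP input
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if (m := ASSIGN.match(line)) and (USER_INPUT.search(m[2]) or tainted & set(VAR.findall(m[2]))):
            tainted.add(m[1])
        if not (call := ERROR_LOG.search(line)):
            continue
        args = split_args(call[1])
        if not args or (len(args) > 1 and args[1] != "0"):
            continue  # type 1/3/4: mail, file or SAPI handler, not the error log
        direct = any(looks_sensitive(k) for k in USER_INPUT.findall(args[0]))
        via_var = any(v in tainted and looks_sensitive(v) for v in VAR.findall(args[0]))
        if direct or via_var:
            findings.append(lineno)
    return findings

# Constructed PHP input mirroring the page's examples; lines 3 and 6 should be flagged.
SAMPLE_PHP = """<?php
$password = $_POST['password'];
error_log("Login attempt with password: " . $password);
$token = $_GET['api_token'];
error_log($token, 3, '/var/log/app.log');
error_log('raw: ' . $_POST['secret']);
$redacted = substr($token, 0, 4) . str_repeat('*', max(0, strlen($token) - 4));
error_log("Token reference: " . $redacted);
"""
```

Note that the redacted value on the last sample line is not flagged only because its variable name carries no sensitive smell; a real rule would also model sanitizers such as hashing or truncation explicitly.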
Vulnerable code example
<?php
// Sensitive credential logged directly via error_log
$password = $_POST['password'];
error_log("Login attempt with password: " . $password); // Vulnerable: password written to error log
// Token from query string also logged
$token = $_GET['api_token'];
error_log($token); // Vulnerable: sensitive token exposed in log
Secure code example
<?php
// Log only a non-sensitive indicator, never the credential itself
$username = $_POST['username'];
error_log("Login attempt for user: " . htmlspecialchars($username, ENT_QUOTES, 'UTF-8'));
// Avoid logging tokens; log only a redacted reference
$token = $_GET['api_token'];
$redacted = substr($token, 0, 4) . str_repeat('*', max(0, strlen($token) - 4));