
Log Injection

Tags: security · CWE-117 · OWASP A9:2021 · CVSS 5.3 · PHP 5.0+ · Intermediate

Also Known As

log forging, log poisoning, input log tampering

TL;DR

Writing unsanitised user input into log files allows attackers to forge log entries or inject control characters.

Explanation

Log injection lets an attacker craft input containing newlines to insert fake log entries — hiding their activity or framing innocent users. It can also be used to inject terminal escape sequences that exploit log-viewing tools. Sensitive data (passwords, tokens, credit card numbers) should never appear in logs at all. Safe logging strips newlines, limits length, strips HTML tags, and redacts sensitive field names.
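The following is an added example, not CodeClarityLab's own code, that implements the four safe-logging steps named above (strip newlines and other control characters, limit length, strip HTML tags, redact sensitive field names) and then emits one JSON object per log line so fields can never merge. The function names safe_log_value and safe_log_line, the constants, and the sample input are this example's own assumptions.

```php
<?php
// Added example (not the glossary's code): sanitise every user-supplied value
// before it reaches a log, then write structured JSON so a forged entry cannot
// split into a second line. Names below are this example's own choices.
declare(strict_types=1);

const LOG_MAX_LEN = 200;
// Field names that must never be logged in clear text (assumed list).
const SENSITIVE_KEYS = ['password', 'passwd', 'token', 'secret', 'card', 'cvv', 'authorization'];

function safe_log_value(string $value, int $maxLen = LOG_MAX_LEN): string
{
    // 1. Strip HTML tags so a browser-based log viewer cannot render them.
    $value = strip_tags($value);
    // 2. Replace CR, LF, TAB and every other C0 control byte, plus DEL, with a
    //    space. This also removes ESC (0x1B), which starts terminal escape
    //    sequences aimed at tools such as tail or less.
    $value = preg_replace('/[\x00-\x1F\x7F]/', ' ', $value);
    // 3. Cap the length so a single field cannot flood the log file.
    if (mb_strlen($value) > $maxLen) {
        $value = mb_substr($value, 0, $maxLen) . '...';
    }
    return $value;
}

function safe_log_line(string $message, array $context): string
{
    $clean = [];
    foreach ($context as $key => $val) {
        $key = safe_log_value((string) $key, 64);
        // 4. Redact values whose field name looks sensitive, whatever they hold.
        foreach (SENSITIVE_KEYS as $needle) {
            if (stripos($key, $needle) !== false) {
                $clean[$key] = '[REDACTED]';
                continue 2;
            }
        }
        $clean[$key] = safe_log_value((string) $val);
    }
    // One JSON object per line: control characters are already gone and
    // json_encode escapes quotes, so the entry is a single, unambiguous record.
    $json = json_encode(
        ['msg' => safe_log_value($message), 'ctx' => $clean],
        JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE
    );
    return ($json === false ? '{"msg":"log-encode-failed"}' : $json) . PHP_EOL;
}

// Constructed input: the forged-entry payload from the glossary plus a terminal
// escape sequence, a secret that must be redacted, and an oversized header.
$username = "admin\nINFO: Login successful for admin\x1b[2J";
echo safe_log_line('Login attempt', [
    'username'   => $username,
    'password'   => 'hunter2',            // logged as [REDACTED]
    'user_agent' => str_repeat('A', 500), // truncated to LOG_MAX_LEN
]);
```

Run with `php safe_log.php`: the newline and ESC byte in the username become spaces, so the "INFO: Login successful" text stays inside the single JSON record instead of appearing as its own line, the password field is replaced by `[REDACTED]`, and the 500-byte user agent is cut to 200 characters. Redacting by field name rather than by value is deliberate: it does not depend on recognising secret formats, which is the failure mode of value-based filters.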

Common Misconception

"Log injection is only a cosmetic issue affecting log readability." In reality, injecting newlines lets attackers forge log entries, hide their activity, and — when logs are included via LFI — escalate to remote code execution.

Why It Matters

Attacker-controlled log entries can hide malicious activity, fake legitimate events, or inject executable code if logs are later parsed by a vulnerable tool.

Common Mistakes

  • Logging raw $_SERVER['HTTP_USER_AGENT'] or referer strings that contain newlines and control characters.
  • Not stripping or escaping newline characters from all values before writing to log files.
  • Using log injection to create fake entries in security logs to obscure a breach.
  • Including user-supplied email addresses or usernames in log output without sanitisation.

Code Examples

✗ Vulnerable
// User input written directly to log — attacker forges log entries
$user = $_GET['username'];
error_log("Login attempt for user: $user");
// A request such as ?username=admin%0aINFO: Login successful for admin
// writes a second, fake "Login successful" line right after the real entry.
✓ Fixed
// Sanitise newlines before logging user-supplied values
$user = str_replace(["\r", "\n", "\t"], ' ', $_GET['username'] ?? '');

// Better: structured logging — each field is JSON-encoded.
// $logger is a PSR-3 logger (e.g. Monolog with a JSON formatter);
// $request is the framework's request object.
$logger->info('Login attempt', [
    'username' => $user,    // newlines harmless inside JSON string
    'ip'       => $request->ip(),
]);

Tools & Severity

Severity: Medium. Fix effort: Low.

Quick Fix

Strip newlines from any user data before logging; use structured logging (Monolog with a JSON handler) so fields are always kept separate.

Applies To

PHP 5.0+: web, CLI, queue worker.

Detection Hints

Source patterns such as error_log($_GET[ or $logger->info($_POST[ that pass raw user input (which may contain newlines) straight to the logger.
Auto-detectable: Yes (semgrep).