I'm wondering is there anything specific I should take into account when writing CMS logging (debug/alerts) into a plain text file? To specify more what I have in mind, think of logging into SQL database, and how stuff need to be escaped to be sure there won't be injection-attack thru log-mechanisms.
In my personal project, there's logging into MySQL database, but I've left out plenty of (perhaps) useful data to minimize possibilities for security-holes, as I'm not entirely convinced that mysqli_real_escape_string() is "do it all"-solution. It's flawed too, so there's need for rewrite anyways. If it wouldn't be my CMS, I would find it extremely hilarious to read a log notation that user had no connection to database (probably a spider-flood).