So you claim that without taint mode it is not possible to write safe PHP code?

Actually, I said exactly the opposite - if you write secure code, you do not need it. If you are concerned about your code potentially being buggy and do not want to rely only on your own smarts to avoid it - you need security tools. Tainting is one such tool.

Tainting is a false security: it makes you feel secure when you aren't.

Well, everything is false security then, because I know of no remotely accessible system that didn't have one or another way to circumvent the access control. Programs have bugs, passwords can be stolen or guessed, etc. So I would propose to move away from generic statements to something more concrete.

First, it's off in production, and that's where all the hacks appear; it will have holes due to unforeseen function usage, dynamic variables, false untainting, etc.

You are saying tainting is no silver bullet? I couldn't agree more. But then again, nothing is :)

Good luck, I suppose on a base level it is entertaining seeing someone bang their head against the wall time and time again.

You could enjoy the entertainment or you could bring some tools and help bring the wall down :) Whatever your heart desires.
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED] http://www.zend.com/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php