On 15-Dec-06, at 6:28 PM, Stanislav Malyshev wrote:
> I'd say you have pretty weird code if you do include $_POST['VAR']; and yet people do exactly that.
And if we had tainting, people would know it's bad, and would know
why. :)
>> Bitmask identifying different taint modes.
> Can you elaborate which modes you propose?
Well, for one you would need to identify different escape methods for
different data uses, so let's make a quick (and incomplete) list:
1) Command execution validation
2) Safe for command execution parameter validation
3) Output to screen validation
4) Database validation (you'd need one bit for every database, since
special chars in one db do not equate to another)
Here is another problem: because some DBs like PostgreSQL require
different treatment of binary and text data, you are going to have an
interesting problem, since escaping binary data will corrupt it.
5) Safe for HTTP headers validation
6) Safe to pass to include/eval/etc...
Ilia Alshanetsky
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
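A userland sketch of the per-sink bitmask described in the list above, added here as an illustration; it is not code from the thread or from PHP itself. The `Tainted` class, its constant names and bit assignments, and the sample input are all assumptions (PHP 8.0+ for constructor promotion).

```php
<?php
// Userland model of per-sink taint bits (constructed illustration, not PHP's own API).
final class Tainted
{
    const SAFE_SHELL_CMD   = 1 << 0; // 1) whole command line
    const SAFE_SHELL_ARG   = 1 << 1; // 2) single command parameter
    const SAFE_HTML        = 1 << 2; // 3) output to screen
    const SAFE_DB_MYSQL    = 1 << 3; // 4) one bit per database...
    const SAFE_DB_PG_TEXT  = 1 << 4; //    ...and for PostgreSQL one per data kind,
    const SAFE_DB_PG_BYTEA = 1 << 5; //    because text escaping corrupts binary data
    const SAFE_HEADER      = 1 << 6; // 5) HTTP header value
    const SAFE_INCLUDE     = 1 << 7; // 6) include/eval target

    public function __construct(private string $value, private int $safe = 0) {}

    /** Run an escaper and record the one sink its output is now safe for. */
    public function escapedWith(callable $escaper, int $bit): self
    {
        return new self($escaper($this->value), $this->safe | $bit);
    }

    /** Sinks call this; a missing bit is exactly what a taint mode would flag. */
    public function forSink(int $bit, string $sink): string
    {
        if (($this->safe & $bit) !== $bit) {
            throw new RuntimeException("tainted value reaches $sink without the matching escape");
        }
        return $this->value;
    }
}

// Constructed sample standing in for $_POST['VAR'].
$input = new Tainted("<b>O'Reilly</b>");

// htmlspecialchars grants only the screen-output bit.
$html = $input->escapedWith(fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), Tainted::SAFE_HTML);
echo $html->forSink(Tainted::SAFE_HTML, 'echo'), "\n";

// escapeshellarg grants the parameter bit, not the whole-command bit.
$arg = $input->escapedWith('escapeshellarg', Tainted::SAFE_SHELL_ARG);
echo $arg->forSink(Tainted::SAFE_SHELL_ARG, 'proc_open argv'), "\n";

// Wrong escape for the sink: an HTML-escaped string is still tainted for the shell.
try {
    $html->forSink(Tainted::SAFE_SHELL_CMD, 'shell_exec');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The point of separate bits is visible in the last block: an escaper clears the value for exactly one sink, so reusing it elsewhere still trips the check.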