On 19-Dec-06, at 11:06 AM, Alain Williams wrote:
It is quite true that a taint flag cannot *guarantee* to make a PHP script completely safe. Using a regex to untaint a value will not guarantee that you end up with a perfectly safe value -- partly because it depends on what you want to do with it.
Regex is the approach used by Perl to un-taint data, which is why I chose to mention it. The problem I am trying to show you, which you seem to be steadfastly ignoring, is that PHP variables are often used in different contexts within the scope of the same script. There are numerous applications where data would be escaped for MySQL output and then the same data printed to screen. Given that the MySQL escaping function would un-taint the data, no taint errors will be raised when the same data is printed to screen. Which means that while your code may be safe against SQL injection (not really though, due to charset tricks with MySQL), it will definitely not be safe against XSS. It is my opinion that a false sense of security is far worse than knowing your code may potentially have security holes.
The point is that most PHP programmers are not completely stupid, agreed many could be better experienced. But they can all read the following health warning:

Untainting is only as good as the check that is used.

Let us be done with this discussion and agree (as the Perl & Ruby people have) that it is best to have a useful tool even if we can't make it 100% perfect.
So you propose to give a partially working tool that promises data security and then expect people not to rely on it 100% because it is easy to
Ilia Alshanetsky
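The scenario Ilia describes (one escaping step clears a single taint flag, and the value then reaches an HTML sink unchecked) as an added PHP example; this is not code from the mail thread or from any PHP taint patch. The `UserInput` class and its per-context labels are hypothetical, and the SQL escape used here is a stand-in, since `mysql_real_escape_string()` needs a live connection.

```php
<?php
// Hypothetical wrapper (example code, not part of the discussed patch).
// Instead of one boolean "tainted" bit that any escaping function clears,
// each output context gets its own escaped copy, so a value escaped only
// for SQL is still rejected at an HTML sink.
final class UserInput {
    private string $raw;
    private array $safeFor = [];   // context name => escaped string

    public function __construct(string $raw) { $this->raw = $raw; }

    // Escape for an SQL string literal. addslashes() is a demo stand-in only;
    // it is NOT charset-aware and is not a substitute for the driver's escaper.
    public function forSql(): self {
        $this->safeFor['sql'] = addslashes($this->raw);
        return $this;
    }

    // Escape for HTML body/attribute context.
    public function forHtml(): self {
        $this->safeFor['html'] = htmlspecialchars($this->raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return $this;
    }

    // Sinks request the context they need; a missing context is an error,
    // not a silent pass-through.
    public function get(string $context): string {
        if (!isset($this->safeFor[$context])) {
            throw new LogicException("value not escaped for context '$context'");
        }
        return $this->safeFor[$context];
    }
}

// Constructed sample input: harmless once quoted in SQL, but it carries
// markup that must not reach a page unescaped.
$v = new UserInput("O'Brien <b>bold</b>");
$v->forSql();

$sql = "INSERT INTO users (name) VALUES ('" . $v->get('sql') . "')";

try {
    echo "<p>" . $v->get('html') . "</p>\n";   // the mail's scenario: SQL-escaped, printed to screen
} catch (LogicException $e) {
    echo "blocked: " . $e->getMessage() . "\n";
}

echo "<p>" . $v->forHtml()->get('html') . "</p>\n";   // escaped for the context actually used
```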
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php