On Tue, Dec 19, 2006 at 11:18:02AM -0500, Ilia Alshanetsky wrote:
>
> On 19-Dec-06, at 11:06 AM, Alain Williams wrote:
> > It is quite true that a taint flag cannot *guarantee* to make a PHP
> > script completely safe. Using a regex to untaint a value will not
> > guarantee that you end up with a perfectly safe value -- partly
> > because it depends on what you want to do with it.
>
> Regex is the approach used by Perl to un-taint data, which is why I
> chose to mention it. The problem I am trying to show you, that you
> seem to be steadfast ignoring, is that PHP variables are often used
> in different contexts within the scope of the same script. There are

Can happen in Perl/... as well.

> numerous applications where data would be escaped for MySQL output
> and then the same data printed to screen. Given that the MySQL escaping
> function would un-taint the data, no taint errors will be raised when
> the same data is printed to screen. Which means while your code may be

True. That is why I tell the people who I teach PHP to do any escaping/... at the very last moment; then you know *how* to escape it.

But very often I see people who do no data validation at all, or very little. They don't even check that a numeric field consists entirely of digits. We can help them be aware of this sort of thing; this raises their general awareness that fields may contain ''nasties''.

> safe against SQL injection (not really though, due to charset tricks
> with MySQL) it will definitely not be safe against XSS. It is my
> opinion that a false sense of security is far worse than knowing
> your code may potentially have security holes.

I wear a seat belt when I drive my car because it will help me in many small accidents. I do not leave it off because it will be useless if a large truck decides to run me down.

> So you propose to give a partially working tool that promises data
> security and then expect people not to rely on it 100% because it is
> easy to

I propose to give a partially working tool that helps in the majority of cases. I am aware that it will not be a panacea but that it is preferable to nothing.

-- 
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
#include <std_disclaimer.h>

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
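The scenario the two posters are arguing over (a value escaped for MySQL, then printed to a page) is easy to reproduce. The following PHP script is an added example written for this page, not code from the thread or from PHP itself. It constructs its own sample input in place of `$_GET`, uses `addslashes()` as a stand-in for `mysql_real_escape_string()` (which needs a live connection), and assumes the bundled `pdo_sqlite` extension is enabled so the SQL side can run against an in-memory database. It shows the XSS that survives SQL escaping, and then the approach Alain describes: validate shape early, and escape once, per context, at the moment of output.

```php
<?php
declare(strict_types=1);

// Constructed input standing in for $_GET['name'] and $_GET['id'].
$input = [
    'name' => "O'Brien <script>alert(1)</script>",
    'id'   => '42 OR 1=1',
];

// A numeric field should consist entirely of digits; reject anything else
// up front, before the value goes anywhere. ctype_digit('') is false, so
// empty input is rejected too.
function validateId(string $raw): int
{
    if (!ctype_digit($raw) || strlen($raw) > 18) {
        throw new InvalidArgumentException('id must be a string of digits');
    }
    return (int) $raw;
}

// HTML escaping, applied at the moment of output and nowhere earlier.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- The trap described in the thread: escape for SQL, then print it. ---
// addslashes() stands in for mysql_real_escape_string(); neither touches
// '<' or '>', which is the whole point.
$sqlEscaped = addslashes($input['name']);
echo "Escaped for SQL, printed as HTML: <p>{$sqlEscaped}</p>\n";
// The output still contains <script>alert(1)</script>: an XSS hole that a
// taint tracker trusting the SQL escaper would not flag.

// --- Escape at the last moment, once per context. ---
// SQL context: do not escape strings at all; bind the raw value.
// Assumes pdo_sqlite (bundled with PHP) is enabled.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $input['name']]); // stored verbatim, quote and all

// HTML context: escape what came back from the database as it is printed.
$row = $pdo->query('SELECT name FROM users')->fetch(PDO::FETCH_ASSOC);
echo 'Escaped for HTML at output time: <p>' . forHtml($row['name']) . "</p>\n";
// Output: <p>O&#039;Brien &lt;script&gt;alert(1)&lt;/script&gt;</p>

// Numeric context: validate the shape, then bind the integer.
try {
    $id = validateId($input['id']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected id: ' . forHtml($e->getMessage()) . "\n";
    $id = null;
}
if ($id !== null) {
    $select = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $select->bindValue(':id', $id, PDO::PARAM_INT);
    $select->execute();
}
```

The stored value is never modified on the way in, so the same row can later be rendered into HTML, JSON or a shell command with the escaper appropriate to that sink; an escaper applied early would have committed the data to one context and, as the thread notes, silently un-tainted it for all the others.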