Wrong again, different contexts have different validation criteria, unless you consider that tainting in PHP won't work. What's safe to print on screen may not be safe to execute or pass to the database etc...
I do not think the purpose of tainting is or should be to take this kind of decision. The purpose of tainting is to force you - as an application developer (as much as it is possible without actually looking over your shoulder and grabbing your hands :) to take this decision and not just forget about it. Many bugs are there not because somebody uses an input sanitized for exec as a database query - people usually don't do that (though I cannot say there's no app doing it - but I can certainly say it's not a routine way of action). However, people routinely forget to take action on the input altogether - either because they delay it "for later" and then forget, or because they are unfamiliar with the necessity of filtering and the potential danger of passing the data. While there's no way to stop the user who purposefully wants to pass user-supplied data to a dangerous function without filtering, there's certainly a way to warn a user who does it by mistake. That's the target.
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED] http://www.zend.com/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
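As an added illustration, not code from this thread or from any PHP taint implementation, the following toy Python model shows both points above in one place: a tainted value carries the set of contexts it has been sanitized for, each sink demands its own context (so data escaped for HTML output is still rejected by a shell sink), and forgetting to sanitize at all fails loudly at the sink rather than silently. All names here (`Tainted`, `sanitize_html`, `render_html`, `build_command`) are invented for the example; plain `str` stands in for trusted program literals.

```python
"""Toy taint tracking with per-context clearance (illustrative, not PHP's taint mode)."""
import html
import shlex
from dataclasses import dataclass
from typing import Callable, Optional, Union


class TaintError(Exception):
    """Tainted data reached a sink without being sanitized for that sink's context."""


@dataclass(frozen=True)
class Tainted:
    value: str
    # Contexts (e.g. "html", "shell") this value has been sanitized for.
    cleared_for: frozenset = frozenset()

    # Concatenation keeps the result tainted; see concat() for the clearance rule.
    def __add__(self, other: "Text") -> "Tainted":
        return concat(self, other)

    def __radd__(self, other: str) -> "Tainted":
        return concat(other, self)


Text = Union[Tainted, str]


def _raw(x: Text) -> str:
    return x.value if isinstance(x, Tainted) else x


def _clearances(x: Text) -> Optional[frozenset]:
    # None means "trusted for every context": a literal written by the programmer.
    return x.cleared_for if isinstance(x, Tainted) else None


def concat(a: Text, b: Text) -> Text:
    """Join two pieces; the result is cleared only for contexts BOTH pieces are cleared for."""
    if not isinstance(a, Tainted) and not isinstance(b, Tainted):
        return a + b
    ca, cb = _clearances(a), _clearances(b)
    if ca is None:
        cleared = cb
    elif cb is None:
        cleared = ca
    else:
        cleared = ca & cb
    return Tainted(_raw(a) + _raw(b), cleared)


# Sanitizers: each one clears the value for exactly one context.
def sanitize_html(x: Text) -> Text:
    if not isinstance(x, Tainted):
        return x
    return Tainted(html.escape(x.value, quote=True), x.cleared_for | {"html"})


def sanitize_shell(x: Text) -> Text:
    if not isinstance(x, Tainted):
        return x
    return Tainted(shlex.quote(x.value), x.cleared_for | {"shell"})


# Sinks: each one refuses tainted data not cleared for its own context.
def _require(x: Text, context: str, sink: str) -> str:
    if isinstance(x, Tainted) and context not in x.cleared_for:
        have = sorted(x.cleared_for) or "nothing"
        raise TaintError(f"{sink}: tainted data not sanitized for {context!r} (cleared for: {have})")
    return _raw(x)


def render_html(body: Text) -> str:
    return "<p>" + _require(body, "html", "render_html") + "</p>"


def build_command(arg: Text) -> str:
    # Builds the command line only; nothing is executed in this example.
    return "echo " + _require(arg, "shell", "build_command")


def taint_violation(sink: Callable[[Text], str], x: Text) -> bool:
    """True if passing x to sink is refused by the taint check."""
    try:
        sink(x)
        return False
    except TaintError:
        return True


if __name__ == "__main__":
    name = Tainted("<b>x</b> & friends")          # constructed sample: simulated request input
    print(taint_violation(render_html, name))       # forgot to sanitize -> True
    print(render_html("Hello, " + sanitize_html(name)))
    print(taint_violation(build_command, sanitize_html(name)))  # HTML-safe != shell-safe -> True
    print(build_command(sanitize_shell(name)))
```

The clearance set is intersected on concatenation, so mixing a value escaped for HTML with one escaped only for the shell yields something safe for neither context, which is exactly the case the first post worries about; the check at the sink is the "warning for the user who forgot" that the second post describes.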