Static analysis won't work well enough in PHP. I've been down that path and there's no way it'll be effective enough due to the dynamic nature of the language. (In Java it can be much more successfully implemented.)

Btw, I don't see someone doing that foreach and using untaint() as being different from someone not filtering their input. If they knowingly write that code, then well, what can we do? They would screw up even without tainting.

Andi

> -----Original Message-----
> From: Ilia Alshanetsky [mailto:[EMAIL PROTECTED] On Behalf Of Ilia Alshanetsky
> Sent: Tuesday, December 19, 2006 8:57 PM
> To: Stanislav Malyshev
> Cc: PHP internals; Wietse Venema
> Subject: Re: [PHP-DEV] Run-time taint support proposal
>
> On 19-Dec-06, at 4:21 PM, Stanislav Malyshev wrote:
>
> >> Wrong again, different contexts have different validation criteria,
> >> unless you consider that tainting in PHP won't work.
> >> What's safe to print on screen may not be safe to execute or pass to
> >> the database etc...
> >
> > I do not think the purpose of tainting is or should be to take this
> > kind of decision.
>
> Then I see little need for having it in PHP. All it means is that
> developers now need to write an untaint wrapper around all incoming
> input to shut PHP's annoyances up. I can guarantee you tons and tons of
> code that looks like this:
>
> foreach ($_GET as $k => $v) {
>     $_GET[$k] = untaint($v);
> }
>
> While there may be some benefit to doing a scan and checking if raw
> user data is passed without being modified, IMO it does not need to be
> part of the engine. It can surely be a separate extension and offer the
> same functionality; moreover it can analyze the code without having it
> be executed. In fact I'd wager you don't even need C for this, it can be
> done reasonably effectively with the tokenizer extension.
>
> Ilia Alshanetsky
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
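As an added illustration of the tokenizer-based scan Ilia suggests (example code written for this page, not from the thread, from PHP's engine or from any real extension): a heuristic pass with token_get_all() over a constructed snippet that flags superglobal reads not passed directly into a named function call.

```php
<?php
// Added example, not from the thread. Heuristic and sample source are constructed.
// It reports reads of $_GET/$_POST/$_COOKIE/$_REQUEST that are not the direct
// argument of a named function call, e.g. assigned raw or concatenated into SQL.

$sample = <<<'PHP'
<?php
$name = $_GET['name'];
echo htmlspecialchars($_GET['name']);
mysql_query("SELECT * FROM t WHERE id = " . $_POST['id']);
foreach ($_GET as $k => $v) { $_GET[$k] = untaint($v); }
PHP;

function scanRawSuperglobals(string $source): array
{
    $superglobals = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST'];
    $tokens = token_get_all($source);
    $findings = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || $tok[0] !== T_VARIABLE
            || !in_array($tok[1], $superglobals, true)) {
            continue;
        }
        // Walk backwards past whitespace to the token preceding the superglobal.
        $j = $i - 1;
        while ($j >= 0 && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j--;
        }
        // "name(" directly before the read, e.g. htmlspecialchars($_GET[...]),
        // is treated as the value being filtered; anything else is a raw read.
        $wrapped = $j >= 1
            && $tokens[$j] === '('
            && is_array($tokens[$j - 1])
            && $tokens[$j - 1][0] === T_STRING;
        if (!$wrapped) {
            $findings[] = sprintf('line %d: raw %s read', $tok[2], $tok[1]);
        }
    }
    return $findings;
}

foreach (scanRawSuperglobals($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the sample it flags the assignment on line 2, the SQL concatenation on line 4 and the foreach on line 5, while the htmlspecialchars() call passes. Because any named function counts as a filter, a blanket untaint() wrapper would also pass, which is exactly the limitation raised above: the scan can show where raw input flows, but not whether the filter fits the sink.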