So my conclusion at this point is that very frequently taint will not improve the security significantly because any given input will still be usable in an unfiltered/incorrectly filtered way for at least one context. As such it just adds code at the very core of PHP that provides too little of a benefit to be worthwhile.

I disagree - you describe a scenario where the user chooses to insufficiently or wrongly sanitize the data, and since tainting cannot protect from it you say tainting is not useful. However, as I already said, tainting is not supposed to do that. It's like blaming a computer OS for not preventing somebody from stealing the laptop with it :) Tainting IS NOT supposed to cure all your security problems. It is supposed to help YOU deal with some of them.
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED]  http://www.zend.com/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
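
The two positions in this exchange, as an added example that is not part of the original thread or of the taint patch under discussion. It assumes a toy model with a single taint bit per value that any filter clears; the `Value` class, both filters and the sink are hypothetical names, and `addslashes()` is only a stand-in for a real SQL escaper.

```php
<?php
declare(strict_types=1);

// Toy model (assumption): each value carries one taint bit, and any
// filter clears it. None of these names are PHP built-ins or patch code.
final class Value {
    public function __construct(public string $data, public bool $tainted) {}
}

// Hypothetical filters. Each escapes for ONE context but clears the same bit.
function filter_html(Value $v): Value {
    return new Value(htmlspecialchars($v->data, ENT_QUOTES, 'UTF-8'), false);
}
function filter_sql(Value $v): Value {
    // addslashes() is only a stand-in for a database-specific escaper.
    return new Value(addslashes($v->data), false);
}

// Hypothetical HTML sink: refuses tainted data, otherwise emits it as-is.
function sink_html(Value $v): string {
    if ($v->tainted) {
        throw new RuntimeException('tainted value reached HTML output');
    }
    return '<p>' . $v->data . '</p>';
}

$input = new Value('<i>Bob</i>', true); // constructed sample request value

// 1. Forgotten filter: the taint check stops the value at the sink.
try {
    sink_html($input);
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}

// 2. Correct filter for the context: the markup is escaped.
echo sink_html(filter_html($input)), PHP_EOL;

// 3. Wrong filter for the context: the bit is clear, so the check passes
//    and the markup reaches the page unescaped.
echo sink_html(filter_sql($input)), PHP_EOL;
```

Case 1 is the help the reply describes; case 3 is the gap the quoted message describes.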
