David Zülke wrote:

> An untaint() approach - all for it (yes, the noobs that don't give a
> damn are going to use it because "it just works", but no, that shouldn't
Most people here seem to agree that it would be a valuable tool for themselves to be able to taint/untaint data. Wietse's approach is very programmer friendly (few false positives, little impact on code performance, which is handy even on development systems) and the only major drawback seems to be the perception it could create: "No warnings means you're safe".

I see it as an additional tool and could live with a very basic interface (two or three taint bits I can set, clear and check) but have to admit that Wietse's approach and enhanced comfort fits very well in our world. The filter mechanism sits at the wrong end of the chain for us: we want to keep data in its original state as long as possible and sanitize it once it is used.

Not having a tool for this at all seems like a big loss to me, so I hope we can agree on something (even if it is a minimalistic Zend extension to allow a PECL module for taint).

- Chris

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
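The "few taint bits I can set, clear and check" interface and the "keep data raw, sanitize at the point of use" principle from the post above, modelled as an added example (not code from the thread, Wietse's patch, or any PHP extension): request data carries one bit per sink class, concatenation propagates the bits, each sanitizer clears only its own bit, and each sink refuses data whose bit is still set. The `Taint`, `TStr`, `from_request`, `escape_html` and `sink_*` names are assumptions made up for the illustration.

```python
import html
from enum import Flag, auto


class Taint(Flag):
    """One taint bit per kind of sink; a value can be tainted for several at once."""
    NONE = 0
    SQL = auto()
    HTML = auto()
    SHELL = auto()


ALL = Taint.SQL | Taint.HTML | Taint.SHELL


def taint_of(value):
    # Plain literals in the source carry no taint; only TStr values do.
    return getattr(value, "taint", Taint.NONE)


class TStr(str):
    """A str subclass that carries taint bits; '+' ORs the bits of both operands."""
    def __new__(cls, value, taint=Taint.NONE):
        obj = super().__new__(cls, value)
        obj.taint = taint
        return obj

    def __add__(self, other):
        return TStr(str(self) + str(other), self.taint | taint_of(other))

    def __radd__(self, other):  # called for 'literal' + tstr
        return TStr(str(other) + str(self), taint_of(other) | self.taint)


def from_request(raw):
    # Constructed input boundary: everything from the request is tainted for every sink.
    return TStr(raw, ALL)


def escape_html(value):
    # Sanitizing for HTML clears only the HTML bit; the value stays tainted for SQL/shell.
    return TStr(html.escape(str(value)), taint_of(value) & ~Taint.HTML)


def _sink(value, bit, name):
    if taint_of(value) & bit:
        raise ValueError(f"{name} sink received data still tainted for {bit.name}")
    return str(value)


def sink_html(value):
    return _sink(value, Taint.HTML, "HTML")


def sink_sql(value):
    return _sink(value, Taint.SQL, "SQL")
```

Escaping at the sink rather than at input keeps the original bytes intact for other uses, which is the ordering the post argues for.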