On 17 Jul 2015, at 14:08, Mats Lindh <mats.li...@gmail.com> wrote:

> On Fri, Jul 17, 2015 at 3:03 PM Craig Francis <cr...@craigfrancis.co.uk> wrote:
>
> > I'm looking at creating an RFC to address security issues that relate to poor
> > string handling / escaping, such as SQL-Injection, XSS, etc.
>
> You probably want to relate this to the existing RFC for "taint" support for
> variables and the changes needed to make it work (there is also an
> experimental PECL extension available).

On 17 Jul 2015, at 14:55, Bishop Bettini <bis...@php.net> wrote:

> Sounds like you are describing the taint extension.

Thanks Mats and Bishop.

That is pretty much identical to what I'm after (although I would like to suggest some changes).

It's a shame it looks like the PECL extension hasn't been touched since 2013 (PHP 5.4), and the RFC is from 2008... so I suspect this isn't going anywhere.

Do you know if there is anything I can do to help get it going again?

(I'm not a C developer, so it's probably not a good idea for me to be playing with variables like this... I know enough to realise that mistakes here would result in some pretty big security and performance issues.)

Craig