> On Sep 14, 2015, at 1:35 PM, Kalle Sommer Nielsen <ka...@php.net> wrote:
>
> Hi Christopher
>
> 2015-09-14 4:44 GMT+02:00 Christopher Owen <christopher.o...@live.com>:
>> Please consider making ‘taint’ a first-class feature/extension in PHP 7.0.
>
> It is way too late for any extension to be included in the 7.0 release
> now, but you can write an RFC targeting 7.1, please see the wiki for
> more details[1].
Thank you for the advice; it makes much more sense to target 7.1.

We can see that Wietse Venema, the same man who wrote the highly regarded, security-hardened email software Postfix, has authored an RFC for taint's inclusion in PHP in the past [1]. Also, a reference implementation has most recently been championed by Xinchen (Laruence) Hui, a core PHP developer [2]. Given those that came before me, I’m not certain that I can add much in the way of reputation or skill to the request to add taint as a first-class feature of PHP 7.1, but if there are any procedural efforts required then I will be happy to champion them.

I can add that I have personally found taint (either in its original form in Perl [3] or as an extension in PHP) a valuable tool in refactoring legacy PHP code to reduce SQL injection attack surface. As authoritative internet ‘top ten’ lists will list SQL injection as the number one security vulnerability facing web applications [4], and given the scale of deployed PHP, efforts to improve tooling (or in this case, the availability of existing tooling) to discover this class of vulnerabilities will have a positive impact on a global scale.

Kind regards,
Christopher Owen.

[1] https://wiki.php.net/rfc/taint
[2] http://pecl.php.net/package/taint
[3] http://perldoc.perl.org/perlsec.html#Taint-mode
[4] http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
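As an added illustration (not code from the thread, and not the taint extension's own code) of what the message means by using taint to find SQL injection during a legacy refactor: the legacy path concatenates a request value into the query text, where the taint extension flags it, while the refactored path binds the value as a parameter so the SQL text stays untainted. It assumes the PECL taint extension from [2] is loaded with `taint.enable=1` and provides `taint()` and `is_tainted()`; the two database helpers are stubs written for this example.

```php
<?php
// Added illustration, not code from the thread or the extension itself.
// Assumes the PECL taint extension is loaded (taint.enable=1) and offers
// taint()/is_tainted(); the database helpers below are stubs.
declare(strict_types=1);

/** Stub for a legacy helper that would hand $sql to mysqli_query(). */
function legacy_query(string $sql): bool
{
    // With the extension loaded, a tainted string reaching mysqli_query()
    // is reported automatically; the explicit check keeps the stub honest.
    if (function_exists('is_tainted') && is_tainted($sql)) {
        trigger_error('tainted SQL text reached legacy_query()', E_USER_WARNING);
        return false;
    }
    return true;
}

/** Stub for a prepared statement: SQL text and values travel separately. */
function prepared_query(string $sql, array $params): bool
{
    // $sql is a literal from source, so it is never tainted; tainted
    // values in $params are bound as data and cannot alter the SQL.
    return !(function_exists('is_tainted') && is_tainted($sql));
}

/** Before the refactor: the request value is interpolated into the query. */
function find_user_legacy(string $name): bool
{
    return legacy_query("SELECT * FROM users WHERE name = '$name'");
}

/** After the refactor: same lookup, value bound as a parameter. */
function find_user_refactored(string $name): bool
{
    return prepared_query('SELECT * FROM users WHERE name = ?', [$name]);
}

// Constructed sample input. Under taint mode, $_GET/$_POST values are
// tainted on arrival; taint() marks this stand-in the same way.
$name = "alice' OR '1'='1";
if (function_exists('taint')) {
    taint($name);
}

var_dump(find_user_legacy($name));      // concatenated query carries the taint
var_dump(find_user_refactored($name));  // taint never touches the SQL text
```

The same warning fires on every concatenation-into-query path in a legacy code base, which is what makes the extension useful for locating the spots to convert to prepared statements.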