> If anything, this proposal would help user-land solutions (it gives them
> more information while the code is running).
Well, it might help runtime-based user-land solutions, but not static-analysis-based solutions. In our bug disclosure program at Vimeo we've had no SQL injection issues reported, but a number of XSS issues (echoing attacker-controlled data), and those issues cannot so easily be prevented by this technique, as there's generally little reason to echo literal values. I can also think of a number of user-constructed SQL queries (e.g. WHERE ... IN) that require non-literal values to work (if this were to come to pass, there might be a set of special `unsafe` methods).