On Thu, 15 Aug 2019 at 21:37, Matthew Brown wrote:
>
>> If anything, this proposal would help user-land solutions (it gives them
>> more information while the code is running).
>>
>
> Well, it might help runtime-based user-land solutions, but not static
> analysis-based solutions.
>
I mostly
> If anything, this proposal would help user-land solutions (it gives them
> more information while the code is running).
>
Well, it might help runtime-based user-land solutions, but not static
analysis-based solutions.
In our bug disclosure program at Vimeo we've had no SQL injection issues
r
On Thu, 15 Aug 2019 at 7:43 pm, Matthew Brown wrote:
> There are already some userland taint-checking solutions for PHP e.g. the
> Phan taint-check plugin from MediaWiki:
> https://www.mediawiki.org/wiki/Phan-taint-check-plugin
>
> I'm working on my own userland solution, too (based on Facebook's
There are already some userland taint-checking solutions for PHP e.g. the
Phan taint-check plugin from MediaWiki:
https://www.mediawiki.org/wiki/Phan-taint-check-plugin
I'm working on my own userland solution, too (based on Facebook's
approach). Demo is here: https://psalm.dev/r/ebb9522fea
On Thu, 15 Aug 2019 at 19:05, Benjamin Eberlei wrote:
> On Thu, Aug 15, 2019 at 8:03 PM Craig Francis wrote:
>
>> Hi,
>>
>> How likely would it be for PHP to do Literal tracking of variables?
>>
>> This is something that's being discussed in JavaScript TC39 at the moment [1],
>> and I think it
On Thu, Aug 15, 2019 at 8:03 PM Craig Francis wrote:
> Hi,
>
> How likely would it be for PHP to do Literal tracking of variables?
>
> This is something that's being discussed in JavaScript TC39 at the moment [1],
> and I think it would be even more useful in PHP.
>
> We already know we should use p