On 19-Dec-06, at 4:21 PM, Stanislav Malyshev wrote:
>> Wrong again, different contexts have different validation
>> criteria, unless you consider that tainting in PHP won't work.
>> What's safe to print on screen may not be safe to execute or pass
>> to the database etc...
> I do not think the purpose of tainting is or should be to take this
> kind of decision.
Then I see little need for having it in PHP. All it means is that
developers now need to write an untaint wrapper around all incoming
input to shut PHP's annoyances up. I can guarantee you tons and tons
of code that looks like this:
foreach ($_GET as $k => $v) {
    // untaint() stands in for whatever the proposed untainting call would be
    $_GET[$k] = untaint($v);
}
While there may be some benefit to doing a scan and checking if raw
user data is passed without being modified, IMO it does not need to be
part of the engine. It can surely be a separate extension and offer
the same functionality; moreover, it can analyze the code without
having it be executed. In fact I'd wager you don't even need C for
this, it can be done reasonably effectively with the tokenizer
extension.
Ilia Alshanetsky
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
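The kind of tokenizer-based scan suggested above, as an added example that is not part of the thread or of any PHP extension: it walks token_get_all() output and flags a superglobal that reaches a sink without any function call sitting between them. The sink and source lists and the sample source are constructed for the example.

```php
<?php
// Added example, not code from the thread: a scanner built on the tokenizer
// extension that flags a superglobal passed straight into a sink without an
// intervening function call. Sink/source lists and the sample are constructed.

const SINKS   = ['echo', 'print', 'mysql_query', 'eval', 'system'];
const SOURCES = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST'];

function scan_for_raw_input(string $code): array
{
    $findings = [];
    $sink  = null;  // name of the sink statement we are currently inside
    $depth = 0;     // parenthesis depth counted from the sink token
    $base  = 0;     // depth at which a direct argument of the sink sits

    foreach (token_get_all($code) as $tok) {
        if (!is_array($tok)) {                // single-character token
            if ($sink === null) continue;
            if ($tok === '(')      $depth++;
            elseif ($tok === ')')  $depth--;
            elseif ($tok === ';')  $sink = null;
            continue;
        }
        [$id, $text, $line] = $tok;
        $name = strtolower($text);

        if ($sink === null && in_array($name, SINKS, true)
            && in_array($id, [T_STRING, T_ECHO, T_PRINT, T_EVAL], true)) {
            $sink  = $name;
            $depth = 0;
            // echo/print take bare arguments; eval() and function sinks take
            // their arguments one level inside their own parentheses.
            $base  = ($id === T_ECHO || $id === T_PRINT) ? 0 : 1;
            continue;
        }
        // Heuristic: a source at the sink's own argument depth was not wrapped
        // by any call; deeper nesting means some function (htmlspecialchars,
        // intval, ...) sits between source and sink, so it is not reported.
        if ($sink !== null && $id === T_VARIABLE && $depth === $base
            && in_array($text, SOURCES, true)) {
            $findings[] = "line $line: $sink receives raw $text";
        }
    }
    return $findings;
}

$sample = <<<'PHP'
<?php
echo $_GET['name'];
echo htmlspecialchars($_GET['name']);
mysql_query("SELECT * FROM t WHERE id = " . $_POST['id']);
mysql_query("SELECT * FROM t WHERE id = " . intval($_POST['id']));
PHP;

foreach (scan_for_raw_input($sample) as $finding) {
    echo $finding, "\n";
}
```

Lines 2 and 4 of the sample are reported; lines 3 and 5 are not, because a call wraps the source. The scan never executes the code it inspects, which is the point made in the post.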