On Tue, Dec 19, 2006 at 06:05:25PM +0100, Lukas Kahwe Smith wrote:
> Alain Williams wrote:
> >
> > I propose to give a partially working tool that helps in the majority
> > of cases. I am aware that it will not be a panacea but that it is
> > preferable to nothing.
>
> A non-context-aware taint will fail in the majority of use cases.
You are thinking about it from the wrong end. The point of taint checking is to remind the programmer to check that all input fields pass suitable checks for whatever the field is supposed to be; thus: age is numeric, sex is 'm' or 'f', price matches \d+\.\d{2}, etc. Many fields will have more complicated validation than that.

These fields can then be operated on directly, e.g. $_GET['age'] > 21 will not fail because the age is 'slkfjslfkj'.

Some fields may then need to be 'sent' somewhere, e.g. inserted into a database or output to the next web page. In that case passing the field through mysql_escape_string() or htmlspecialchars() may be needed.

Tainting is designed to remind that input validation has not been done. There was a suggestion of checking that it was suitable to be 'sent' to the appropriate 'output stream', but that was rejected as too complicated.

--
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
#include <std_disclaimer.h>

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
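The two-step discipline Alain describes (validate each field against what it is supposed to be, then escape only when a value is 'sent' to a particular output stream) can be modelled in user-land PHP. The following is an added illustration, not code from the thread or from any PHP taint patch: it assumes PHP 8 and invents a small `Tainted` wrapper plus `v_*` validators and `to_*` escapers as stand-ins for the engine-level check being discussed. Since `mysql_escape_string()` no longer exists in PHP 7 and later, the SQL sink is a hand-rolled literal quoter shown only to keep the example self-contained; in real code a bound parameter replaces it.

```php
<?php
// Added example, not from the original thread. Models the idea that every
// request field starts out tainted and only becomes usable after passing a
// field-specific validator; sending a value to a sink goes through the
// escaper that matches that sink. Names (Tainted, v_*, to_*) are invented.

declare(strict_types=1);

final class Tainted
{
    public function __construct(private string $raw) {}

    // The validator decides what "valid" means for this field and returns
    // the cleaned, typed value or null. Failure raises instead of handing
    // junk to the caller.
    public function validate(callable $validator): mixed
    {
        $clean = $validator($this->raw);
        if ($clean === null) {
            throw new InvalidArgumentException('input failed field validation');
        }
        return $clean;
    }

    // Interpolating a still-tainted value is exactly the mistake the taint
    // check exists to flag, so refuse it loudly.
    public function __toString(): string
    {
        throw new LogicException('tainted value used without validation');
    }
}

// Field validators following the shapes given in the post.
function v_age(string $s): ?int
{
    return ctype_digit($s) ? (int) $s : null;
}

function v_sex(string $s): ?string
{
    return in_array($s, ['m', 'f'], true) ? $s : null;
}

function v_price(string $s): ?string
{
    return preg_match('/^\d+\.\d{2}$/', $s) === 1 ? $s : null;
}

// Free text has no fixed shape; bound its length and reject control
// characters, then rely on the sink escaper when it is sent somewhere.
function v_name(string $s): ?string
{
    return (strlen($s) <= 100 && preg_match('/^[^\x00-\x1f]*$/', $s) === 1) ? $s : null;
}

// Sinks: one escaper per output stream. HTML escaping is useless for SQL
// and vice versa, which is why the escaper is chosen at the send site.
function to_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function to_sql_literal(string $s): string
{
    // Stand-in for a bound parameter; shown only to keep the example offline.
    return "'" . strtr($s, ["\\" => "\\\\", "'" => "\\'", "\0" => "\\0"]) . "'";
}

// Constructed sample request standing in for $_GET.
$request = array_map(fn(string $v) => new Tainted($v), [
    'age'   => '34',
    'sex'   => 'f',
    'price' => '19.99',
    'name'  => "O'Brien <b>",
    'bad'   => 'slkfjslfkj',
]);

$age   = $request['age']->validate('v_age');
$sex   = $request['sex']->validate('v_sex');
$price = $request['price']->validate('v_price');
$name  = $request['name']->validate('v_name');

// Validated fields can be operated on directly.
$adult = $age > 21;

// Sending a field somewhere goes through that sink's escaper.
echo 'Hello ' . to_html($name) . "\n";
echo 'INSERT ... VALUES (' . to_sql_literal($name) . ")\n";

// A field that does not match its expected shape is rejected at validation.
try {
    $request['bad']->validate('v_age');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

// Using a tainted value directly, without any validation, is blocked.
try {
    echo 'raw: ' . $request['bad'] . "\n";
} catch (LogicException $e) {
    echo 'blocked: ' . $e->getMessage() . "\n";
}
```

Run it with `php example.php`. The point to take from it is that validation and escaping answer different questions: `v_age` establishes that the value is an integer and so can be compared or used in arithmetic, while `to_html` and `to_sql_literal` only make a string safe for one specific destination, which is why the post treats the second step as something "may be needed" after the first rather than a substitute for it.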