> Then I see little need for having in PHP. All it means is that developers
> now need to write an untaint wrapper around all incoming input to shut
> PHP annoyances up. I can guarantee you tons and tons of code that
No, they need to use the recommended ways to work with variables - like
filters and other untainters.
> looks like this:
> foreach ($_GET as $k => $v) {
>     $_GET[$k] = untaint($v);
> }
Well, you could also write the script <?php exec($_GET['command']); ?>, put
it as the default index page of your site and advertise it on Google. We are
not to struggle with people who want to break it. We are to help
people who want to use it. It is NOT a security restriction system, that's
an OS task. It is a help system.
> While there may be some benefit to doing a scan and checking if raw
> user data is passed without being modified, IMO it does not need to be
> part of the engine. It can surely be a separate extension and offer the
All these things are interesting and may be done, but this is not
related to taint mode and its purposes. It is OK to discuss them, but
let's change the subject line then :)
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED] http://www.zend.com/
--
PHP Internals - PHP Runtime Development Mailing List
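
The contrast argued in this message, as an added example (not code from the thread or from the taint-mode proposal): a blanket loop that marks everything clean versus per-field validation with PHP's filter extension. The `$request` array, field names and limits are constructed for illustration, and `blanket_untaint()` is a hypothetical stand-in for the quoted `untaint()` loop.

```php
<?php
// Constructed sample standing in for $_GET; not from the original thread.
$request = [
    'page'  => '3',
    'sort'  => 'name; DROP TABLE users',
    'email' => 'alice@example.com',
];

// Hypothetical stand-in for the quoted loop: every value is declared
// clean, but nothing about its content is ever checked.
function blanket_untaint(array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = $value; // no validation happens here
    }
    return $out;
}

// Per-field validation: each parameter is checked against what the
// application expects of it, and anything else is rejected.
function validate_request(array $input): array
{
    $spec = [
        'page' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 1, 'max_range' => 1000],
        ],
        'sort' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/\A(name|date|size)\z/'],
        ],
        'email' => FILTER_VALIDATE_EMAIL,
    ];
    // filter_var_array() yields null for a missing key, false for a failed check.
    $result = filter_var_array($input, $spec, true);
    $clean = $rejected = [];
    foreach ($result as $key => $value) {
        if ($value === null || $value === false) {
            $rejected[] = $key;
        } else {
            $clean[$key] = $value;
        }
    }
    return [$clean, $rejected];
}

[$clean, $rejected] = validate_request($request);
var_dump(blanket_untaint($request)['sort']); // hostile value passes through unchanged
var_dump($clean, $rejected);                 // 'sort' ends up in $rejected
```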