On Fri, May 21, 2021 at 11:21 PM Craig Francis wrote:
> [...]
>
> We need something that libraries will (in the future) be able to use to
> protect themselves against these mistakes... by all programmers, especially
> those who aren't using static analysis.
>
Hi,
Not sure what kind of answer yo
Fine, I'll finish with this...
We know that HTML [3] and SQL [4] should be written by the programmer, with
user data being handled *separately*.
The same applies to OS Commands:
$command = 'rm -rf ?';
Because we're using parameters (to escape the user values properly), we
don't need to consid
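As an added illustration of the parameterised approach described in this message (example code, not from the thread or from PHP itself), the helper below takes a programmer-written template such as `rm -rf ?` and substitutes separately supplied user values, each passed through `escapeshellarg()`; the function name, the `?` placeholder convention and the sample input are assumptions.

```php
<?php
// Added example (not code from the thread): build an OS command from a
// programmer-written literal template plus separately supplied user values.
// The template uses "?" placeholders, mirroring the `rm -rf ?` example above;
// each value is escaped with escapeshellarg() and is never parsed as shell syntax.
// The function name and placeholder convention are assumptions for illustration.

function build_shell_command(string $template, array $params): string
{
    $placeholders = substr_count($template, '?');
    if ($placeholders !== count($params)) {
        throw new InvalidArgumentException(sprintf(
            'Expected %d parameter(s), got %d', $placeholders, count($params)
        ));
    }

    $i = 0;
    // Replace each "?" in order. escapeshellarg() wraps the value in single
    // quotes and escapes any embedded single quotes, so shell metacharacters
    // in user data (spaces, ;, $, backticks) stay inert inside one argument.
    return preg_replace_callback('/\?/', function () use ($params, &$i) {
        $value = $params[$i++];
        if (!is_scalar($value)) {
            throw new InvalidArgumentException('Parameters must be scalar');
        }
        return escapeshellarg((string) $value);
    }, $template);
}

// Constructed user input that would change the command if concatenated directly.
$userPath = "/tmp/upload; id";

$command = build_shell_command('rm -rf ?', [$userPath]);
// On a POSIX system $command is: rm -rf '/tmp/upload; id'  (one harmless argument)
echo $command, PHP_EOL;

// A placeholder/parameter mismatch is rejected instead of producing a broken command.
try {
    build_shell_command('cp ? ?', ['only-one']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Only the template is ever interpreted as shell syntax; the user values remain data, which is the separation the message argues libraries should be able to rely on.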
Hi Internals,
To follow up on yesterday's post [1]...
We *could* try to teach programmers to never make a mistake (yep, you can
stop laughing).
Take the previous example:
$html = "";
We might be able to teach everyone to always quote their attributes (or use
a different form of encoding):