| |||||||||||||
|
| |||||||||||||
The state of PHP securityThe state of PHP securityPosted Dec 21, 2006 9:45 UTC (Thu) by kleptog (subscriber, #1183)Parent article: The state of PHP security
One thing that would possibly help a bit would be tainting data, like perl can do. Thus even with register_globals on, the programmer couldn't accedently use tainted data in include() or eval(). It would also catch people concatentating strings to send to the database.
It doesn't help completely with SQL injection ofcouse, and not at all for cross-site scripting, but it would help catch some of the worst excesses.
(Log in to post comments)
The state of PHP security Posted Dec 21, 2006 16:54 UTC (Thu) by alanjwylie (subscriber, #4794) [Link] Wietse Venema, the well known hacker - author of Postfix, TCPWrapper,SATAN and The Coroner's Toolkit - recently posted to the PHP developers' mailing list proposing adding run-time taint support.
http://news.php.net/php.internals/26979
an easier to read threaded view of the discussion:
|
|
||||||||||||