The state of PHP security
Posted Dec 21, 2006 9:45 UTC (Thu) by kleptog
Parent article: The state of PHP security
One thing that would possibly help a bit would be tainting data, like Perl can do. Thus even with register_globals on, the programmer couldn't accidentally use tainted data in include() or eval(). It would also catch people concatenating strings to send to the database.
It doesn't help completely with SQL injection of course, and not at all for cross-site scripting, but it would help catch some of the worst excesses.
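A toy version of the taint tracking the comment describes, added here as an illustration and not part of the comment, of PHP, or of Perl. `Tainted` is a str subclass whose mark survives concatenation on either side, `include()` and `query()` are stand-ins for the dangerous sinks, and `untaint()` mimics Perl's regex-based laundering, where only input that passes a validating pattern loses its taint.

```python
import re


class TaintError(Exception):
    """Raised when tainted data reaches a dangerous sink."""


class Tainted(str):
    """A str that remembers it came from an untrusted source, such as a
    request parameter that register_globals would have turned into a variable.
    Taint survives concatenation on either side; this toy does not track it
    through format(), f-strings or slicing."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def taint(value):
    """Mark data arriving from the client as tainted."""
    return Tainted(value)


def is_tainted(value):
    return isinstance(value, Tainted)


def untaint(value, pattern):
    """Perl-style laundering: only data that fully matches a validating regex
    loses its taint. Anything else is rejected rather than passed through."""
    if re.fullmatch(pattern, value) is None:
        raise ValueError("input failed validation: %r" % str(value))
    return str(value)  # plain str: the taint mark is gone


def include(path):
    """Stand-in for PHP include(): refuses a tainted path."""
    if is_tainted(path):
        raise TaintError("tainted data used in include(): %r" % str(path))
    return "included " + path


def query(sql):
    """Stand-in for a database call: refuses SQL built from tainted pieces."""
    if is_tainted(sql):
        raise TaintError("tainted data used in query: %r" % str(sql))
    return "executed: " + sql
```

Concatenating a tainted request value into a query string or a file name keeps the taint, so the sink rejects it; validating the value with a pattern such as `[0-9]+` is the only way to get it through.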