
The state of PHP security

Posted Dec 21, 2006 9:45 UTC (Thu) by kleptog (subscriber, #1183)
Parent article: The state of PHP security

One thing that would possibly help a bit would be tainting data, like Perl can do. Thus even with register_globals on, the programmer couldn't accidentally use tainted data in include() or eval(). It would also catch people concatenating strings to send to the database.

It doesn't help completely with SQL injection of course, and not at all for cross-site scripting, but it would help catch some of the worst excesses.



The state of PHP security

Posted Dec 21, 2006 16:54 UTC (Thu) by alanjwylie (subscriber, #4794)

Wietse Venema, the well-known hacker - author of Postfix, TCPWrapper,
SATAN and The Coroner's Toolkit - recently posted to the PHP developers'
mailing list proposing adding run-time taint support.

http://news.php.net/php.internals/26979

An easier-to-read threaded view of the discussion:
http://groups.google.com/group/mailing.www.php-dev/browse...
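
The run-time tainting idea discussed in this thread, sketched in Python as an added example (not code from the commenters or from the PHP proposal): externally supplied strings carry a mark that survives concatenation, and include-like and SQL sinks refuse marked data. `Tainted`, `TaintError`, `untaint_page`, `include_page`, `run_query` and `make_db` are hypothetical names, the table contents are constructed, and the mark is tracked only through `+` concatenation.

```python
import re
import sqlite3


class TaintError(Exception):
    """Raised when externally supplied data reaches a sensitive sink."""


class Tainted(str):
    """Marks a string as externally supplied; '+' concatenation keeps the mark."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # Called for plain_str + Tainted, so the result stays marked.
        return Tainted(str.__add__(other, self))


def untaint_page(name):
    """Perl-style untainting: only a value that passes validation is released."""
    if re.fullmatch(r"[a-z0-9_]{1,32}", name) is None:
        raise TaintError("page name failed validation")
    return str(name)  # plain str, no longer marked


def include_page(path):
    """Stand-in for an include()-like sink; returns the path it would load."""
    if isinstance(path, Tainted):
        raise TaintError("tainted data in include path")
    return path


def run_query(db, sql, params=()):
    """Query sink: the SQL text must be clean, bound parameters may be tainted."""
    if isinstance(sql, Tainted):
        raise TaintError("tainted data concatenated into SQL text")
    return db.execute(sql, tuple(str(p) for p in params)).fetchall()


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db
```

The SQL check only rejects concatenated query text; passing the same tainted value as a bound parameter goes through, which is the behaviour a programmer is steered toward.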


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds