Re: [RFC] String Types (security)

Date: Fri, 17 Jul 2015 13:55:54 +0000
Subject: Re: [RFC] String Types (security)
References: 1
Groups: php.internals
On Fri, Jul 17, 2015 at 9:00 AM, Craig Francis <[email protected]>
wrote:

> Hi,
>
> I'm looking at creating an RFC to address security issues that relate to
> poor string handling / escaping, such as SQL-Injection, XSS, etc.
>

Sounds like you are describing the taint extension
<http://php.net/manual/en/intro.taint.php>:

*Taint is an extension, which is used for detecting XSS codes (tainted
string). And also can be used to spot sql injection vulnerabilities, and
shell inject, etc.*

*When taint is enabled, if you pass a tainted string (comes from $_GET,
$_POST or $_COOKIE) to some functions, taint will warn you about that.*

See also the taint RFC <https://wiki.php.net/rfc/taint>.

Regards,
bishop
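The mechanism the manual excerpt describes (request data carries a taint flag, the flag survives string operations, and sensitive functions refuse tainted input) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from the PHP taint extension or from either poster; it is a Python model of the idea, so the names `Str`, `from_request`, `escape_html`, `render_html` and `sql_query` are constructed here and are not the extension's API. It goes one step beyond the excerpt by showing how taint is cleared: only a context-appropriate escaper clears it, and SQL accepts request data solely as bound parameters, never as statement text.

```python
"""Model of taint tracking (constructed example, not the PHP taint extension).

Strings read from request data are flagged tainted; the flag propagates
through concatenation; an HTML escaper is the only thing that clears it for
the HTML sink; the SQL sink never accepts tainted statement text at all and
takes request data only as bound parameters.
"""
import html
from dataclasses import dataclass


class TaintError(Exception):
    """Raised when a tainted string reaches a sink unescaped."""


@dataclass(frozen=True)
class Str:
    """A string value plus a taint flag (stands in for a per-value flag)."""
    value: str
    tainted: bool = False

    def __add__(self, other: "Str") -> "Str":
        # Taint propagates: the result is tainted if either operand is.
        return Str(self.value + other.value, self.tainted or other.tainted)


def from_request(raw: str) -> Str:
    """Models data read from $_GET, $_POST or $_COOKIE: always tainted."""
    return Str(raw, tainted=True)


def escape_html(s: Str) -> Str:
    """HTML-context escaper; the only operation that clears taint for render_html."""
    return Str(html.escape(s.value, quote=True), tainted=False)


def render_html(s: Str) -> str:
    """HTML output sink (echo into a page): refuses tainted input."""
    if s.tainted:
        raise TaintError("tainted string reached HTML output: " + s.value)
    return s.value


def sql_query(sql: Str, params: tuple = ()) -> tuple:
    """SQL sink. Statement text must be untainted; request data is accepted
    only as bound parameters, which a driver never interprets as SQL.
    Returns the (sql, params) pair that would be handed to the driver."""
    if sql.tainted:
        raise TaintError("tainted string used as SQL text: " + sql.value)
    return sql.value, tuple(p.value for p in params)


def blocked(sink, *args) -> bool:
    """True if the sink refused the call on taint grounds."""
    try:
        sink(*args)
    except TaintError:
        return True
    return False


if __name__ == "__main__":
    user_input = from_request("<script>alert(1)</script>")   # constructed sample
    print("echo raw tainted input blocked:", blocked(render_html, user_input))
    print("echo escaped input:", render_html(escape_html(user_input)))
    unsafe_sql = Str("SELECT name FROM users WHERE id = ") + from_request("1 OR 1=1")
    print("concatenated SQL blocked:", blocked(sql_query, unsafe_sql))
    print("parameterised SQL:", sql_query(Str("SELECT name FROM users WHERE id = ?"),
                                          (from_request("1 OR 1=1"),)))
```

The point of the two sinks differs: for HTML there is a correct escaper, so the flag is cleared by applying it; for SQL the right answer is not an escaper but keeping request data out of the statement text altogether, which is why `sql_query` checks only the `sql` argument and passes `params` through untouched.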

