Re: [RFC] String Types (security)
On 17 Jul 2015, at 14:08, Mats Lindh <[email protected]> wrote:
> On Fri, Jul 17, 2015 at 3:03 PM Craig Francis <[email protected]> wrote:
> I'm looking at creating an RFC to address security issues that relate to poor string
> handling / escaping, such as SQL-Injection, XSS, etc.
>
> You probably want to relate this to the existing RFC for "taint" support for
> variables and the changes needed to make it work (there is also an experimental PECL extension
> available)
On 17 Jul 2015, at 14:55, Bishop Bettini <[email protected]> wrote:
> Sounds like you are describing the taint extension
Thanks Mats and Bishop.
That is pretty much identical to what I'm after (although I would like to suggest some
changes).
It's a shame it looks like the PECL extension hasn't been touched since 2013 (PHP 5.4),
and the RFC is from 2008... so I suspect this isn't going anywhere.
Do you know if there is anything I can do to help get it going again? (I'm not a C developer,
so it's probably not a good idea for me to be playing with variables like this... I know enough to
realise that mistakes here would result in some pretty big security and performance issues).
Craig