Newsgroups: php.internals
From: stas@zend.com (Stanislav Malyshev)
Organization: Zend Technologies
Date: Fri, 15 Dec 2006 18:29:35 -0800
To: Jordan Moore
CC: internals@lists.php.net
Subject: Re: [PHP-DEV] Re: Run-time taint support proposal

Jordan Moore wrote:
> So, what if an ISP (webhost) enables taint functionality, and a
> developer uses a PHP library that uses custom filter functions for
> filtering data. Will this developer see messages displayed on his PHP
> application even though filtering is being done?

A correctly implemented filtering library would untaint the data, of course. One of the TODOs might be providing an API making it easier to write such a library.

--
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/