Newsgroups: php.internals
Message-ID: <47421481.6050802@zend.com>
Date: Mon, 19 Nov 2007 14:56:01 -0800
To: David Zülke
CC: PHP internals
Subject: Re: [PHP-DEV] Tainted Mode Decision
From: stas@zend.com (Stanislav Malyshev)

> "Do, or do not. There is no try.". Or, in contemporary words: do things
> 100% properly, but if that is not possible, take a step back and spare
> the world some half arsed attempt.

It sounds nice, but from the practical point of view you can't make sure code is 100% tested and 100% secure. There always will be combinations of data, algorithm and state of the environment that you didn't think of and didn't test for. By your logic, thus all security solutions and all testing are useless. Obviously it is not so, and the reason for that is that every tool that allows us to cover more security "territory" and test for more problems is useful, even if it doesn't make your application never fail.

--
Stanislav Malyshev, Zend Software Architect
stas@zend.com http://www.zend.com/
(408)253-8829 MSN: stas@zend.com