Newsgroups: php.internals
Message-ID: <47A1831D.6040308@dynom.nl>
Date: Thu, 31 Jan 2008 09:13:17 +0100
From: mark@dynom.nl (Mark van der Velden)
To: internals@lists.php.net
In-Reply-To: <20080131011302.8B9D71F3E98@spike.porcupine.org>
Subject: Re: [PHP-DEV] PHP taint support updated

Wietse Venema wrote:
> I've uploaded a new version of taint support for PHP. You can find
> all the files via:
>
> ftp://ftp.porcupine.org/pub/php/index.html
>
> [..]
>
> For examples and details, see the README file, also on-line at:
>
> ftp://ftp.porcupine.org/pub/php/php-5.2.5-taint-20080130.README.html
>
> I need your feedback to make this code complete. I hope to do
> several quick 1-2 month release cycles in which I collect feedback,
> fill in missing things, and adjust course until things stabilize.

I must say I like the idea, but I'm not too fond of the error handling. For it to help with (especially) the inexperienced programmers it should be enabled by default, which automatically is going to break a lot of websites if put in production environments. However, turning it off by default isn't going to help; most people don't even set their error_reporting() to a respectable setting, let alone a new setting.

And how does this work with the Filter (http://docs.php.net/filter) extension?

>
> Wietse
>

- Mark