Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:38693
Return-Path: <wietse@porcupine.org>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 6539 invoked from network); 1 Jul 2008 22:22:49 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 1 Jul 2008 22:22:49 -0000
Authentication-Results: pb1.pair.com smtp.mail=wietse@porcupine.org; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=wietse@porcupine.org; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain porcupine.org from 168.100.189.2 cause and error)
X-PHP-List-Original-Sender: wietse@porcupine.org
X-Host-Fingerprint: 168.100.189.2 spike.porcupine.org FreeBSD 2.0-4.2
Received: from [168.100.189.2] ([168.100.189.2:4078] helo=spike.porcupine.org)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id B6/7B-06277-93EAA684 for <internals@lists.php.net>; Tue, 01 Jul 2008 18:22:49 -0400
Received: by spike.porcupine.org (Postfix, from userid 1001)
	id AEF6A1F3EA1; Tue,  1 Jul 2008 18:22:46 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=porcupine.org;
	s=dktest; t=1214950966; bh=KlJ/tQOqi1lQdXLuWCV2fg1ZUEaQiZ1emOR5lrsY
	hl4=; h=To:Subject:Message-Id:Date:From; b=kpEUgtA3rF1EB22BUVYKS4gG
	8NofhOy2Tv8whcHv9DimlSbTGbjEZRnqoxgmBWWAaUHcVt3GHVSFEWk6O7VZR7Ilw0q
	ccUTeaGSaoVD8LXS/DWaaOI2y+y+NgANomuxEFLdCSBE0hQejM51W/p8dtpxbuA0zUC
	SdRva8sF6WfU8=
To: internals@lists.php.net
Message-ID: <20080701222246.AEF6A1F3EA1@spike.porcupine.org>
Date: Tue,  1 Jul 2008 18:22:16 -0400 (EDT)
Subject: PHP+taint, Windows binaries
From: wietse@porcupine.org ((Wietse Venema))

This is an update on my preliminary implementation of support for
tainted variables in PHP. To get more feedback from developers with
Windows systems, I have built Win32 binaries. These are available
in ZIP and Windows installer format from http://wiki.php.net/rfc/taint/
and are compatible with the binaries from http://www.apache.org/

As a reminder, the goal of this project is to help PHP application
programmers find and eliminate opportunities for HTML code injection
(i.e. XSS), SQL or shell code injection, or PHP control hijacking,
before other people can exploit them. With 1% run-time overhead,
taint support may also be used as a safety net in production.  The
preliminary implementation provides taint support for basic operators,
for a selection of built-functions and extensions (pcre, mysql,
mysqli), and for the Apache server APIs.

For source, binaries and more please see http://wiki.php.net/rfc/taint/

        Wietse