Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] String Types (security)
From: craig@craigfrancis.co.uk (Craig Francis)
Date: Fri, 17 Jul 2015 15:16:28 +0100
To: PHP internals
References: <872B5165-6A87-4024-BB9D-514E83A22E6F@craigfrancis.co.uk>

On 17 Jul 2015, at 14:08, Mats Lindh wrote:

> On Fri, Jul 17, 2015 at 3:03 PM Craig Francis wrote:
>> I'm looking at creating an RFC to address security issues that relate to poor string handling / escaping, such as SQL-Injection, XSS, etc.
>
> You probably want to relate this to the existing RFC for "taint" support for variables and the changes needed to make it work (there is also an experimental PECL extension available)

On 17 Jul 2015, at 14:55, Bishop Bettini wrote:

> Sounds like you are describing the taint extension

Thanks Mats and Bishop.

That is pretty much identical to what I'm after (although I would like to suggest some changes).

It's a shame it looks like the PECL extension hasn't been touched since 2013 (PHP 5.4), and the RFC is from 2008... so I suspect this isn't going anywhere.

Do you know if there is anything I can do to help get it going again? (I'm not a C developer, so it's probably not a good idea for me to be playing with variables like this... I know enough to realise that mistakes here would result in some pretty big security and performance issues).

Craig
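As an added illustration of the idea discussed in this thread (a string stays untrusted until it has been escaped for its output context, and sinks refuse anything else), here is a small userland PHP sketch; it is not code from the RFC or the taint extension, which tracks taint inside the engine rather than through types, and the Tainted/Safe classes, escapeHtml and the renderGreeting sink are assumptions of this example:

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the RFC or the taint extension:
// untrusted input is wrapped as Tainted, and output sinks accept only
// Safe values, which only a context-specific escaper can produce.

final class Tainted
{
    private $value;
    public function __construct(string $value) { $this->value = $value; }
    // The only way out is a plain string, which no Safe-typed sink accepts.
    public function raw(): string { return $this->value; }
}

final class Safe
{
    private $value;
    public function __construct(string $value) { $this->value = $value; }
    public function __toString(): string { return $this->value; }
}

// The escaper is the single route from Tainted to Safe for an HTML body.
function escapeHtml(Tainted $in): Safe
{
    return new Safe(htmlspecialchars($in->raw(), ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Sink: the parameter type rejects both a Tainted value and a bare string.
function renderGreeting(Safe $name): string
{
    return '<p>Hello ' . $name . '</p>';
}

// Constructed sample input standing in for $_GET['name'].
$input = new Tainted('<b>Craig</b> & "friends"');

echo renderGreeting(escapeHtml($input)), PHP_EOL;  // escaped before the sink

try {
    renderGreeting($input->raw());  // escaping forgotten: rejected at the sink
} catch (TypeError $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

A SQL or URL context would get its own escaper returning its own Safe-style type, so that HTML-escaped text cannot be passed into a query by mistake.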