FYI,
Taint support for PHP 5.2.5 has been updated. The 20080423 version
improves support for PCRE, and fixes a harmless read-after-free bug.
The primary goal of this code is to help PHP application programmers
find and eliminate opportunities for HTML script injection, SQL or
shell code injection, or PHP control hijacking. It's off by default,
but can be configured to produce warnings or to terminate execution.
User-mode "make test" run-time overhead is 0.5-1.5%, as measured
on two different CPUs with the same OS and the same PHP executables.
The bench.php overhead is 2%, and presents a worst-case number for
compute-bound PHP applications that spend their entire life iterating
over tiny loops.
For more info, you can find links off http://wiki.php.net/rfc/taint/
I presented a talk this week to the NYPHP users group. You can find
a copy of my slides at http://www.nyphp.org/content/presentations/
Wietse
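An illustration added to this thread (not code from Wietse's mail or from the patch itself) of the data flows the taint checks target: a request value reaching an HTML sink and a shell sink unchanged, beside the escaped forms. The request value is constructed inline, and the example assumes that htmlspecialchars() and escapeshellarg() are treated as sanitizers that clear the taint.

```php
<?php
// Constructed stand-in for a request parameter. In a real request this
// value arrives via $_GET, which the taint patch marks as tainted.
$_GET['name'] = "O'Brien <script>alert(1)</script>";
$name = $_GET['name'];

// HTML sink, unsafe: the tainted string is placed into markup unchanged.
// This is the kind of flow taint mode reports (warning or abort,
// depending on how it is configured).
function render_unsafe($name)
{
    return "<p>Hello, $name</p>";
}

// HTML sink, hardened: htmlspecialchars() escapes <, >, &, ' and ", so the
// value cannot leave text context. Assumed here to clear the taint.
function render_safe($name)
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Shell sink, unsafe: the tainted value is interpolated into a command
// line, so any shell metacharacters in it are interpreted by the shell.
function greet_cmd_unsafe($name)
{
    return "echo Hello, $name";
}

// Shell sink, hardened: escapeshellarg() wraps the value in single quotes
// and escapes the embedded quote, so the shell sees one literal argument.
// Assumed here to clear the taint.
function greet_cmd_safe($name)
{
    return 'echo ' . escapeshellarg('Hello, ' . $name);
}

// Only the command strings are built here; nothing is executed.
echo render_unsafe($name), "\n";
echo render_safe($name), "\n";
echo greet_cmd_unsafe($name), "\n";
echo greet_cmd_safe($name), "\n";
```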
2008/4/24 Wietse Venema wietse@porcupine.org:
--
I just can't express my feelings about this extension. It's just fantastic.
Can't wait until it's going stable and added to PECL, I have code which
needs to be tested exactly with this extension :)