> On Thu, Aug 15, 2019 at 8:03 PM Craig Francis <email@example.com>
>> How likely would it be for PHP to do Literal tracking of variables?
>> and I think it would be even more useful in PHP.
>> We already know we should use parameterized/prepared SQL, but there is no
>> way to prove the SQL string hasn't been tainted by external data in large
>> projects, or even in an ORM.
>> This could also work for templating systems (blocking HTML injection) and
>> Internally it would need to introduce a flag on every variable, and a
>> single function to check if a given variable has only been created by
>> Unlike the taint extension, there should be no way to override this (e.g.
>> no taint/untaint functions); and if it was part of the core language, it
>> will continue to work after every update.
>> One day certain functions (e.g. mysqli_query) might use this information
>> generate a error/warning/notice; but for now, having it available for
>> checking would be more than enough.
> It is an interesting topic indeed! I remember that laruence wrote an
> extension for this a while ago, I have never tried it myself though. You
> can find it here: https://github.com/laruence/taint
I've been using that extension for a few years - laruence has done a
fantastic job with it.
But it can be a bit buggy; and due to it being a taint based system, with
the ability to taint/untaint, it introduces some problems.