Introduction
Taint is an extension used to detect XSS (tainted strings). It can also be used to spot SQL injection, shell injection and similar vulnerabilities.
When taint is enabled and a tainted string (one that comes from $_GET, $_POST or $_COOKIE) is passed to certain functions, taint warns you about it.
Example #1 Taint() example
<?php
// $a comes straight from the request, so it is tainted
$a = trim($_GET['a']);
// the taint propagates through concatenation and interpolation
$file_name = '/tmp' . $a;
$output = "Welcome, {$a} !!!";
$var = "output";
$sql = "Select * from " . $a;
$sql .= "ooxx";
// each of the following sinks receives tainted data and triggers a warning
echo $output;
print $$var;
include($file_name);
mysql_query($sql);
?>
The above example will output something similar to:
Warning: main() [function.echo]: Attempt to echo a string that might be tainted
Warning: main() [function.echo]: Attempt to print a string that might be tainted
Warning: include() [function.include]: File path contains data that might be tainted
Warning: mysql_query() [function.mysql-query]: SQL statement contains data that might be tainted
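The following is an added example, not part of the manual page or of the extension's own documentation. It reworks the three sinks of Example #1 so that the request value is neutralised before it reaches each one, which is what makes the warnings above disappear. It assumes the taint extension is loaded and exposes is_tainted() (if that function is missing the final checks are skipped); the PDO DSN and credentials, the allow-listed file paths and the table and column names are placeholders.

```php
<?php
// Added example: Example #1's sinks with the tainted input handled first.
// Assumes the taint extension is loaded; is_tainted() calls are guarded.

$a = isset($_GET['a']) ? trim($_GET['a']) : '';   // raw request data: tainted

// Sink 1: echo/print. HTML-escape before output. The extension treats the
// escaping functions as clearing the taint on their return value, so the
// "Attempt to echo a string that might be tainted" warning is not raised.
$output = "Welcome, " . htmlspecialchars($a, ENT_QUOTES, 'UTF-8') . " !!!";
echo $output;

// Sink 2: include(). Do not build the path from the request string at all;
// map the request value onto a fixed allow-list of files instead.
// (File paths are placeholders.)
$pages = array(
    'home'  => '/var/www/pages/home.php',
    'about' => '/var/www/pages/about.php',
);
if (isset($pages[$a])) {
    include $pages[$a];   // the path comes from the allow-list, never from $_GET
}

// Sink 3: SQL. Bind the request value as a parameter so it is sent as data
// and never concatenated into the statement text. (DSN and credentials are
// placeholders; 'items'/'name' are placeholder identifiers.)
$pdo  = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER', 'USER_PLACEHOLDER', 'PASS_PLACEHOLDER');
$stmt = $pdo->prepare('SELECT * FROM items WHERE name = ?');
$stmt->execute(array($a));

// Optional check that the escaped copy is no longer flagged as tainted.
if (function_exists('is_tainted')) {
    var_dump(is_tainted($a));                     // raw request data: true
    var_dump(is_tainted(htmlspecialchars($a)));   // after escaping: false
}
?>
```

Note that Example #1 uses the request value as the table name. Identifiers cannot be bound as parameters, so for that case the only safe option is the same allow-list approach used for the include path: map the request value onto a fixed set of known table names and reject anything else.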
Comments
I'm wondering about the quality of this PHP extension, specifically:
1. Are there any known bugs or limitations?
2. How does enabling it affect the performance of a typical system?
3. Would I be foolish to use it in PROD? Yes, yes, I know *not* using Taint in PROD is risky, that is why I want to use it! But I need to know the risks associated with using it in order to be able to make a rational decision.
Also, is this the same as the PECL package developed by Wietse Venema following the PHP RFC for Taint (https://wiki.php.net/rfc/taint), or does it differ significantly in any way?