#4, 15th November 2011
Carpetsmoker (Real Name: Martin)

Right, that sounds pretty useful.

At least in Python and JavaScript, and I suspect in Ruby and Perl, this would actually be fairly easy to implement. For example, in Python you can use:

>>> class MyInt(int):
...     myprop = 0
...
>>> var = MyInt(42)
>>> var
42
>>> var.myprop
0
>>> var.myprop = 1
>>> var
42
>>> var.myprop
1
You just subclass the int type (it's just an object) and add a new property. You can then use this property to flag whether the variable has been escaped; you would only need "custom" escape() and query() functions which set/check it. Actually, it may be best to just add an escape() method.

Anyhow, I once looked at implementing something like this in PHP. At my previous employer I had built a webshop; originally, all the prices were to be displayed with VAT, but later (naturally, after the whole thing was finished and live) there was a request for users to toggle the price display with or without VAT.
My original idea was similar to the above: create a new int type, add a "VAT" flag, and use that to calculate the correct price on invoices and so forth. This would provide the most flexibility with the least coding.
As far as I could find, there is no real way to do this in PHP.

There are workarounds: you can extend ArrayObject or StdObject, and using that you can *simulate* "custom types" and flag whether the variable was escaped, but IMHO it's a lot less clean than the Python example above ...

But with sufficient planning and design, you could use it to implement taint checking ... Perhaps some frameworks like Doctrine already do something like this (or use a different approach?).
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
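As an added example (not code from the post or its author): the escaped-flag idea from the int subclass above, carried out for strings in Python 3 with an escape() method and a query() function that checks the flag. It also shows the trap a plain subclass falls into, which the post does not cover: str.__add__ returns a plain str, so concatenation silently drops the flag unless you override it. The names Tainted, is_safe and query, and the quote-doubling escape for a single-quoted SQL literal, are assumptions for illustration only; a real application should use parameterised queries rather than escaping.

```python
# Added example: a str subclass carrying an "escaped" flag, the same trick as
# the int subclass in the post. Names (Tainted, is_safe, query) and the
# quote-doubling escape are assumptions for illustration only.


class Tainted(str):
    """A str that remembers whether it has been escaped yet."""

    def __new__(cls, value, escaped=False):
        obj = super().__new__(cls, value)
        obj.escaped = escaped
        return obj

    def escape(self):
        """Return an escaped copy. Escaping twice is a no-op, which avoids the
        classic double-escaping bug (O''''Brien)."""
        if self.escaped:
            return self
        # Assumed target: a single-quoted SQL literal, so double the quotes.
        return Tainted(self.replace("'", "''"), escaped=True)

    # str.__add__ returns a plain str, which would drop the flag and let an
    # escaped value (or "prefix" + value) reach query() as untracked data.
    # Override both directions so the result is Tainted, and escaped only if
    # every part was; a plain str on either side is treated as untrusted.
    def __add__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        other_ok = isinstance(other, Tainted) and other.escaped
        return Tainted(str.__add__(self, other), escaped=self.escaped and other_ok)

    def __radd__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(other, self), escaped=False)


def is_safe(value):
    """True only for a Tainted value whose escaped flag is set."""
    return isinstance(value, Tainted) and value.escaped


def query(template, *args):
    """Stand-in for a DB call: every interpolated fragment must be is_safe()."""
    for arg in args:
        if not is_safe(arg):
            raise ValueError("unescaped value passed to query(): %r" % (str(arg),))
    return template % tuple("'%s'" % arg for arg in args)


if __name__ == "__main__":
    user_input = Tainted("O'Brien")  # constructed sample input
    safe = user_input.escape()
    print(query("SELECT * FROM users WHERE name = %s", safe))
    try:
        query("SELECT * FROM users WHERE name = %s", user_input)
    except ValueError as exc:
        print("rejected:", exc)
```

The flag lives on the value, not on the variable, so query() cannot be bypassed by renaming; what it cannot see is data that was never wrapped in Tainted in the first place, which is why anything untracked is treated as unescaped in the concatenation overrides.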