This PECL extension is not bundled with PHP.

Runtime Configuration

The behaviour of these functions is affected by settings in php.ini.

| Name | Default | Changeable | Changelog |
|---|---|---|---|
| taint.enable | 0 | PHP_INI_SYSTEM | |
| taint.error_level | E_WARNING | PHP_INI_ALL | |

Functions and Statements which will spread the tainted mark of a tainted string

| Function/Statement | Since | 
|---|---|
| = (assign) | 0.1.0 | 
| . (concat) | 0.1.0 | 
| "{$var}" (variable substitution) | 0.1.0 | 
| .= (assign concat) | 0.1.0 | 
| strval | 0.3.0 | 
| explode/split | 0.3.0 | 
| implode/join | 0.3.0 | 
| sprintf | 0.3.0 | 
| vsprintf | 0.3.0 | 
| trim | 0.4.0 | 
| rtrim | 0.4.0 | 
| ltrim | 0.4.0 | 
| strstr | 0.5.0 | 
| str_pad | 0.5.0 | 
| str_replace | 0.5.0 | 
| substr | 0.5.0 | 
| strtolower | 0.5.0 | 
| strtoupper | 0.5.0 |

Functions and statements which will check for a tainted string

| Function/Statement | Since | 
|---|---|
| Basic statements | |
| eval | 0.1.0 | 
| include/include_once | 0.1.0 | 
| require/require_once | 0.1.0 | 
| Outputting Functions | |
| echo | 0.1.0 | 
| 0.1.0 | |
| printf | 0.1.0 | 
| file_put_contents | 0.1.0 | 
| File System Functions | |
| fopen | 0.2.0 | 
| opendir | 0.2.0 | 
| basename | 0.2.0 | 
| dirname | 0.2.0 | 
| file | 0.2.0 | 
| pathinfo | 0.2.0 | 
| Database relevant Functions | |
| mysql_query | 0.2.0 | 
| mysqli_query/MySQLi::query | 0.2.0 | 
| sqlite_query/SqliteDataBase::query | 0.3.0 | 
| sqlite_single_query/SqliteDataBase::singleQuery | 0.3.0 | 
| oci_parse | 0.3.0 | 
| PDO::query | 0.3.0 | 
| PDO::prepare | 0.3.0 | 
| SQLite3::query | 2.0.1 | 
| SQLite3::prepare | 2.0.1 | 
| Command Line relevant Functions | |
| system | 0.1.0 | 
| exec | 0.1.0 | 
| proc_open | 0.1.0 | 
| passthru | 0.1.0 | 
| shell_exec | 0.3.0 |

Functions which untaint the tainted string

| Function | Since | 
|---|---|
| addslashes | 0.1.0 | 
| addcslashes | 0.1.0 | 
| htmlspecialchars | 0.1.0 | 
| htmlentities | 0.1.0 | 
| escapeshellcmd | 0.1.0 | 
| mysql_escape_string | 0.1.0 | 
| mysql_real_escape_string | 0.1.0 | 
| mysqli_escape_string/MySQLi::escape_string | 0.1.0 | 
| mysqli_real_escape_string/MySQLi::real_escape_string | 0.1.0 | 
| sqlite_escape_string/SqliteDataBase::escapeString | 0.3.0 | 
| PDO::quote | 0.3.0 | 
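
The tables above describe one mark per string: some operations spread it, the checked functions test for it, and any listed escaping function clears it. The following added example (not part of the original page and not the extension's code) models those rules in Python so it runs without the extension, and shows that a string escaped for one context passes the check at a different kind of sink. The `Str` class, the `sink` helper and the sample input are assumptions made for the illustration.

```python
# Model of the rules in the tables above (illustration only, not the
# extension's implementation): a single boolean mark per string.
import html


class Str:
    """A string value carrying the single 'tainted' mark."""

    def __init__(self, value, tainted=False):
        self.value, self.tainted = value, tainted

    def __add__(self, other):  # models "." (concat): spreads the mark
        other = other if isinstance(other, Str) else Str(other)
        return Str(self.value + other.value, self.tainted or other.tainted)

    def trim(self):  # models trim(): spreads the mark
        return Str(self.value.strip(), self.tainted)


def htmlspecialchars(s):
    """Listed as untainting: the result carries no mark at all."""
    return Str(html.escape(s.value, quote=True), False)


warnings = []  # stands in for messages raised at taint.error_level


def sink(name, s):
    """A checked function: record a warning when the argument is marked."""
    if s.tainted:
        warnings.append(name)
    return s.value


def demo():
    warnings.clear()
    user = Str("  a & <b>  ", tainted=True)   # constructed request input
    cmd = Str("ls ") + user.trim()            # mark survives concat and trim
    sink("echo", cmd)                         # marked: warning
    sink("echo", htmlspecialchars(cmd))       # HTML-escaped for HTML output: silent
    sink("system", htmlspecialchars(cmd))     # HTML-escaped, shell sink: also silent
    sink("system", cmd)                       # marked: warning
    return list(warnings)


if __name__ == "__main__":
    print(demo())
```

Under this model the absence of a warning only says that some untainting function was applied, not that it matches the sink, so silent sinks still need review for context-appropriate escaping.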
