Taint Analysis
Taint analysis is a security technique used to identify and trace potentially unsafe or untrusted data as it flows through a program. In the context of web development, taint analysis is often employed to find security vulnerabilities related to user input and data handling.
The basic idea behind taint analysis is to track and label data that originates from untrusted sources, such as user input, and then trace how this tainted data is used throughout the application. By identifying and monitoring the flow of tainted data, developers can better understand and mitigate potential security risks, such as injection attacks (e.g., SQL injection, cross-site scripting) and other vulnerabilities.
PHP had a taint extension until PHP 8.0; it was not ported to any later version.
```php
<?php
$a = trim($_GET['a']);
$output = "Welcome, {$a} !!!";
echo $output;
// With the taint extension loaded, the echo above emits:
// Warning: main() [function.echo]: Attempt to echo a string that might be tainted
?>
```
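The extension tracked taint on native strings invisibly; the added example below makes the same source, propagation, sanitizer and sink steps explicit so the flow in the script above can be followed by hand. It is illustrative code written for this page, not the PECL extension or any project's code: the `TaintedString` wrapper, the `fromRequest`/`trimT`/`concatT`/`escapeHtmlT`/`echoSink` helpers and the `$fakeGet` request are all constructed here. The point it demonstrates is that `trim()` propagates taint rather than removing it, so the sink still refuses the value, while context-appropriate output encoding clears the taint for the HTML sink.

```php
<?php
// Added example: an explicit taint-tracking model (hypothetical helpers, not the
// PECL taint extension). A value carries a taint flag from its source until a
// sanitizer for the target context clears it; sinks refuse tainted values.

final class TaintedString
{
    public function __construct(
        public readonly string $value,
        public readonly bool $tainted,
    ) {}
}

// Source: anything read from the request is tainted until a sanitizer clears it.
function fromRequest(array $get, string $key): TaintedString
{
    return new TaintedString($get[$key] ?? '', tainted: true);
}

// Propagation: operations that do not neutralise content keep the taint flag.
function trimT(TaintedString $s): TaintedString
{
    return new TaintedString(trim($s->value), $s->tainted);
}

function concatT(string $prefix, TaintedString $s, string $suffix): TaintedString
{
    return new TaintedString($prefix . $s->value . $suffix, $s->tainted);
}

// Sanitizer: HTML output encoding clears the taint for the HTML sink only.
function escapeHtmlT(TaintedString $s): TaintedString
{
    return new TaintedString(
        htmlspecialchars($s->value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        tainted: false,
    );
}

// Sink: writing into the HTML response. Refuses tainted data instead of emitting it.
function echoSink(TaintedString $s): string
{
    if ($s->tainted) {
        throw new RuntimeException('Attempt to echo a string that might be tainted');
    }
    return $s->value;
}

// Constructed sample request standing in for $_GET (not real traffic).
$fakeGet = ['a' => '  <b>visitor</b>  '];

// Flow 1: the page's own script. trim() is not a sanitizer, so the sink rejects it.
$a = trimT(fromRequest($fakeGet, 'a'));
$output = concatT('Welcome, ', $a, ' !!!');
try {
    echo echoSink($output), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'Warning: ', $e->getMessage(), PHP_EOL;
}

// Flow 2: the same data, encoded for the HTML context before it reaches the sink.
$safe = concatT('Welcome, ', escapeHtmlT($a), ' !!!');
echo echoSink($safe), PHP_EOL;
```

Run with `php taint_demo.php` (PHP 8.1 or later, for readonly promoted properties). The first flow prints the warning, the second prints the escaped greeting. A real analyser applies the same three-part model, sources, propagators and sanitizers per sink type, across the whole codebase; the wrapper here only makes the bookkeeping visible for one request value.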
See also Secure Your PHP Code With Taint Analysis by Qodana.