Could PHANTM be modified to detect SQL and XSS injection attacks by having separate types for different strings? If a mysql_query() gets a string that isn't SQL safe, it's counted as an error. Similarly if an echo or print statement gets a string that isn't HTML safe.
htmlentities() should return HTML safe strings. mysql_real_escape() should return SQL safe strings. Hard-coded strings should be considered safe as both SQL and HTML until they are concatenated with something that isn't.
PHP-sat detects this kind of thing, but only works on old PHP 4 code, and it doesn't do the other stuff that PHANTM does.
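As an added illustration of the scheme sketched in the comment above (this is example code written for this page, not code from PHANTM or PHP-sat), here is a toy checker in Python that gives every string expression a set of sinks it is safe for: literals are safe for both SQL and HTML, superglobals for neither, a sanitizer adds one sink, and concatenation keeps only what both sides share. It handles only a tiny PHP subset (assignments, dot-concatenation, echo/print, single-argument mysql_query), the sanitizer and sink tables are assumptions, and it uses the real function name mysql_real_escape_string rather than the shortened form in the comment. The PHP snippet it analyses is constructed for the example.

```python
"""Toy taint-type checker for a PHP subset: each expression gets the set of
sinks (SQL, HTML) it is safe for; sinks reject strings not safe for them."""
import re

SQL, HTML = "sql", "html"
ALL = frozenset({SQL, HTML})
NONE = frozenset()

# Assumed tables: which function makes a string safe for which sink, and
# which statements are sinks. Extend as needed.
SANITIZERS = {"htmlentities": HTML, "htmlspecialchars": HTML,
              "mysql_real_escape_string": SQL}
SINKS = {"echo": HTML, "print": HTML, "mysql_query": SQL}
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")

TOKEN = re.compile(r"""(?P<str>'[^']*'|"[^"]*")
                     |(?P<call>[A-Za-z_]\w*)\(
                     |(?P<close>\))
                     |(?P<var>\$\w+(?:\[[^\]]*\])?)
                     |(?P<dot>\.)
                     |\s+""", re.VERBOSE)

def tokenize(src):
    toks, pos = [], 0
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if not m:
            raise SyntaxError(f"cannot tokenize near: {src[pos:]!r}")
        pos = m.end()
        if m.lastgroup:                      # whitespace has no group
            toks.append((m.lastgroup, m.group(m.lastgroup)))
    return toks

def safety_of(toks, i, env):
    """Return (set of sinks the expression is safe for, next token index)."""
    result = ALL
    while True:
        kind, text = toks[i]
        if kind == "str":                    # hard-coded literal: safe for both
            s, i = ALL, i + 1
        elif kind == "var":
            # attacker-controlled input, or an unassigned variable, is untrusted
            s = NONE if text.startswith(SOURCES) else env.get(text, NONE)
            i += 1
        elif kind == "call":
            inner, i = safety_of(toks, i + 1, env)
            if i >= len(toks) or toks[i][0] != "close":
                raise SyntaxError(f"missing ')' after {text}(")
            i += 1
            # a sanitizer adds its own sink; any other function is a black box
            s = inner | {SANITIZERS[text]} if text in SANITIZERS else NONE
        else:
            raise SyntaxError(f"unexpected token {text!r}")
        result &= s                          # concatenation: intersection
        if i < len(toks) and toks[i][0] == "dot":
            i += 1
            continue
        return result, i

def check(program):
    """Analyse a list of PHP statements; return (lineno, message) findings."""
    env, findings = {}, []
    assign = re.compile(r"^(\$\w+)\s*=\s*(.+);$")
    sink = re.compile(r"^(echo|print)\s+(.+);$|^(mysql_query)\((.+)\);$")
    for lineno, line in enumerate(program, 1):
        line = line.strip()
        if not line or line.startswith(("<?php", "?>", "//")):
            continue
        if m := assign.match(line):
            env[m.group(1)], _ = safety_of(tokenize(m.group(2)), 0, env)
        elif m := sink.match(line):
            name, expr = m.group(1) or m.group(3), m.group(2) or m.group(4)
            safe, _ = safety_of(tokenize(expr), 0, env)
            if SINKS[name] not in safe:
                findings.append((lineno, f"{name}() gets a string that is not "
                                         f"{SINKS[name].upper()}-safe"))
        else:
            raise SyntaxError(f"line {lineno}: unsupported statement {line!r}")
    return findings

SAMPLE = [                                   # constructed PHP snippet
    "<?php",
    "$name = $_GET['name'];",
    "$sql  = \"SELECT * FROM users WHERE name = '\" . mysql_real_escape_string($name) . \"'\";",
    "mysql_query($sql);",                    # ok: literal . SQL-safe . literal
    "$page = \"<h1>Hello \" . $name . \"</h1>\";",
    "echo $page;",                           # flagged: raw input reaches HTML sink
    "echo htmlentities($name);",             # ok
    "$sql2 = \"SELECT 1 WHERE x = '\" . htmlentities($name) . \"'\";",
    "mysql_query($sql2);",                   # flagged: HTML-safe is not SQL-safe
    "echo mysql_real_escape_string($name);", # flagged: SQL-safe is not HTML-safe
]

if __name__ == "__main__":
    for lineno, msg in check(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Running it flags lines 6, 9 and 10 of the sample and accepts the rest, which is exactly the "wrong escaping for the sink" class of bug the comment is asking about. A real analyzer would need the full PHP grammar, interprocedural flow and handling of control flow joins, but the lattice itself is this small.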