But there was also a more annoying part. I have to divide the internal functions of PHP into three major categories:
- Functions that can return tainted data
- Functions that can untaint data
- Functions that are sensitive sinks
When I was going over the list I also made a list of functions of which the information should not go to the user. Such as functions that retrieve all kind of information about the system.
It is interesting to check out which functions PHP has, but it becomes less interesting when there are over 3500(!) internal functions. So I spend my day was with reading function-descriptions, but I have at least seen all functions. I will explain some more things about the categories tomorrow. I will also add some stuff to the tool that will make it actually use full :)