Skip to content
Taint is a PHP extension, used for detecting XSS codes
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
tests Fixed ISSUE #61 Jun 22, 2018
travis Add Travis Aug 26, 2012
.travis.yml enable 7.1&7.2 testing Jan 2, 2018
CREDITS Fixed windows build (Issue #23) Jun 24, 2015
EXPERIMENTAL - Support separation caused by send_ref Feb 18, 2012
LICENSE Add LICENSE Oct 27, 2015 Add note about hiding errors Feb 9, 2017
config.m4 initial version Feb 13, 2012
config.w32 initial version Feb 13, 2012
php_taint.h back to dev Dec 12, 2018
taint.c Merge pull request #60 from fate0/master Jun 22, 2018


Build Status

php extension used to detect XSS codes(tainted string), And also can be used to spot sql injection vulnerabilities, shell inject, etc.

The idea is from, I implemented it in a php extension which make the patch no-needed.

Please note that do not enable this extension in product env, since it will slowdown your app.


  • PHP-5.2 +


taint is an PECL extension, thus you can simply install it by:

pecl install taint

Compile taint in Linux

$./configure --with-php-config=/path/to/php-config/
$make && make install


When taint is enabled, if you pass a tainted string(comes from $_GET, $_POST or $_COOKIE) to some functions, taint will warn you about that.

$a = trim($_GET['a']);

$file_name = '/tmp' .  $a;
$output    = "Welcome, {$a} !!!";
$var       = "output";
$sql       = "Select *  from " . $a;
$sql      .= "ooxx";

echo $output;

print $$var;



The above example will output something similar to:

Warning: main() [function.echo]: Attempt to echo a string that might be tainted

Warning: main() [function.echo]: Attempt to print a string that might be tainted

Warning: include() [function.include]: File path contains data that might be tainted

Warning: mysql_query() [function.mysql-query]: SQL statement contains data that might be tainted

If you need to hide the errors for a particular script, you can:

ini_set('taint.error_level', 0);
You can’t perform that action at this time.