is php "last year"

Dj_Jestar said:
Taint checking for what? SQL? HTML? NULL bytes? New lines?

Each has its own security reasons, and different situations in which it needs escaping or removing.

It's impossible to foolproof a variable/value for all purposes, unless you unset it.

There are situations where the checks/removal/escaping will be a PITA, such as logging SQL queries to a text file on error: you want to see the raw input from the user, not the pre-escaped version of it.

Taint checking just stops you using a variable until you've explicitly said that it's clean. I know Perl in -T mode does it for DB queries but I'm not sure about prints; I'm sure it does, though. It's not particularly difficult to do and enforces security checking, which is a good thing.

How does ASP.NET handle this? I've only ever used C# for console/Win Forms stuff so I don't know.
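Added example (not from either poster) showing what Perl's -T mode actually does, since both posts above turn on it: every value that enters the program from outside (argv, environment, stdin, files) is flagged tainted, and the flag is only cleared by a regex capture that states explicitly what "clean" means for the use in hand. Note that taint mode does not check print at all; it checks the operations that hand data to the system (system, exec, backticks, open for writing, unlink, eval of a string and similar), which also makes Dj_Jestar's point about context-specific checks visible: the same string can be printed raw to a log and still be refused by system(). The filename, the `/bin/ls` command and the character whitelist are assumptions chosen for the demo.

```perl
#!/usr/bin/perl -T
# Added example of Perl taint mode; not code from the forum thread.
# Run as:  perl -T taint_demo.pl 'report.txt;rm -rf /'
use strict;
use warnings;
use Scalar::Util qw(tainted);

# -T refuses system()/exec() unless the environment is sanitized first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Command-line arguments are external input, so under -T they arrive tainted.
# (The literal default is program-internal and therefore not tainted.)
my $input = shift @ARGV // 'report.txt';
print "argument tainted: ", (tainted($input) ? "yes" : "no"), "\n";

# print is not a checked operation: logging the raw, unescaped value works.
print "raw input logged: $input\n";

# system() IS checked. With a tainted argument it dies with
# "Insecure dependency in system while running with -T switch";
# eval turns that fatal error into a string we can report.
my $ran = eval { system('/bin/ls', '-l', $input); 1 };
print "system() with tainted arg: ", ($ran ? "ran" : "blocked: $@");

# Untainting: only a regex capture clears the taint flag. The pattern is the
# programmer's explicit declaration of what a clean filename looks like here
# (assumed whitelist: word characters, dot, dash; no slashes or shell metachars).
my ($clean) = $input =~ /^([\w.-]+)$/
    or die "refusing filename with unexpected characters: $input\n";
print "after capture tainted: ", (tainted($clean) ? "yes" : "no"), "\n";

# Same value, now explicitly declared clean, is accepted by system().
system('/bin/ls', '-l', $clean) == 0
    or print "ls exited non-zero (file probably does not exist)\n";
```

The script must be started with `perl -T`; Perl refuses a `-T` that only appears on the shebang line when the interpreter was launched without it ("Too late for -T option"). Passing an argument such as `report.txt;rm -rf /` shows the blocked system() call followed by the die from the whitelist regex, whereas `report.txt` passes the capture and reaches the second system() call. The DBI database handle the reply mentions is not covered by -T on its own; DBI only enforces taint on query arguments when the handle is opened with its Taint attributes set.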
 