psalm/docs/security_analysis/custom_taint_sinks.md

# Custom Taint Sinks

The `@psalm-taint-sink <taint-type> <param-name>` annotation allows you to define a taint sink.

Any tainted value matching the given [taint type](index.md#taint-types) will be reported as an error by Psalm.

### Example

Here the `PDOWrapper` class has an `exec` method that should not receive tainted SQL, so we can prevent its insertion:

```php
<?php

class PDOWrapper {
    /**
     * @psalm-taint-sink sql $sql
     */
    public function exec(string $sql) : void {}
}
```
Add taint docs 2020-06-19 17:56:04 +02:00			`# Custom Taint Sinks`

More better docs 2020-06-19 17:57:34 +02:00			The `@psalm-taint-sink <taint-type> <param-name>` annotation allows you to define a taint sink.

			`Any tainted value matching the given [taint type](index.md#taint-types) will be reported as an error by Psalm.`

			`### Example`

Fix minor typos in docs (#3956) While I was searching for some code, ran across these. 2020-08-08 14:09:41 +02:00			Here the `PDOWrapper` class has an `exec` method that should not receive tainted SQL, so we can prevent its insertion:
Add taint docs 2020-06-19 17:56:04 +02:00
			```php
			`<?php`

			`class PDOWrapper {`
			`/**`
			`* @psalm-taint-sink sql $sql`
			`*/`
			`public function exec(string $sql) : void {}`
			`}`
			```