Taint support for PHP

Max, Scott and I worked on taint support for PHP.

The idea is to detect and prevent security bugs such as SQL injection, shell injection, XSS, etc.

Taint support implies keeping track of which strings are controlled externally. The main implementation difficulty is making sure that the taint-related code does not spread through the entire compiler. Max came up with a clever design involving a TaintObserver object.
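
To make the idea concrete, here is an added userland model of taint tracking (example code written for this post, not the PHP/HHVM implementation or its TaintObserver design): strings that originate from the request are marked tainted, string operations propagate the mark, an escaper produces a clean string, and a security-sensitive sink refuses anything still tainted. The `TaintedStr`, `from_request`, `escape_sql_literal` and `sql_sink` names are assumptions made for the example.

```python
# Added example: a toy taint-tracking model. The real implementation hooks the
# language runtime; here the bookkeeping lives in a str subclass instead.

class TaintedStr(str):
    """A str that remembers whether it was externally controlled."""
    def __new__(cls, value, tainted=True):
        obj = super().__new__(cls, value)
        obj.tainted = tainted
        return obj

    # Propagation: anything built from a tainted string stays tainted.
    def __add__(self, other):
        return TaintedStr(str.__add__(self, other), self.tainted or is_tainted(other))

    def __radd__(self, other):
        return TaintedStr(str.__add__(other, self), self.tainted or is_tainted(other))

    def __getitem__(self, key):
        return TaintedStr(str.__getitem__(self, key), self.tainted)

    def upper(self):
        return TaintedStr(str.upper(self), self.tainted)


def is_tainted(value):
    return isinstance(value, TaintedStr) and value.tainted


def from_request(raw):
    """Taint source: everything the client sends is untrusted."""
    return TaintedStr(raw, tainted=True)


def escape_sql_literal(value):
    """Sanitizer: escaping yields a fresh, untainted SQL string literal."""
    return TaintedStr("'" + str(value).replace("'", "''") + "'", tainted=False)


class TaintError(Exception):
    """Raised when unsanitised external input reaches a sink."""


def sql_sink(query):
    """Sink: refuse a query that still carries taint; otherwise hand it back."""
    if is_tainted(query):
        raise TaintError("tainted string reached SQL sink: " + query)
    return query  # a real sink would execute the query here
```

Running `sql_sink("... WHERE name = '" + from_request(x) + "'")` raises, while the same query built with `escape_sql_literal(from_request(x))` passes, which is exactly the injection check the post describes.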

Unfortunately, tracking taint currently implies a big performance loss and cannot be enabled site-wide.

Check out http://www.jsflow.net/jsflow-challenge.html for similar work, and for a JavaScript challenge if you want to play with one.