17

[CMS Of Doom™]
Imagine bringing every HTTP Query Param and every god damn fucking POST var into the current code context.
"extract()" is one of the reasons why I have terminal PHPTSD.

Comments
  • 5
    Security hole, anyone? 😅
  • 10
    ++ for PHPTSD
  • 2
  • 11
@ScriptCoded there is no security hole here. Because you need to have some security in order to have a hole in it.
  • 1
At least he is extracting into the local context. So if he added the EXTR_SKIP flag or a prefix, it would actually be safe... but still bad pre-PHP4 style.

Not sure why he is shooting himself with addslashes though - if it does what I expect it to do, it is actually worse than the extract...
  • 2
    https://developer.wordpress.org/ref...

    Seems funky...

    But extract should in this case only be valid for the __construct function call?

    All in all, seems like bukkake.

    One should never modify incoming input directly.

    Validation - yes.

    Sanitize... Better not.

    Can lead to a pretty jolly goose chase
  • 2
    Care to explain what extract() does to someone who has 0 experience with PHP? 😄
  • 4
    @Lensflare

    Let's say you have an associative array.

    (Dict in Python)

    array(
    'test' => "foo"
    )

    extract then creates a variable named test in the current scope with the value "foo". If a variable test already exists, it's overridden. The behaviour is controlled by flags passed to the function.

    ... so if you pass it an array like $_GET, which contains all variables passed in via parameters in a GET request, it will create all local variables with the name of parameter and value of parameter.

Which is not recommended at all, as you're blindly pumping external / user-provided data into the local context.
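As an added example (not code from the post or from any of the commenters), the PHP below shows the overwrite behaviour described in this comment, the EXTR_SKIP and prefix variants mentioned in an earlier comment, and the explicit allow-list alternative that avoids extract() altogether. The input array stands in for $_GET and is constructed for illustration; the variable and function names are made up.

```php
<?php
// Added example: what extract() does with an untrusted array, how the
// flags change the outcome, and the explicit alternative.
// Constructed stand-in for $_GET (not real request data).
$untrusted = [
    'query'    => 'shoes',
    'is_admin' => '1',   // key chosen to collide with a local variable
];

// Default flag is EXTR_OVERWRITE: a colliding key replaces the local.
function extract_default(array $input): bool
{
    $is_admin = false;          // decided by application logic
    extract($input);            // $is_admin is now the string "1"
    return (bool) $is_admin;    // true: the local was clobbered
}

// EXTR_SKIP leaves already-defined variables untouched.
function extract_skip(array $input): bool
{
    $is_admin = false;
    extract($input, EXTR_SKIP); // $is_admin keeps its value
    return $is_admin;           // false
}

// EXTR_PREFIX_ALL namespaces every extracted key (here as $req_*),
// so request data can no longer collide with existing locals.
function extract_prefixed(array $input): array
{
    $is_admin = false;
    extract($input, EXTR_PREFIX_ALL, 'req'); // defines $req_query, $req_is_admin
    return [
        'is_admin'     => $is_admin,       // still false
        'req_query'    => $req_query,
        'req_is_admin' => $req_is_admin,
    ];
}

// Explicit allow-list: name every parameter you accept and validate it.
// Anything else in the input is simply ignored.
function read_search_params(array $input): array
{
    $query = (string) ($input['query'] ?? '');
    $page  = filter_var(
        $input['page'] ?? '1',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'default' => 1]]
    );
    return ['query' => $query, 'page' => $page];
}

var_dump(extract_default($untrusted));
var_dump(extract_skip($untrusted));
var_dump(extract_prefixed($untrusted));
var_dump(read_search_params($untrusted));
```

The first function is the pattern the post complains about: whoever controls the request controls any local whose name they can guess. EXTR_SKIP and EXTR_PREFIX_ALL remove the collision, but the allow-list function is the only one of the four where every variable the rest of the code sees is one the developer named and validated, which is what the PHP manual's warning against extract() on $_GET amounts to in practice.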
  • 1
  • 2
    From PHP.net… in no uncertain terms…

    Warning
    Do not use extract() on untrusted data, like user input (e.g. $_GET, $_FILES).