In one of my recent lectures, the lecturer* told the class to use the PHP extract() function.
I hadn’t previously come across extract(), so I looked it up… and was horrified (and slightly amused) that he was recommending it.
It was pretty obvious that using extract() is almost as bad as having register_globals turned on. (See the notes section on the PHP manual for extract())
Unless you’ve specifically taken measures against it, what’s to stop the user adding something like “&isloggedin=true” onto the GET query string or POST data? Or even worse, “&isadmin=true”!
Instead of using the extract() function, what’s wrong with using an array, a quick foreach and some variable variables?
Here is a very quick example (not perfect by any means, but you should get the idea):
    /*
     * Example of safe variable assignment from the POST data for some login form
     */
    $myVars = array("username", "password", "rememberMe");
    foreach ($myVars as $someVar) {
        // Curly-brace syntax builds the variable name from the prefix and the field name.
        ${"formVar_" . $someVar} = $_POST[$someVar];
        // Will result in: $formVar_username, $formVar_password and $formVar_rememberMe.
        // $$someVar = $_POST[$someVar]; // This could be used to give you $username, $password and $rememberMe
    }
The above example stops a malicious user’s extra GET or POST data from actually doing anything, but the resulting variables come out pretty much the same. Adding all your form or URL variables to the array is almost certainly a lot less work (and less of a headache) than it would be to add security measures to your code.
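To see the difference side by side, here is an added example (not part of the original post or the lecturer's material) that runs the same constructed request data through extract(), through an allowlist, and through extract() with a prefix. The function names and the sample array are made up for illustration.

```php
<?php
// Constructed request data: two expected login fields plus one extra key.
$request = array(
    'username' => 'alice',
    'password' => 'hunter2',
    'isadmin'  => 'true',   // extra parameter appended by the client
);

// Unsafe: extract() imports every key and overwrites variables already in scope.
function withExtract(array $input)
{
    $isadmin = false;   // application state set before the import
    extract($input);    // default flag is EXTR_OVERWRITE
    return $isadmin;    // value now comes from the request, not from the application
}

// Safer: copy only the allowlisted keys, and keep them in their own array.
function withAllowlist(array $input, array $allowed)
{
    $isadmin = false;
    $form = array();
    foreach ($allowed as $key) {
        // Missing fields become null instead of raising an undefined-index notice.
        $form[$key] = isset($input[$key]) ? $input[$key] : null;
    }
    return array($isadmin, $form);
}

// If extract() has to stay, a prefix keeps imported names apart from your own.
function withPrefix(array $input)
{
    $isadmin = false;
    extract($input, EXTR_PREFIX_ALL, 'form'); // creates $form_username, $form_isadmin, ...
    return array($isadmin, $form_isadmin);
}

var_dump(withExtract($request));

list($isadmin, $form) = withAllowlist($request, array('username', 'password', 'rememberMe'));
var_dump($isadmin, array_keys($form));

list($isadmin, $imported) = withPrefix($request);
var_dump($isadmin, $imported);
```

Only the first call lets the request change `$isadmin`; in the other two the extra key is either dropped or lands in a separately named variable.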
* This is the same lecturer that still uses Netscape Navigator, so it’s hardly surprising that he’s still trying to use code practices that went out of date in the 90s. He also recently posted this on the Uni LMS:
“I have just discovered that Global Variables has been disabled on the server, which means it will be difficult for you to use session variables to implement your [coursework]. I have requested it be re-enabled [...]”