Continuation of my last comment... using extract might be okay if we used extract( $this->handler_vars, EXTR_SKIP ), which will not overwrite existing variables, preventing global variable security risks.

--
Benjamin Hutchins
Phone: 1-978-415-4119
Cell: 1-207-459-8142
Fax: 1-925-905-4576
On Tue, Feb 10, 2009 at 11:14 PM, Benjamin Hutchins <[email protected]> wrote:

> I wouldn't worry about losing your place, seeing how you know there is an
> extract it's easy to determine where variables are being created. However,
> I'd be worried about the security when we use extract() of handler_vars.
> Users could easily post parameters such as _POST and have it be replaced
> (seeing how we use handler_vars this isn't a major security risk), but if
> you attempted to use _SESSION it might pose a more serious threat.
>
> On Tue, Feb 10, 2009 at 9:52 PM, Arthus Erea <[email protected]> wrote:
>
>> I agree.
>> The use of extract() has always puzzled me. It makes it harder to know
>> what we're dealing with.
>>
>> I'd throw in a beheading for good measure...
>>
>> On Feb 10, 2009, at 9:49 PM, Chris Meller wrote:
>>
>> It's done this way because someone did it once and no one ever slapped
>> them hard enough.
>>
>> extract() is obviously the way to generate variables in the local scope
>> for themes. Any other usage should get you shot. If you're extract()'ing
>> submitted data (like handler_vars), you should get shot and stabbed.
>>
>> On Tue, Feb 10, 2009 at 9:45 PM, Michael Harris <[email protected]> wrote:
>>
>>> We use extract() in several places in Habari, which at the least makes
>>> the code difficult to follow. I think it's legitimate in the theme
>>> engines, but is there any reason it's used in Comments::get(),
>>> EventLog::get(), Theme::act_display(), and Users::get()? Don't we
>>> know what's possible to be passed, and can therefore get them directly
>>> from the array? Yes, it's a bit more code, but it would be clearer.
>>>
>>> This is a genuine question, and I'd be more than happy for someone to
>>> tell me "It's done this way because ..." and learn something.
>>>
>>> --
>>> Michael C. Harris, School of CS&IT, RMIT University
>>> http://twofishcreative.com/michael/blog
>>> IRC: michaeltwofish #habari

To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/habari-dev
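The thread above argues about extract() on submitted data and whether EXTR_SKIP is an adequate fix. The following is an added example, not Habari code and not something any participant posted: a constructed $handler_vars array standing in for parsed request parameters, and three hypothetical handler functions showing the default extract() behaviour, the EXTR_SKIP variant, and explicit reads. The variable names ($is_admin, $slug, $debug) and the render_* functions are invented for illustration.

```php
<?php
// Added example (not Habari's code). Shows what extract() does to a local
// scope when the array comes from the request, and what EXTR_SKIP changes.
declare(strict_types=1);

// Constructed request parameters: a caller controls both keys and values.
// Two of the keys are chosen to collide with names the handler uses.
$handler_vars = [
    'slug'     => 'hello-world',
    'is_admin' => '1',   // hostile: same name as a local authorization flag
    'debug'    => '1',   // hostile: a name the handler never assigns itself
];

// 1. Default extract() (EXTR_OVERWRITE): request data replaces existing locals.
function render_default(array $vars): array
{
    $is_admin = false;       // in real code this would come from the session
    extract($vars);          // $is_admin is now '1' because the request said so
    return [
        'is_admin' => (bool) $is_admin,
        'slug'     => $slug ?? null,
        'debug'    => isset($debug),
    ];
}

// 2. extract(..., EXTR_SKIP): a key is ignored if a local of that name already
//    exists, so $is_admin survives. Keys with no existing local are still
//    turned into variables, so anything later tested with isset() is exposed.
function render_skip(array $vars): array
{
    $is_admin = false;
    extract($vars, EXTR_SKIP);
    return [
        'is_admin' => (bool) $is_admin,
        'slug'     => $slug ?? null,
        'debug'    => isset($debug),   // true: created by extract()
    ];
}

// 3. Explicit reads: the handler names the keys it accepts and validates them;
//    nothing else in the request can reach the local scope.
function render_explicit(array $vars): array
{
    $is_admin = false;
    $slug = null;
    if (isset($vars['slug']) && is_string($vars['slug'])
        && preg_match('/\A[a-z0-9-]{1,64}\z/', $vars['slug']) === 1) {
        $slug = $vars['slug'];
    }
    return ['is_admin' => $is_admin, 'slug' => $slug, 'debug' => false];
}

foreach (['render_default', 'render_skip', 'render_explicit'] as $fn) {
    printf("%-16s %s\n", $fn, json_encode($fn($handler_vars)));
}
```

Running it shows the three behaviours side by side: the default call reports is_admin as true because the request parameter overwrote the local, the EXTR_SKIP call keeps is_admin false but still reports debug as set, and the explicit version is unaffected by either hostile key. EXTR_SKIP therefore protects only variables that are already assigned before the extract() call; a check such as isset($debug) on a variable the handler never initialised is still attacker-controlled.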
