et Fri Jan 30 13:09:45 2004 EDT
Modified files:
/phpdoc/en/reference/array/functions extract.xml
Log:
Add security warning
http://cvs.php.net/diff.php/phpdoc/en/reference/array/functions/extract.xml?r1=1.12&r2=1.13&ty=u
Index: phpdoc/en/reference/array/functions/extract.xml
diff -u phpdoc/en/reference/array/functions/extract.xml:1.12
phpdoc/en/reference/array/functions/extract.xml:1.13
--- phpdoc/en/reference/array/functions/extract.xml:1.12 Mon Dec 15 11:47:04
2003
+++ phpdoc/en/reference/array/functions/extract.xml Fri Jan 30 13:09:45 2004
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.12 $ -->
+<!-- $Revision: 1.13 $ -->
<!-- splitted from ./en/functions/array.xml, last change in rev 1.2 -->
<refentry id="function.extract">
<refnamediv>
@@ -147,6 +147,17 @@
<function>extract</function> returns the number of variables
successfully imported into the symbol table.
</para>
+ <warning>
+ <para>
+ Do not use extract on untrusted data, like user-input ($_GET, ...).
+ If you do it, for example if you want to run old code that relies on
+ <link linkend="security.registerglobals">""register_globals</link>
+ temporarily, make sure you use one of the non-overwriting
+ <parameter>extract_type</parameter>s like EXTR_SKIP, and be aware that
+ you should now extract $_SERVER, $_SESSION, $_COOKIE, $_POST and $_GET
+ in that order.
+ </para>
+ </warning>
<para>
A possible use for <function>extract</function> is to import into the
symbol table variables contained in an associative array returned by
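Review bot: The link text on the register_globals line carries a stray doubled quote, `""register_globals`, which will render verbatim inside the link; it should read `<link linkend="security.registerglobals">register_globals</link>`. Two smaller style points in the same paragraph: `extract` on the first line is bare text while the surrounding paragraphs mark it up as `<function>extract</function>`, and `<parameter>extract_type</parameter>s` renders the parameter name with a trailing s, so `one of the non-overwriting <parameter>extract_type</parameter> values such as EXTR_SKIP` reads better. It may also help to say why the order of the superglobals matters — with EXTR_SKIP the first import of a name wins, so the most trusted source has to be extracted first — since the bare list looks arbitrary to a reader.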