On Tue, Mar 09, 2004 at 10:38:14AM -0000, Kenneth Schwartz wrote: > irchtml Tue Mar 9 05:38:14 2004 EDT > > Modified files: > /phpdoc/en/reference/array/functions extract.xml [snip] > Log: > extract: minor revision > others: use <void/> > + user-input ($_GET, ...). If you do, for example, if you want to run old > + code that relies on > <link linkend="security.registerglobals">register_globals</link> > temporarily, make sure you use one of the non-overwriting > - <parameter>extract_type</parameter> values like EXTR_SKIP, and be aware > - that you should now extract <varname>$_SERVER</varname>, > - <varname>$_SESSION</varname>, <varname>$_COOKIE</varname>, > - <varname>$_POST</varname> and <varname>$_GET</varname> in that order. > + <parameter>extract_type</parameter> values like <constant>EXTR_SKIP</constant> > + and be aware that you should extract <varname>$_GET</varname>, > + <varname>$_POST</varname>, <varname>$_COOKIE</varname>, > + <varname>$_SESSION</varname> and <varname>$_SERVER</varname> in that order > + when using an overwriting <parameter>extract_type</parameter> or in > + reverse order when using a non-overwriting type.
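Review bot: the clause "when using an overwriting extract_type or" added at the end of the hunk contradicts the instruction earlier in the same sentence to use a non-overwriting value like EXTR_SKIP on user input. With an overwriting type, keys from $_GET, $_POST and $_COOKIE replace variables the script has already set, whatever order the arrays are extracted in. Suggest dropping that clause and stating only the order for non-overwriting types ($_SERVER, $_SESSION, $_COOKIE, $_POST, $_GET), as the removed lines had it. The opening "If you do, for example, if you want to run old code" also doubles the conditional and could read "If you do, for example to run old code".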
Could you please revert that? It advises users to create security holes. As it is stated before, NEVER use an overwriting type on user-input, since then anything ($_SERVER, $_SESSION, ...) can easily be compromised.
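The objection in this reply, as an added example that is not part of the original thread or of the PHP manual: it compares the overwriting order from the patch with EXTR_SKIP in both orders. The arrays are constructed stand-ins for $_GET and $_SERVER, and import_request() is a hypothetical helper that emulates register_globals inside a function scope.

```php
<?php
// Constructed request data (assumption): stand-ins for $_GET and $_SERVER so
// the script runs from the CLI without touching the real superglobals.
$get    = ['is_admin' => '1', 'REMOTE_ADDR' => '10.0.0.1', 'page' => 'home'];
$server = ['REMOTE_ADDR' => '203.0.113.7'];

// Hypothetical helper: import the given arrays, in order, into a scope that
// already holds a trusted variable, then report what the scope contains.
function import_request(array $sources, int $extract_type): array
{
    $is_admin = false; // trusted value set by the application before import

    foreach ($sources as $source) {
        extract($source, $extract_type);
    }

    return [
        'is_admin'    => $is_admin,
        'REMOTE_ADDR' => $REMOTE_ADDR ?? null,
        'page'        => $page ?? null,
    ];
}

$cases = [
    // Order given in the patch for an overwriting type: user input first.
    'EXTR_OVERWRITE, GET then SERVER' => [[$get, $server], EXTR_OVERWRITE],
    // Non-overwriting type, trusted source first: first definition wins.
    'EXTR_SKIP, SERVER then GET'      => [[$server, $get], EXTR_SKIP],
    // Non-overwriting type in the wrong order: user input is seen first.
    'EXTR_SKIP, GET then SERVER'      => [[$get, $server], EXTR_SKIP],
];

foreach ($cases as $label => [$sources, $type]) {
    echo $label, "\n";
    var_export(import_request($sources, $type));
    echo "\n\n";
}
```

In the first case the request parameter replaces the application's own $is_admin even though $_SERVER is extracted last; in the third case EXTR_SKIP keeps $is_admin intact but the request-supplied REMOTE_ADDR is the one that sticks.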
