
After reading these comments I am intrigued. Whenever I have used PHP I pretty much always run extract three times:

    extract($_GET, EXTR_PREFIX_ALL|EXTR_REFS, 'gVar');
    extract($_POST, EXTR_PREFIX_ALL|EXTR_REFS, 'pVar');
    extract($_COOKIE, EXTR_PREFIX_ALL|EXTR_REFS, 'cVar');

It makes working with get/post/cookies much easier. All variables are extracted with a prefix... so:

http://www.yyy.com/script.php?hello=world results in $gVar_hello being the variable holding 'world'.

Is this poor form?

I previously used `import_request_variables` - but that's been sidelined.



Why is using $gVar_hello easier than $_GET['hello']? Also $_GET and friends have the benefit of being super global.


It is easier to use in strings, `$blah = "hi $gVar_hello";` rather than `$blah = "hi {$_GET['hello']}";`.

Not that it is a massive deal... I guess I just got in the habit when I was younger. Like I said, I always used import_request_variables (with various prefixes).

----

But back to my question - is it bad to use like I have?


First: this could result in:

  echo $blah; // hi <script>alert('foo');</script>

But maybe it's just because you posted an example...

Second: it will double the memory used.

Third: you can't use the variables globally anymore
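
The three objections above, worked through in a stand-alone script. This is an added example, not code posted by anyone in the thread: it assigns a constructed array to `$_GET` so it runs from the CLI, uses the poster's `extract(..., EXTR_PREFIX_ALL|EXTR_REFS, 'gVar')` pattern, shows the unescaped echo next to an `htmlspecialchars()`-escaped one, measures the copy-on-write cost with `memory_get_usage()`, and shows that an extracted name is not visible inside a function while `$_GET` is.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a request to script.php?hello=world&name=...
// (assigning to $_GET is only done here so the script runs from the CLI).
$_GET = [
    'hello' => 'world',
    'name'  => "<script>alert('foo');</script>",
];

// The pattern from the original post: every key becomes $gVar_<key>.
extract($_GET, EXTR_PREFIX_ALL | EXTR_REFS, 'gVar');

// Escape at the point of output: ENT_QUOTES covers both quote styles so the
// value is rendered as text even inside an attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// First objection: interpolating the raw value reproduces the markup verbatim.
$unsafe = "hi $gVar_name";
$safe   = "hi " . h($gVar_name);
echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

// Second objection: PHP values are copy-on-write, so extract() without
// EXTR_REFS copies only the variable slot and shares the string body until
// one side is written to. Measure rather than assume.
$big    = ['payload' => str_repeat('x', 1024 * 1024)];
$before = memory_get_usage();
extract($big, EXTR_PREFIX_ALL, 'm');          // creates $m_payload
$afterExtract = memory_get_usage();
$m_payload   .= 'y';                          // first write forces the real copy
$afterWrite   = memory_get_usage();
printf("extract cost: %d bytes, write cost: %d bytes\n",
    $afterExtract - $before, $afterWrite - $afterExtract);

// Third objection: extract() creates variables in the calling scope only.
// Inside a function $gVar_hello does not exist, but the superglobal does.
function greet(): string
{
    $viaSuperglobal = isset($_GET['hello']) ? $_GET['hello'] : '(unset)';
    $viaExtract     = isset($gVar_hello)    ? $gVar_hello    : '(unset)';
    return "superglobal: $viaSuperglobal, extracted: $viaExtract";
}
echo greet(), "\n";
```

Running it with `php extract_demo.php` prints the escaped and unescaped strings, an extract cost of a few dozen bytes against a write cost of roughly a megabyte, and `extracted: (unset)` from inside `greet()`. Note that with `EXTR_REFS`, as in the poster's call, `$gVar_hello` is a reference into `$_GET`, so writing to it also changes `$_GET['hello']`.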


Like you said, I wouldn't use it without first cleaning the input. I guess I use it more out of habit and preferring a straight variable to an array... just feels neater.

Good point on the memory, but I wouldn't think that's a big issue. I haven't tested right now, but I don't remember ever having issues using the $_GET variable after exporting? Not sure if that's what you meant.


If I am not mistaken, PHP is copy-on-write, so if extract just copies the value then memory usage wouldn't be doubling.


Well, like most coding bad practices, plenty of which I'm guilty of too, it's fine until it's not -- and then it's really bad.

I can't immediately think of a practical way to make a problem out of that. But, you're making a couple of bets here: you're betting that there never will be a problem with it, and you're betting that the rules in PHP won't change in the future. All those folks that relied on magic_quotes already got boned by that second bet.

So, no, I wouldn't do it that way, but I wouldn't criticize you for it either.


Haha, yeah, that is true. When they said import_request_variables was being removed I was so close to just forgetting the idea of doing what I am doing.


You missed out the sanitizing of the input just for this example, right!?


of course!


  $blah = "hi $_GET[hello]";


Yes this is poor form. Prefixing, you don't have to deal with serious security issues, but this is just a step you really don't have to take--if this is part of your normal "bootstrap" you're likely doing it wrong.



