Full Disclosure mailing list archives
PHP import_request_variables() vs extract()
From: ascii <ascii () katamail com>
Date: Fri, 09 Mar 2007 01:11:28 +0100
Please note that also extract() will override any variable exluded $GLOBALS but the main difference is that on http://it2.php.net/extract you are advised to do not use "extract() against untrusted data, like user-input ($_GET, ...)." [quote] if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini [/quote] Infact extract() has a EXTR_SKIP flag that implement this bhreaviuw: [quote] If there is a collision, don't overwrite the existing variable. [/quote] Using extract() with EXTR_SKIP will give you something like GLOBALS ON that is safe if compared with what happens using extract($_GET); or import_request_variables('G'); --- >8 --- >8 --- >8 --- >8 --- test1.php --- >8 --- >8 --- >8 --- >8 <?php extract($_GET); print_r($_SERVER); ?> --- >8 --- >8 --- >8 --- >8 --- --------- --- >8 --- >8 --- >8 --- >8 Demo: test1.php?SERVER=abc Expected result: the _SERVER array will became a string The morale is that while an insecure usage of extract() by a developer could be his fault there is no secure usage of import_request_variables() and this is surely a PHP fault. Regards, Francesco 'ascii' Ongaro http://www.ush.it/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- PHP import_request_variables() vs extract() ascii (Mar 08)