> > This would prevent most of the vulnerabilities found in the dataset and we cannot think of a valid use
> > case for allowing this behavior

But not all. This function is dangerous on its own. Attack vectors are 99% through superglobals but could come from other sources too. However, this function is handy when used correctly.

I agree with everything stated in the email. Using extract() on superglobals is definitely an incorrect usage and should be forbidden. If it's something that we can do then we should do it as soon as possible, even if it means breaking some poorly written code.

An empty prefix should be a bug and as such I recommend adding an error for this in PHP 8.5 without deprecation or RFC.

One more thing that would improve security is to change the default flag to EXTR_SKIP. It would be a major BC break though, so we could probably only do it in PHP 9.
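As an added example (not from this thread or from PHP itself), the script below shows how extract() with its default EXTR_OVERWRITE flag lets request data clobber an existing variable, and the two safer call shapes mentioned above (EXTR_SKIP, and EXTR_PREFIX_ALL with a non-empty prefix). The `$request` array is a constructed stand-in for `$_GET`, and the function names are hypothetical.

```php
<?php
// Constructed request data standing in for $_GET; the 'is_admin' key
// collides with a variable the application sets itself.
$request = ['name' => 'alice', 'is_admin' => '1'];

// Default flag (EXTR_OVERWRITE): a request key that matches a local
// variable silently replaces it, so the caller's decision is lost.
function extractOverwrite(array $request): bool
{
    $is_admin = false;      // decided by the application, not the client
    extract($request);      // 'is_admin' => '1' overwrites $is_admin
    return (bool) $is_admin;
}

// EXTR_SKIP: existing variables are kept; only new names are created.
// $is_admin stays false because it already existed before the call.
function extractSkip(array $request): bool
{
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return (bool) $is_admin;
}

// EXTR_PREFIX_ALL with a non-empty prefix: every key lands under its own
// prefixed name ($req_is_admin, $req_name), so nothing pre-existing is
// touched and the caller still sees the request value explicitly.
function extractPrefixed(array $request): array
{
    $is_admin = false;
    extract($request, EXTR_PREFIX_ALL, 'req');
    return [
        'is_admin'     => $is_admin,
        'req_is_admin' => $req_is_admin ?? null,
    ];
}

var_dump(extractOverwrite($request));
var_dump(extractSkip($request));
var_dump(extractPrefixed($request));
```

Run with the PHP CLI; only the first call reports the client-supplied value for `$is_admin`.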