Sure.
> On Tue, Mar 09, 2004 at 10:38:14AM -0000, Kenneth Schwartz wrote: > > irchtml Tue Mar 9 05:38:14 2004 EDT > > > > Modified files: > > /phpdoc/en/reference/array/functions extract.xml > [snip] > > Log: > > extract: minor revision > > others: use <void/> > > + user-input ($_GET, ...). If you do, for example, if you want to run old > > + code that relies on > > <link linkend="security.registerglobals">register_globals</link> > > temporarily, make sure you use one of the non-overwriting > > - <parameter>extract_type</parameter> values like EXTR_SKIP, and be aware > > - that you should now extract <varname>$_SERVER</varname>, > > - <varname>$_SESSION</varname>, <varname>$_COOKIE</varname>, > > - <varname>$_POST</varname> and <varname>$_GET</varname> in that order. > > + <parameter>extract_type</parameter> values like > > <constant>EXTR_SKIP</constant> > > + and be aware that you should extract <varname>$_GET</varname>, > > + <varname>$_POST</varname>, <varname>$_COOKIE</varname>, > > + <varname>$_SESSION</varname> and <varname>$_SERVER</varname> in that order > > + when using an overwriting <parameter>extract_type</parameter> or in > > + reverse order when using a non-overwriting type. > > Could you please revert that? It advises users to create security holes. > As it is stated before, NEVER use an overwriting type on user-input, > since then anything ($_SERVER, $_SESSION, ...) can easily be > compromised.
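Review bot: The added clause "when using an overwriting extract_type or in reverse order when using a non-overwriting type" presents overwriting extraction of user input as an accepted option, which conflicts with the same sentence's instruction to "make sure you use one of the non-overwriting extract_type values like EXTR_SKIP". Suggest dropping the overwriting alternative and documenting only the non-overwriting order, $_SERVER, $_SESSION, $_COOKIE, $_POST and $_GET, as the removed lines had it. The new opening "If you do, for example, if you want to run old code" also doubles the "if"; "If you do, for example to run old code that relies on register_globals temporarily" reads more cleanly.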
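The order dependence this thread is about, as an added example that is not part of the phpdoc patch or either poster's message. The arrays are constructed stand-ins for the superglobals, and `emulate()` is a hypothetical helper that extracts them into one local scope the way a register_globals shim would.

```php
<?php
// Constructed sample data standing in for $_SERVER, $_SESSION and $_GET.
$server  = ['REMOTE_ADDR' => '192.0.2.10'];
$session = ['is_admin' => false];
$get     = ['is_admin' => '1', 'REMOTE_ADDR' => '127.0.0.1', 'page' => 'home'];

// Hypothetical helper: extract each source in turn into this function's
// scope and return the variables that result.
function emulate(array $sources, int $extract_type): array
{
    foreach ($sources as $source) {
        extract($source, $extract_type);
    }
    // Drop the helper's own locals so only extracted names remain.
    unset($sources, $source, $extract_type);
    return get_defined_vars();
}

$cases = [
    // Overwriting type, user input last: request values replace trusted ones.
    'EXTR_OVERWRITE, server/session/get' =>
        emulate([$server, $session, $get], EXTR_OVERWRITE),
    // Overwriting type, user input first: trusted values win, but only
    // because of the call order.
    'EXTR_OVERWRITE, get/session/server' =>
        emulate([$get, $session, $server], EXTR_OVERWRITE),
    // Non-overwriting type, trusted sources first: an existing name is
    // never replaced by a later source.
    'EXTR_SKIP, server/session/get' =>
        emulate([$server, $session, $get], EXTR_SKIP),
];

foreach ($cases as $label => $vars) {
    ksort($vars);
    echo $label, "\n", var_export($vars, true), "\n\n";
}
```

In every case `page`, which exists only in the request data, still becomes a variable; the extract type and order decide only which source wins when names collide.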
