Gmunky Posted April 22, 2009

Hi. Thanks in advance for all the input. Does anyone know if there are security issues emulating register globals by using the function extract($_REQUEST)? Is there a security issue with using extract($_REQUEST) when global variables is turned off?

premiso Posted April 22, 2009

Do not use register_globals. It is deprecated as of PHP 6 as it should have been from the get go. extract is better, but I would not use it on a SUPER GLOBAL. Just call the array index instead. It is faster than using a variable, and ensures more security.

But yes, extract would be more secure than leaving register_globals on. But extracting still poses a similar threat if your code is not done properly.

PFMaBiSmAd Posted April 22, 2009

Extract should only be used with the second parameter of EXTR_PREFIX_ALL and a unique prefix so that there is no chance of overwriting your existing program variables, like register_globals did.

Let us say the first thing your code on a page does is figure out who is logged in and/or who is an administrator on your site and sets a variable $admin = TRUE, then at some point later you extract($_REQUEST) and I am a hacker and visit your site with ?admin=TRUE on the end of the URL. I just became an administrator on your site.

You should also not use $_REQUEST because it combines POST/GET/COOKIE. Think of all the code that has not worked properly because someone forgot that they had a COOKIE by a specific name and they added a form a couple months later that tried to get a form to work that had a field with the same name. If you expect data in $_POST, use $_POST, if you expect data in $_GET, use $_GET, and if you expect data in $_COOKIE, use $_COOKIE. Using $_REQUEST also makes it easier for a hacker because he can just sit there changing parameters on the end of the URL in order to send your code various COOKIE values.
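
The overwrite described in the post above, next to the prefixed extract and the explicit array-index alternatives the replies recommend, as an added example that is not part of the original thread. The `$request` array is constructed sample input standing in for `$_REQUEST`, and `is_admin_session()` is a hypothetical stand-in for a real login check.

```php
<?php
// Constructed sample input: what $_REQUEST would hold for page.php?admin=TRUE&page=2
$request = ['admin' => 'TRUE', 'page' => '2'];

// Hypothetical stand-in for the site's real login/role check.
function is_admin_session(): bool
{
    return false; // this visitor is not an administrator
}

// Pattern from the question: a bare extract() on request data.
function unsafe_handler(array $request): array
{
    $admin = is_admin_session();
    // Default flag is EXTR_OVERWRITE: any key in $request replaces a
    // local variable of the same name, including $admin.
    extract($request);
    return ['admin' => $admin, 'page' => $page ?? null];
}

// EXTR_PREFIX_ALL with a unique prefix: keys become $req_admin, $req_page.
function prefixed_handler(array $request): array
{
    $admin = is_admin_session();
    extract($request, EXTR_PREFIX_ALL, 'req');
    // $admin still holds the result of the login check; the request's
    // "admin" key only exists as $req_admin and is never consulted.
    return ['admin' => $admin, 'page' => (int) ($req_page ?? 1)];
}

// Explicit index on the expected source array, with validation, no extract().
function explicit_handler(array $get): array
{
    $admin = is_admin_session();
    $page = filter_var(
        $get['page'] ?? 1,
        FILTER_VALIDATE_INT,
        ['options' => ['default' => 1, 'min_range' => 1]]
    );
    return ['admin' => $admin, 'page' => $page];
}

// Compare what each handler believes about the same request.
var_dump((bool) unsafe_handler($request)['admin']);
var_dump((bool) prefixed_handler($request)['admin']);
var_dump(explicit_handler($request));
```

Run with the PHP CLI; in a real page the argument to `explicit_handler()` would be `$_GET` (or `$_POST` / `$_COOKIE`, whichever source the value is expected from) rather than `$_REQUEST`.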