50r Posted November 6, 2012

Hello freaks, on my way to self-teaching OOP I have a tutorial that keeps using extract, and I have never seen this function used anywhere in all the PHP scripts that I have seen. So I was wondering if it's still a good idea to use it.

Jessica Posted November 6, 2012

Not really, no.

Zane Posted November 6, 2012

The function only acts as a convenience, there is no real benefit other than that. In my opinion, if you use extract you will lose track of where your variables come from. When I am coding I prefer to know whether it is a POST, SESSION, COOKIE, SERVER or GET variable whenever and wherever I use it.... unless I am creating a new variable with arithmetic purposes.... Such as

    $e = pow(($_POST['m'] * $_POST['c']), 2);

Edited November 6, 2012 by Zane

50r (Author) Posted November 6, 2012

Thanks Jessica and Zane, you come so quick on all my questions, thanks guys.

Barand Posted November 6, 2012

I wouldn't advise its use for $_POST or $_GET. In this case you may just as well have register_globals enabled (not recommended).

However, when it comes to something like

    $row = mysql_fetch_assoc($result);
    extract($row);

then it is far more convenient to

    echo "$id<br>";

than

    echo "{$row['id']}<br>";

jcbones Posted November 6, 2012

I do use it from time to time, but never for $_POST or $_GET. So I'm with Barand on this one.

kicken Posted November 7, 2012

I use it for my template system. Code a bit like:

    function DoTemplate($__file, $__vars){
        extract($__vars);
        include($__file);
    }

    DoTemplate('somefile.tpl', array(
        'title' => 'blah'
        , 'desc' => 'Some description'
    ));

Then in the template file I can just use the key names directly as variables:

    <html><head><title><?php echo $title; ?></title></head>
    <body>
    <h1><?php echo $title; ?></h1>
    <p><?php echo $desc; ?></p>
    </body>
    </html>

PFMaBiSmAd Posted November 7, 2012

I would only recommend it when you know the scope of what variables will be created/overwritten (kicken's example usage) or use it with one of the option flags/prefix that prevents overwriting existing variables.

What happens if you have a pagination script that sets up a variable named $page (or any other variable a script might be using - $user, $id, ...) and at some time in the future you or someone else working on the project needs to add a column named page to a database table or the column id in your table isn't the same meaning as the existing $id variable? Using extract on the data from the query just broke your script and you now have to troubleshoot (or remember) exactly where each variable is being set at.

50r (Author) Posted November 10, 2012

So it's not bad if I am not dealing with gets and post.

Andy123 Posted November 10, 2012

Personally I don't use it because I think it reduces the readability of the code. I like to clearly be able to identify where a variable came from. In the past I have worked with code that used extract() when fetching data from a database. While I can certainly see that it is convenient to use it in this situation, it also makes me - as a reader of the code, not the writer - have to check the column names of the query to see if they match a certain variable. Otherwise I'd have to figure out it has been injected into the current script somehow. To me the convenience does not justify the cost of readability, but maybe that's just me.

DavidAM Posted November 11, 2012

To expand on PFMaBiSmAd's answer: I would recommend not using it at all. If you really feel the need to use it, use the EXTR_PREFIX_ALL flag. This way you don't overwrite any existing variables, and the prefix can make it obvious where the variable came from:

    $row = mysql_fetch_assoc($res);
    // extract() inserts the underscore between prefix and key: id becomes $DB_id
    extract($row, EXTR_PREFIX_ALL, 'DB');
    echo 'UserID: ' . $DB_id;

PFMaBiSmAd Posted November 11, 2012

Here's an example where using extract on a database query result would open a security hole. What if you have a database table search form on your page that is open to SQL injection (it's only selecting data from your product/blog/news table after all, how dangerous could that be to your code?) By injecting

    SELECT ... 'value' AS some_variable_name ...

the extract() statement would cause PHP to do this -

    $some_variable_name = 'value';

This just allowed someone to set your $loggedin, $admin, $user_name, $user_id ... variable in your code to any value they wanted.

A person looking to save some typing by using extract is also likely to leave out escaping data being put into a query statement.

Edited November 11, 2012 by PFMaBiSmAd

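Added example, not part of any post in this thread: the variable collision PFMaBiSmAd describes (both the $page/$id case and the injected column alias), next to the EXTR_SKIP and EXTR_PREFIX_ALL flags and an explicit column allowlist. The row contents, the function names and the 'row' prefix are assumptions made up for the illustration.

```php
<?php
// Constructed sample: a row as mysql_fetch_assoc() would return it after an
// unexpected extra column named "admin" appeared in the result set.
$row = array('id' => '7', 'title' => 'Widget', 'admin' => '1');

// Default extract() (EXTR_OVERWRITE): row keys replace existing locals.
function render_overwrite(array $row) {
    $admin = false;   // set earlier by the login check
    $id    = 42;      // current user's id, unrelated to the row
    extract($row);
    return array('admin' => $admin, 'id' => $id);
}

// EXTR_SKIP: existing locals survive; only unused names are created.
function render_skip(array $row) {
    $admin = false;
    $id    = 42;
    $created = extract($row, EXTR_SKIP);   // number of variables actually set
    return array('admin' => $admin, 'id' => $id, 'created' => $created);
}

// EXTR_PREFIX_ALL: every key lands under "row_", so nothing collides.
function render_prefixed(array $row) {
    $admin = false;
    $id    = 42;
    extract($row, EXTR_PREFIX_ALL, 'row');
    return array('admin' => $admin, 'id' => $id,
                 'row_id' => $row_id, 'row_admin' => $row_admin);
}

// Allowlist: copy only the columns this code expects; extras are dropped.
function render_allowlist(array $row) {
    $admin    = false;
    $expected = array('id' => null, 'title' => null);
    $product  = array_intersect_key($row, $expected);
    return array('admin' => $admin, 'product' => $product);
}

// Compare what each variant leaves in $admin and $id.
var_dump(render_overwrite($row));
var_dump(render_skip($row));
var_dump(render_prefixed($row));
var_dump(render_allowlist($row));
```

Only the first variant lets the row decide the value of $admin; the other three keep the value the script set itself.
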