
Extract $_REQUEST Explain


signature16


it does exactly as you said it does...

 

 

don't do it...

 

 

do - not - do - it

 

 

you don't know what variables are in the REQUEST array, the hacker could put whatever variables he wanted in there... it will eat an insecure script alive...

extracting the request array is exactly, and I mean EXACTLY the same as register_globals http://php.net/register_globals

 

I hope you enjoyed my overreacting :D! it IS a big security problem though, so... yeah.... don't do it


This is just like register global ON for extract($_REQUEST).

 

extract is about arrays.

Suppose you have an array.

 

$any_array = array('fruit'=>'apple','icecreme'=>'chocalate','vegetable'=>'potato');

 

extract($any_array);

Now do this:

echo $fruit; // apple

echo $icecreme; //chocalate

echo $vegetable; // potato

 

In short, the key of the array will be the variable name and the value corresponding to the key will be the value of the variable.

 

extract

(PHP 3 >= 3.0.7, PHP 4, PHP 5)

 

extract -- Import variables into the current symbol table from an array

Description

int extract ( array var_array [, int extract_type [, string prefix]] )

 

 

This function is used to import variables from an array into the current symbol table. It takes an associative array var_array and treats keys as variable names and values as variable values. For each key/value pair it will create a variable in the current symbol table, subject to extract_type and prefix parameters.

 

Note: Beginning with version 4.0.5, this function returns the number of variables extracted.

 

Note: EXTR_IF_EXISTS and EXTR_PREFIX_IF_EXISTS were introduced in version 4.2.0.

 

Note: EXTR_REFS was introduced in version 4.3.0.

 

extract() checks each key to see whether it has a valid variable name. It also checks for collisions with existing variables in the symbol table. The way invalid/numeric keys and collisions are treated is determined by the extract_type. It can be one of the following values:

 

 

EXTR_OVERWRITE

If there is a collision, overwrite the existing variable.

 

EXTR_SKIP

If there is a collision, don't overwrite the existing variable.

 

EXTR_PREFIX_SAME

If there is a collision, prefix the variable name with prefix.

 

EXTR_PREFIX_ALL

Prefix all variable names with prefix. Beginning with PHP 4.0.5, this includes numeric variables as well.

 

EXTR_PREFIX_INVALID

Only prefix invalid/numeric variable names with prefix. This flag was added in PHP 4.0.5.

 

EXTR_IF_EXISTS

Only overwrite the variable if it already exists in the current symbol table, otherwise do nothing. This is useful for defining a list of valid variables and then extracting only those variables you have defined out of $_REQUEST, for example. This flag was added in PHP 4.2.0.

 

EXTR_PREFIX_IF_EXISTS

Only create prefixed variable names if the non-prefixed version of the same variable exists in the current symbol table. This flag was added in PHP 4.2.0.

 

EXTR_REFS

Extracts variables as references. This effectively means that the values of the imported variables are still referencing the values of the var_array parameter. You can use this flag on its own or combine it with any other flag by OR'ing the extract_type. This flag was added in PHP 4.3.0.

 

 

If extract_type is not specified, it is assumed to be EXTR_OVERWRITE.

 

Note that prefix is only required if extract_type is EXTR_PREFIX_SAME, EXTR_PREFIX_ALL, EXTR_PREFIX_INVALID or EXTR_PREFIX_IF_EXISTS. If the prefixed result is not a valid variable name, it is not imported into the symbol table. Prefixes are automatically separated from the array key by an underscore character.

 

extract() returns the number of variables successfully imported into the symbol table.

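How the extract_type flags quoted above behave when the array is request data, as an added example that is not part of the original posts. The `$request` array is constructed sample input standing in for `$_REQUEST`, and the function names are hypothetical.

```php
<?php
// Constructed stand-in for $_REQUEST; 'is_admin' is a key the form never had.
$request = ['username' => 'alice', 'page' => '2', 'is_admin' => '1'];

// Default EXTR_OVERWRITE: a request key replaces a variable the script set.
function import_overwrite(array $request): array
{
    $is_admin = false;                  // decided by the script's own logic
    extract($request);                  // request key 'is_admin' overwrites it
    return compact('username', 'page', 'is_admin');
}

// EXTR_SKIP protects existing variables only; any other key is still created,
// so a variable the script never initialised can come from the client.
function import_skip(array $request): array
{
    $page = 1;
    extract($request, EXTR_SKIP);       // $page kept, $is_admin created
    return ['page' => $page, 'is_admin' => $is_admin ?? false];
}

// EXTR_IF_EXISTS: declare the expected names first, import, and set sensitive
// state afterwards. Anything already in scope (including $request) can be
// overwritten, so the order matters.
function import_if_exists(array $request): array
{
    $username = null;
    $page = null;
    extract($request, EXTR_IF_EXISTS);  // 'is_admin' ignored: not declared yet
    $is_admin = false;
    return compact('username', 'page', 'is_admin');
}

// Without extract(): copy only an explicit allowlist of keys.
function import_allowlist(array $request): array
{
    $allowed = ['username' => null, 'page' => null];
    $input = array_intersect_key($request, $allowed) + $allowed;
    return $input + ['is_admin' => false];
}

foreach (['import_overwrite', 'import_skip', 'import_if_exists', 'import_allowlist'] as $fn) {
    echo str_pad($fn, 18), json_encode($fn($request)), PHP_EOL;
}
```

Only the last two functions leave `is_admin` under the script's control; the first two let the request decide it.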
