What is so wrong with extract()?

I was recently reading this thread, on some of the worst PHP practices. In the second answer there is a mini discussion on the use of extract(), and I'm just wondering what all the huff is about.

I personally use it to chop up a given array such as $_GET or $_POST where I then sanitize the variables later, as they have been conveniently named for me.

Is this bad practice? What is the risk here? What are your thoughts on the use of extract()?

barfoon asked May 06 '09 12:05



2 Answers

I find that it is only bad practice in that it can lead to a number of variables which future maintainers (or yourself in a few weeks) have no idea where they're coming from. Consider this scenario:

    extract($someArray); // could be $_POST or anything

    /* snip a dozen or more lines */

    echo $someVariable;

Where did $someVariable come from? How can anyone tell?

I don't see the problem in accessing the variables from within the array they started in, so you'd really need to present a good case for using extract() for me to think it's worth it. If you're really concerned about typing out some extra characters then just do this:

    $a = $someLongNameOfTheVariableArrayIDidntWantToType;
    $a['myVariable'];

I think the comments here on the security aspects of it are overblown somewhat. The function can take a second parameter that actually gives you fairly good control over the newly created variables, including not overwriting any existing variables (EXTR_SKIP), ONLY overwriting existing variables (so you can create a whitelist) (EXTR_IF_EXISTS), or adding prefixes to the variables (EXTR_PREFIX_ALL).

nickf answered Sep 20 '22 17:09
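An added example (not code from the thread or from either answerer) showing the variable-clobbering risk the answer above alludes to, and how the three flags it names change the behaviour. $request is a constructed stand-in for $_GET or $_POST, with a key deliberately chosen to collide with application state; the function names are hypothetical.

```php
<?php
// Constructed request data standing in for $_GET / $_POST. The 'isAdmin' key
// collides with a local variable the application sets before reading input.
$request = ['username' => 'alice', 'isAdmin' => '1', 'page' => '2'];

// Default flag (EXTR_OVERWRITE): an input key silently replaces an existing local.
function withDefault(array $in): bool
{
    $isAdmin = false;          // application state decided before input is read
    extract($in);              // 'isAdmin' => '1' overwrites it
    return (bool) $isAdmin;    // true: the privilege flag now came from the request
}

// EXTR_SKIP: existing variables keep their value; only new names are created.
function withSkip(array $in): bool
{
    $isAdmin = false;
    extract($in, EXTR_SKIP);
    return (bool) $isAdmin;    // false: the request could not touch it
}

// EXTR_IF_EXISTS: only names that already exist are assigned, so the
// declarations below act as an allow-list. 'isAdmin' is never declared here,
// so the request key is ignored and no such variable is created.
function withIfExists(array $in): array
{
    $username = null;
    $page = 1;
    $count = extract($in, EXTR_IF_EXISTS);   // returns the number of variables set
    return [
        'username' => $username,             // 'alice'
        'page'     => (int) $page,           // 2
        'set'      => $count,                // 2
        'isAdmin'  => isset($isAdmin),       // false
    ];
}

// EXTR_PREFIX_ALL: every imported name gets the prefix plus an underscore,
// so nothing collides with existing locals and a reader can see at a glance
// which variables originated in the request.
function withPrefix(array $in): array
{
    $isAdmin = false;
    extract($in, EXTR_PREFIX_ALL, 'req');
    return [
        'isAdmin'     => $isAdmin,       // false, untouched
        'req_isAdmin' => $req_isAdmin,   // '1', clearly marked as request data
        'req_page'    => $req_page,      // '2'
    ];
}

var_dump(withDefault($request));
var_dump(withSkip($request));
print_r(withIfExists($request));
print_r(withPrefix($request));
```

Of the three, EXTR_IF_EXISTS is the closest to a true allow-list because the set of variables that can be written is exactly the set you declared beforehand; EXTR_SKIP only protects names that happen to exist already, so a key you did not anticipate still becomes a new variable.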


Come on now. People blame the tool instead of the user.

That's like talking against unlink() because you can delete files with it. extract() is a function like any other, use it wisely and responsibly. But don't claim it's bad per se, that's just ignorant.

dr Hannibal Lecter answered Sep 20 '22 17:09