Date: Fri, 15 Sep 2017 22:41:27 +0200
From: ilija.tovilo@me.com
To: PHP internals, Stanislav Malyshev
Subject: Re: [PHP-DEV] [RFC] Deprecate the extract function in PHP 7.3

Hi Stas

Dangerous meaning that if given untrusted input someone could mess with the behaviour of your code. There are risks and benefits to every solution. Certainly you’d agree that in some cases the risks outweigh the benefits.

As Sara pointed out, this might not be the case here as there’s no obvious way of mimicking `extract`'s behaviour without introducing at least one local variable that could be overwritten.

Thanks for the feedback everybody!

Regards

On 15 Sep 2017, 22:10 +0200, Stanislav Malyshev wrote:
> Hi!
>
> > As a second parameter the `extract` function takes some options to
> > make this function less dangerous, like `EXTR_SKIP` that
>
> I'd start with specifying what exactly is "dangerous" in this function.
> So far I don't see any specific danger. You can shoot yourself in the
> foot, so you can with many other tools in the language.
>
> > I seriously doubt the usefulness of this function, especially looking
> > at the potential risks. The fact that overwriting the local variables
>
> Which risks? This function is used by real-life code, and unless you do
> something like extract($_GET) in global scope I don't see any problem.
> With extract($_GET) we could then also propose to remove all file
> functions because fopen($_GET['filename']) or unlink($_GET['filename'])
> are also dangerous. But if you use it properly, I don't see what "risks"
> are there.
>
> > Any thoughts?
>
> -1 so far, I don't see what problem you are trying to solve.
>
> --
> Stas Malyshev
> smalyshev@gmail.com
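
The local-variable overwrite debated in this thread, and the `EXTR_SKIP` option it mentions, as an added PHP example that is not part of the original messages. The `$untrusted` array, the `$isAdmin` flag and the function names are constructed for illustration, and the example goes beyond the thread by also showing `EXTR_PREFIX_ALL` and a key allow-list.

```php
<?php
// Constructed sample standing in for request data such as $_GET.
$untrusted = ['name' => 'guest', 'isAdmin' => true];

// Default flag (EXTR_OVERWRITE): a key named like an existing local replaces it.
function overwrite(array $input): bool {
    $isAdmin = false;
    extract($input);
    return $isAdmin;
}

// EXTR_SKIP: locals that already exist when extract() runs are left alone.
function skip(array $input): bool {
    $isAdmin = false;
    extract($input, EXTR_SKIP);
    return $isAdmin;
}

// EXTR_SKIP gives no protection to a variable that is first assigned
// after the call: the imported value is already in scope by then.
function skipTooLate(array $input): bool {
    extract($input, EXTR_SKIP);
    if (!isset($isAdmin)) {
        $isAdmin = false;
    }
    return $isAdmin;
}

// EXTR_PREFIX_ALL: imported names become $in_name and $in_isAdmin,
// so they cannot collide with unprefixed locals.
function prefixed(array $input): bool {
    $isAdmin = false;
    extract($input, EXTR_PREFIX_ALL, 'in');
    return $isAdmin;
}

// Allow-list: only the expected keys reach extract() at all.
function allowListed(array $input): bool {
    $isAdmin = false;
    extract(array_intersect_key($input, array_flip(['name'])));
    return $isAdmin;
}

foreach (['overwrite', 'skip', 'skipTooLate', 'prefixed', 'allowListed'] as $fn) {
    printf("%-12s isAdmin = %s\n", $fn, var_export($fn($untrusted), true));
}
```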