Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:100654
Return-Path: <ilija.tovilo@me.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 73018 invoked from network); 15 Sep 2017 21:22:38 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 15 Sep 2017 21:22:38 -0000
Authentication-Results: pb1.pair.com header.from=ilija.tovilo@me.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=ilija.tovilo@me.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain me.com designates 17.142.194.252 as permitted sender)
X-PHP-List-Original-Sender: ilija.tovilo@me.com
X-Host-Fingerprint: 17.142.194.252 pv33p00im-asmtp003.me.com  
Received: from [17.142.194.252] ([17.142.194.252:59828] helo=pv33p00im-asmtp003.me.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id CD/B8-19300-D944CB95 for <internals@lists.php.net>; Fri, 15 Sep 2017 17:22:38 -0400
Received: from process-dkim-sign-daemon.pv33p00im-asmtp003.me.com by
 pv33p00im-asmtp003.me.com
 (Oracle Communications Messaging Server 8.0.1.2.20170607 64bit (built Jun  7
 2017)) id <0OWC00500ACKCQ00@pv33p00im-asmtp003.me.com> for
 internals@lists.php.net; Fri, 15 Sep 2017 21:22:34 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=me.com; s=04042017;
	t=1505510554; bh=VJz5gzZV2J20UrkOyIrGMBKTGXNSE+VtlYUFyKaciWc=;
	h=Date:From:To:Message-id:Subject:MIME-version:Content-type;
	b=jkhWtH90RHRytLjxrFxMQu8OefK67/lbcpsyfCngc/71/BOktgbv9JyejgE02jQkI
 pvxiMUe/xvQczjpzJnpyX/3HDAj2dncI0B7Q7EDKg748mRexO+Eb6+7AThI4I3ZgZw
 SwkP0AOluHQc3BYoK8eIQWYbK1NAUOrIZzJoE6L2IXBDiCJ57HR/1bZR7vZhCasLfo
 +5fqBOntdV7FqiHJ1tBZMpv/v30s+ebCORgd4TEHNoWrlP25297jNALZmbS4JrJdD7
 p2QaewFwrrDV0yo+Q/+NWo5JQUlGkG9zcX6W5cX2lSn0LFxlC5UpiIJkqSyt6Ar5m4
 ZsOj2eLXYWuRw==
Received: from icloud.com ([127.0.0.1]) by pv33p00im-asmtp003.me.com
 (Oracle Communications Messaging Server 8.0.1.2.20170607 64bit (built Jun  7
 2017)) with ESMTPSA id <0OWC00L6EBDHEH30@pv33p00im-asmtp003.me.com>; Fri,
 15 Sep 2017 21:22:32 +0000 (GMT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,,
 definitions=2017-09-15_08:,, signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
 clxscore=1015 suspectscore=32 malwarescore=0 phishscore=0 adultscore=0
 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.0.1-1707230000 definitions=main-1709150314
Date: Fri, 15 Sep 2017 23:20:50 +0200
To: PHP internals <internals@lists.php.net>,
 Stanislav Malyshev <smalyshev@gmail.com>
Message-ID: <d35d5584-4656-451a-a562-1b7beee6a038@Spark>
In-reply-to: <f4544abc-4e74-d3da-470d-4f86bfd56ab8@gmail.com>
References: <097578bf-ab74-44cf-a465-dc6fdd50930f@Spark>
 <a25a7575-e355-40eb-7977-e55145726085@gmail.com>
 <9464fa46-8a8e-49ab-82e0-21954dd75aed@Spark>
 <f4544abc-4e74-d3da-470d-4f86bfd56ab8@gmail.com>
X-Readdle-Message-ID: d35d5584-4656-451a-a562-1b7beee6a038@Spark
MIME-version: 1.0
Content-type: multipart/alternative; boundary=59bc4493_6b8b4567_7ae1
Subject: Re: [PHP-DEV] [RFC] Deprecate the extract function in PHP 7.3
From: ilija.tovilo@me.com

--59bc4493_6b8b4567_7ae1
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

> no, as there is no special risks

There certainly is. No other function (as far as I=E2=80=99m aware) mutat=
es your local symbol table. This means you need to know exactly what symb=
ols are defined and what kind of data you=E2=80=99ll receive when calling=
 =60extract=60. So basically this is only safe right at the beginning of =
your function, and even then it can override your other parameters. Even =
with trusted data this can hardly be considered safe.

=60=60=60
function foo(array =24data, =24bar) =7B
=C2=A0 =C2=A0 extract(=24data);
=C2=A0 =C2=A0 print(=24bar);
=7D

=24this->foo(=5B'bar' =3D> 'baz'=5D, 'bar=E2=80=99); // =E2=80=9Cbaz=22
=60=60=60

Regards


On 15 Sep 2017, 23:05 +0200, Stanislav Malyshev <smalyshev=40gmail.com>, =
wrote:
> Hi=21
>
> > Dangerous meaning that if given untrusted input someone could mess wi=
th
> > the behaviour of your code. There are risks and benefits to every
>
> Same as many other functions. Given untrusted input, unlink() could
> delete files on your hard drive, and file=5Fput=5Fcontents() could over=
write
> your data or send it to unauthorized party. That's not the reason to
> remove these functions.
>
> > solution. Certainly you=E2=80=99d agree that in some cases the risks =
outweigh
> > the benefits.
>
> In some cases, yes. In this case, no, as there is no special risks not
> existing in many other functions. Any function that has side effects
> could do something unexpected when you give it unexpected input. Since
> we're not converting PHP to be purely functional language just yet, the=

> solution is to use functions correctly, not remove them.
> --
> Stas Malyshev
> smalyshev=40gmail.com

--59bc4493_6b8b4567_7ae1--