From 71ff7bc597b1c57f75228ad725ec98a419473fe2 Mon Sep 17 00:00:00 2001
From: Stefan Walk <et@php.net>
Date: Fri, 30 Jan 2004 18:09:45 +0000
Subject: [PATCH] Add security warning

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@150175 c90b9560-bf6c-de11-be94-00142212c4b1
---
 reference/array/functions/extract.xml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/reference/array/functions/extract.xml b/reference/array/functions/extract.xml
index bb9782ec4d..078ba19d61 100644
--- a/reference/array/functions/extract.xml
+++ b/reference/array/functions/extract.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.12 $ -->
+<!-- $Revision: 1.13 $ -->
 <!-- splitted from ./en/functions/array.xml, last change in rev 1.2 -->
   <refentry id="function.extract">
    <refnamediv>
@@ -147,6 +147,17 @@
      <function>extract</function> returns the number of variables
      successfully imported into the symbol table.
     </para>
+    <warning>
+     <para>
+      Do not use extract on untrusted data, like user-input ($_GET, ...).
+      If you do it, for example if you want to run old code that relies on
+      <link linkend="security.registerglobals">""register_globals</link>
+      temporarily, make sure you use one of the non-overwriting 
+      <parameter>extract_type</parameter>s like EXTR_SKIP, and be aware that 
+      you should now extract $_SERVER, $_SESSION, $_COOKIE, $_POST and $_GET 
+      in that order.
+     </para>
+    </warning>
     <para>
      A possible use for <function>extract</function> is to import into the
      symbol table variables contained in an associative array returned by