From 8a0492f839c957aa893b5374d71f26373ff712e6 Mon Sep 17 00:00:00 2001 From: Torben Wilson Date: Fri, 28 Aug 2009 06:43:30 +0000 Subject: [PATCH] Documented what happens when you use extract() on $_FILES with EXTR_SKIP when register_globals is turned on. Also noted that good coding practice means you should never see this. Addresses Bug #45283. Also fixed some minor grammatical problems. git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@287827 c90b9560-bf6c-de11-be94-00142212c4b1 --- reference/array/functions/extract.xml | 95 +++++++++++++++++++++++++-- 1 file changed, 90 insertions(+), 5 deletions(-) diff --git a/reference/array/functions/extract.xml b/reference/array/functions/extract.xml index 0d7a53875d..5c4ad87a49 100644 --- a/reference/array/functions/extract.xml +++ b/reference/array/functions/extract.xml @@ -37,7 +37,7 @@ prefix parameters. - You must use an associative array, a numerically indexed array + You must use an associative array; a numerically indexed array will not produce results unless you use EXTR_PREFIX_ALL or EXTR_PREFIX_INVALID. @@ -232,7 +232,7 @@ blue, large, sphere, medium ]]> - The $size wasn't overwritten, because we specified + The $size wasn't overwritten because we specified EXTR_PREFIX_SAME, which resulted in $wddx_size being created. If EXTR_SKIP was specified, then $wddx_size wouldn't even have been created. @@ -249,9 +249,11 @@ blue, large, sphere, medium &reftitle.notes; - Do not use extract on untrusted data, like user-input - ($_GET, ...). If you do, for example, if you want to run old code that - relies on register_globals + Do not use extract on untrusted data, like + user input + (i.e. $_GET, $_FILES, etc.). + If you do, for example if you want to run old code that relies + on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract 
@@ -260,6 +262,89 @@ blue, large, sphere, medium &php.ini;. + + + If you + have register_globals + turned on and you use extract + on $_FILES and + specify EXTR_SKIP, you may be surprised at + the results. + + + + This is not recommended practice and is only documented here for + completeness. The use + of register_globals is + deprecated and calling extract on untrusted + data such as $_FILES is, as noted above, a + potential security risk. If you encounter this issue, it means + that you are using at least two poor coding practices. + + + + +]]> + + + You might expect to see something like the following: + + + + string(10) "somefile.txt" + ["type"]=> + string(24) "application/octet-stream" + ["tmp_name"]=> + string(14) "/tmp/phpgCCPX8" + ["error"]=> + int(0) + ["size"]=> + int(4208) +} +string(14) "/tmp/phpgCCPX8" +]]> + + + However, you would instead see something like this: + + + + + + This is due to the fact that + since register_globals is + turned on, $testfile already exists in the + global scope when extract is called. And + since EXTR_SKIP is + specified, $testfile is not overwritten with + the contents of the $_FILES array + so $testfile remains a string. + Because strings may + be accessed using array syntax and a the non-numeric string + tmp_name is interpreted + as 0, PHP + sees $testfile['tmp_name'] + as $testfile[0]. + + &reftitle.seealso;
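Review bot: in the third hunk (the &reftitle.notes; paragraph), "(i.e. $_GET, $_FILES, etc.)" should read "(e.g. $_GET, $_FILES, etc.)": $_GET and $_FILES are examples of untrusted input, not the complete list, and "i.e." combined with "etc." contradicts itself. While touching that sentence, the run-on "If you do, for example if you want to run old code that relies on register_globals temporarily, make sure you use ..." reads better with the example set off: "If you do (for example, to run old code that relies on register_globals temporarily), use one of the non-overwriting extract_type values such as EXTR_SKIP ...". It would also help the reader to say what the "potential security risk" actually is: extracting request data lets the client choose variable names in the current scope, and EXTR_SKIP only stops existing variables from being overwritten; it does not stop new, attacker-named variables from being created.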
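Review bot: in the fourth hunk (the new register_globals/$_FILES note), the closing explanation has a typo, "array syntax and a the non-numeric string tmp_name", which should be "array syntax and the non-numeric string tmp_name". The same paragraph would be more useful if it stated the practical consequence of "PHP sees $testfile['tmp_name'] as $testfile[0]": the caller gets the first character of the string rather than the temporary file path, so anything that passes $testfile['tmp_name'] on to a file operation is working with a one-character path. Since silently treating a non-numeric string offset as 0 is version-specific behaviour, the note should also say which PHP version the shown output was produced with, so the example can be re-verified when that behaviour changes.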