1.2.215. Configure Extract

The extract() function overwrites local variables when left unconfigured.

extract() imports variables from an array into the local scope. In case of a conflict, that is, when a local variable of the same name already exists, it overwrites that variable.

In fact, extract() may be configured to handle the situation differently: it may skip the conflicting variable, prefix it, prefix it only if it already exists, import only the variables that overwrite an existing one… It may also import them as references to the original values.

This analysis reports extract() when it is not configured explicitly. If overwriting is the intended objective and EXTR_OVERWRITE is passed explicitly, it is not reported. Always avoid using extract() on untrusted sources, such as $_GET, $_POST, $_FILES, or even database records.

<?php

// ignore conflicting variables: existing locals are kept
extract($array, EXTR_SKIP);

// prefix all imported variables explicitly with 'php_'
extract($array, EXTR_PREFIX_ALL, 'php_');

// overwrite variables explicitly: not reported, the intent is visible
extract($array, EXTR_OVERWRITE);

// overwrite variables implicitly (the default): do we really want that?
// this is the call the analysis reports
extract($array);

?>
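The following is an added example, not code from the Exakat documentation or from the projects it lists, showing why an unconfigured extract() is worth flagging and what the explicit flags change when an incoming key collides with a local. The $request array is constructed here to stand in for untrusted input such as $_GET; the function names are hypothetical.

```php
<?php
// Added example (not Exakat's own code). $request is a constructed array
// standing in for untrusted input such as $_GET or $_POST.

// Unconfigured call: the second argument defaults to EXTR_OVERWRITE, so a
// request key named 'isAdmin' silently replaces the local default.
function renderUnconfigured(array $request): bool
{
    $isAdmin = false;      // local default the rest of the function relies on
    extract($request);     // reported by Security/ConfigureExtract
    return $isAdmin;       // now reflects whatever the request carried
}

// EXTR_SKIP: keys that collide with an existing local are ignored, so the
// local default survives no matter what the request contains.
function renderSkip(array $request): bool
{
    $isAdmin = false;
    extract($request, EXTR_SKIP);
    return $isAdmin;
}

// EXTR_PREFIX_ALL: every imported key is namespaced ($req_page, $req_isAdmin),
// so imported values cannot shadow locals and their origin stays visible.
function renderPrefixed(array $request): array
{
    $isAdmin = false;
    extract($request, EXTR_PREFIX_ALL, 'req');
    return [
        'local'    => $isAdmin,
        'imported' => $req_isAdmin ?? null, // only set if the request sent it
    ];
}

// Constructed request: a harmless key plus one that collides with a local.
$request = ['page' => 'home', 'isAdmin' => true];

var_dump(renderUnconfigured($request));
var_dump(renderSkip($request));
var_dump(renderPrefixed($request));
```

With this input the unconfigured call returns the request's value rather than the local default, the EXTR_SKIP variant keeps the default, and the prefixed variant keeps the default while exposing the request value only under its prefixed name. The third form is the easiest to audit: a grep for `$req_` shows every place request data is read.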

See also extract.

1.2.215.1. Suggestions

  • Always use the second argument of extract(), and avoid using EXTR_OVERWRITE

1.2.215.2. Specs

Short name: Security/ConfigureExtract

Rulesets: All, Security

Exakat since: 1.2.9

PHP Version: All

Severity: Minor

Time To Fix: Instant (5 mins)

Precision: Very high

Features: extract, variable

Examples: Zurmo, Dolibarr

Available in: Enterprise Edition, Exakat Cloud