What is so wrong with extract()?


Question

I was recently reading this thread (http://stackoverflow.com/questions/233030/worst-php-practice-found-in-your-experience/233746), on some of the worst PHP practices. In the second answer there is a mini discussion on the use of extract(), and I'm just wondering what all the huff is about.

I personally use it to chop up a given array such as $_GET or $_POST, where I then sanitize the variables later, as they have been conveniently named for me.

Is this bad practice? What is the risk here? What are your thoughts on the use of extract()?

Thank you,

Recommended answer

I find that it is only bad practice in that it can lead to a number of variables which future maintainers (or yourself in a few weeks) have no idea where they're coming from. Consider this scenario:

extract($someArray); // could be $_POST or anything

/* snip a dozen or more lines */

echo $someVariable;

Where did $someVariable come from? How can anyone tell?

I don't see the problem in accessing the variables from within the array they started in, so you'd really need to present a good case for using extract() for me to think it's worth it. If you're really concerned about typing out some extra characters, then just do this:

$a = $someLongNameOfTheVariableArrayIDidntWantToType;

$a['myVariable'];

I think the comments here on the security aspects of it are overblown somewhat. The function can take a second parameter that actually gives you fairly good control over the newly created variables, including not overwriting any existing variables (EXTR_SKIP), ONLY overwriting existing variables (so you can create a whitelist) (EXTR_IF_EXISTS), or adding prefixes to the variables (EXTR_PREFIX_ALL).
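As an added example (not code from the original answer), the following PHP shows the variable clobbering that the "security aspects" refer to and each of the three flags the answer names. $request is a constructed stand-in for $_GET or $_POST, and the function names are my own.

```php
<?php
// Constructed request array standing in for $_GET / $_POST. Note that one
// key shares its name with a local variable the code relies on.
$request = [
    'page'    => 'home',
    'isAdmin' => '1',
    'qty'     => '3',
];

// 1. Default flag (EXTR_OVERWRITE): every key becomes a variable and
//    silently replaces any local of the same name.
function unsafeDefault(array $request): bool
{
    $isAdmin = false;          // decided earlier, e.g. from the session
    extract($request);         // $isAdmin is now the string '1'
    return (bool) $isAdmin;    // true: the decision is now request-controlled
}

// 2. EXTR_SKIP: existing locals win; only genuinely new names are created.
function skipExisting(array $request): array
{
    $isAdmin = false;
    extract($request, EXTR_SKIP);
    return ['isAdmin' => $isAdmin, 'page' => $page];   // false, 'home'
}

// 3. EXTR_IF_EXISTS: only names that already exist are written, so
//    pre-declaring the accepted names acts as a whitelist.
function whitelisted(array $request): array
{
    $page = 'home';
    $qty  = 0;                 // the only two names we are willing to accept
    extract($request, EXTR_IF_EXISTS);
    return ['page' => $page, 'qty' => $qty, 'isAdmin' => isset($isAdmin)]; // 'home', '3', false
}

// 4. EXTR_PREFIX_ALL: every key gets a prefix, so nothing collides with
//    locals and the origin of each variable is visible where it is used.
function prefixed(array $request): array
{
    $isAdmin = false;
    extract($request, EXTR_PREFIX_ALL, 'req');
    return ['isAdmin' => $isAdmin, 'req_page' => $req_page];   // false, 'home'
}

var_dump(unsafeDefault($request), skipExisting($request), whitelisted($request), prefixed($request));
```

Note that even with EXTR_IF_EXISTS the extracted values are still untrusted strings (qty arrives as '3', not 3), so the flags control which variables get written, not whether their contents are safe.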
