What is so wrong with extract()?


Question

I was recently reading this thread, on some of the worst PHP practices. In the second answer there is a mini discussion on the use of extract(), and I'm just wondering what all the huff is about.

I personally use it to chop up a given array such as $_GET or $_POST, where I then sanitize the variables later, as they have been conveniently named for me.

Is this bad practice? What is the risk here? What are your thoughts on the use of extract()?

Recommended answer

I find that it is only bad practice in that it can lead to a number of variables which future maintainers (or yourself in a few weeks) have no idea where they're coming from. Consider this scenario:

extract($someArray); // could be $_POST or anything

/* snip a dozen or more lines */

echo $someVariable;

Where did $someVariable come from? How can anyone tell?

I don't see the problem in accessing the variables from within the array they started in, so you'd really need to present a good case for using extract() for me to think it's worth it. If you're really concerned about typing out some extra characters, then just do this:

$a = $someLongNameOfTheVariableArrayIDidntWantToType; // short alias for the array

echo $a['myVariable']; // still obvious where the value comes from

I think the comments here on the security aspects of it are overblown somewhat. The function can take a second parameter that actually gives you fairly good control over the newly created variables, including not overwriting any existing variables (EXTR_SKIP), ONLY overwriting existing variables (so you can create a whitelist) (EXTR_IF_EXISTS), or adding prefixes to the variables (EXTR_PREFIX_ALL).
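The following script is an added example, not code from the question or the answer above; it shows what each of the extract() flags the answer mentions actually does when request-shaped data is extracted into a scope that already holds application state. The input array, the `isAdmin` key, and the function names are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample request data standing in for $_POST (not a real request).
// The 'isAdmin' key is the interesting one: the sender of a request chooses the keys.
const SAMPLE_INPUT = ['username' => 'alice', 'page' => '2', 'isAdmin' => '1'];

// 1. Plain extract(): every array key becomes a local variable. The untrusted
//    'isAdmin' key silently overwrites the application's own $isAdmin.
function plainExtract(array $input): array
{
    $isAdmin = false;                 // application state, should stay false
    $count = extract($input);         // returns the number of variables set
    return ['count' => $count, 'isAdmin' => $isAdmin];
}

// 2. EXTR_SKIP: keys that collide with an existing variable are ignored, so
//    $isAdmin keeps its value; new names such as $username are still created.
function skipExtract(array $input): array
{
    $isAdmin = false;
    $count = extract($input, EXTR_SKIP);
    return ['count' => $count, 'isAdmin' => $isAdmin, 'username' => $username ?? null];
}

// 3. EXTR_IF_EXISTS: only variables that already exist are overwritten.
//    Declaring the expected names up front turns this into an explicit
//    whitelist; 'isAdmin' is never declared here, so it is never created.
function whitelistExtract(array $input): array
{
    $username = null;
    $page = '1';
    $count = extract($input, EXTR_IF_EXISTS);
    return [
        'count' => $count,
        'username' => $username,
        'page' => $page,
        'isAdminCreated' => isset($isAdmin),
    ];
}

// 4. EXTR_PREFIX_ALL: every key gets a prefix ($req_username, $req_isAdmin, ...),
//    so request data can never shadow application variables. The values still
//    have to be validated before use; the prefix only prevents name collisions.
function prefixedExtract(array $input): array
{
    $isAdmin = false;
    $count = extract($input, EXTR_PREFIX_ALL, 'req');
    $page = filter_var($req_page ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return [
        'count' => $count,
        'isAdmin' => $isAdmin,
        'req_isAdmin' => $req_isAdmin ?? null,
        'page' => $page === false ? null : $page,
    ];
}

// Run each variant on the same constructed input and print the outcome.
foreach (['plainExtract', 'skipExtract', 'whitelistExtract', 'prefixedExtract'] as $fn) {
    printf("%-17s %s\n", $fn . ':', json_encode($fn(SAMPLE_INPUT)));
}
```

Running it shows the difference at a glance: the plain call reports three variables set and `$isAdmin` equal to `"1"`, while EXTR_SKIP and EXTR_PREFIX_ALL leave `$isAdmin` at `false`, and EXTR_IF_EXISTS never creates it at all. The prefixed variant also shows why the flags are only half the story: `$req_page` is still a string from the request until it is validated.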

