Comments on: The Problem With ‘extract’ http://www.sitepoint.com/blogs/2005/08/15/the-problem-with-extract/ News, opinion, and fresh thinking for web developers and designers. The official podcast of sitepoint.com. Mon, 23 Nov 2009 05:10:48 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Design By Tim » Blog Archive » Rethinking extract() By Convention http://www.sitepoint.com/blogs/2005/08/15/the-problem-with-extract/comment-page-1/#comment-12946 Design By Tim » Blog Archive » Rethinking extract() By Convention Fri, 20 Jan 2006 13:53:27 +0000 1662916895#comment-12946 [...] Since posting Learn To extract(); I have gotten a lot of great criticism that has helped me revise my thinking of the uses for extract(). Along with reading The Problem With ‘extract’ on SitePoint - here is my conclusion to when/where to use extract. Thanks to Danny, Oscar, Sandy, Ed, and Mitchell for their insights on the proper use of extract(). [...] [...] Since posting Learn To extract(); I have gotten a lot of great criticism that has helped me revise my thinking of the uses for extract(). Along with reading The Problem With ‘extract’ on SitePoint – here is my conclusion to when/where to use extract. Thanks to Danny, Oscar, Sandy, Ed, and Mitchell for their insights on the proper use of extract(). [...]

]]> By: SitePoint Blogs » Blog Archive » How Readable is Your PHP? http://www.sitepoint.com/blogs/2005/08/15/the-problem-with-extract/comment-page-1/#comment-8258 SitePoint Blogs » Blog Archive » How Readable is Your PHP? Thu, 25 Aug 2005 05:03:36 +0000 1662916895#comment-8258 [...] One of the entries is titled Every variable should start somewhere. In a previous blog post, I mentioned how frustrating it was to be trying to read some code and asking yourself, ‘Where does this variable come from?!’. Alan labels PHP language constructs such as extract and eval as ‘evil’ because they disguise and obfuscate code. That isn’t news. However he makes a valid point–that using these types of shortcuts is not a security problem in itself–the security problem occurs when your code is too hard to understand and you inadvertently introduce additional problems. [...] [...] One of the entries is titled Every variable should start somewhere. In a previous blog post, I mentioned how frustrating it was to be trying to read some code and asking yourself, ‘Where does this variable come from?!’. Alan labels PHP language constructs such as extract and eval as ‘evil’ because they disguise and obfuscate code. That isn’t news. However he makes a valid point–that using these types of shortcuts is not a security problem in itself–the security problem occurs when your code is too hard to understand and you inadvertently introduce additional problems. [...]

]]> By: Vaska http://www.sitepoint.com/blogs/2005/08/15/the-problem-with-extract/comment-page-1/#comment-8185 Vaska Sun, 21 Aug 2005 11:39:25 +0000 1662916895#comment-8185 I was THE particular author and I made a mistake. Writing that article got a little messy as originally it wanted to be something else. As you will notice, we pulled tip #5 from part two as it never should have been there...there was already a tip #5 in part one. Originally there were 15 tips and my plan was to use the best 10. As the previous poster surmises, I too believe that extract() is best used 'under controlled cirucumstances'. The example that I gave, with globals, was simply not a good one. One of the things that I really valued a few years ago (well, I still do) are the discussions surrounding proper and improper use of various concepts. It's darn informative - if you can follow along. Originally, the article in question had a working title of 'Problems of Style' that wanted to point out these things (the 10 tips) so that newbs could better recognize the variations because everybody does things slightly differently. However, some methods are certainly better than others. ;) I was THE particular author and I made a mistake. Writing that article got a little messy as originally it wanted to be something else. As you will notice, we pulled tip #5 from part two as it never should have been there…there was already a tip #5 in part one. Originally there were 15 tips and my plan was to use the best 10.

As the previous poster surmises, I too believe that extract() is best used ‘under controlled cirucumstances’. The example that I gave, with globals, was simply not a good one.

One of the things that I really valued a few years ago (well, I still do) are the discussions surrounding proper and improper use of various concepts. It’s darn informative – if you can follow along. Originally, the article in question had a working title of ‘Problems of Style’ that wanted to point out these things (the 10 tips) so that newbs could better recognize the variations because everybody does things slightly differently. However, some methods are certainly better than others. ;)

]]> By: Dorsey http://www.sitepoint.com/blogs/2005/08/15/the-problem-with-extract/comment-page-1/#comment-8164 Dorsey Sat, 20 Aug 2005 01:53:27 +0000 1662916895#comment-8164 I use extract() under controlled conditions such as the previous one, where I'm putting the values from a result set into local variables for convenience. I fail to see the confusion here: the SELECT statement clearly lists the variable names; my old buddy extract() saves me the effort of decorating the variable names with $row['column_name'] everywhere. I do NOT use this on any of the globals, as I said, but only under controlled circumstances, and enjoy the convenience it offers. I use extract() under controlled conditions such as the previous one, where I’m putting the values from a result set into local variables for convenience. I fail to see the confusion here: the SELECT statement clearly lists the variable names; my old buddy extract() saves me the effort of decorating the variable names with $row['column_name'] everywhere. I do NOT use this on any of the globals, as I said, but only under controlled circumstances, and enjoy the convenience it offers.

]]> By: Ramon Sosa http://www.sitepoint.com/blogs/2005/08/15/the-problem-with-extract/comment-page-1/#comment-8149 Ramon Sosa Fri, 19 Aug 2005 15:39:52 +0000 1662916895#comment-8149 I personally use extract in: 1){ while($row=mysql_fetch_assoc($result)){ extract($row); include 'letter_to_clients_tpl.php'; } } ?> ///letter_to_clients_tpl.php //Begin Template Dear customer: Some notificacions. Sincerely.. //End template I personally use extract in:
1){
while($row=mysql_fetch_assoc($result)){
extract($row);
include ‘letter_to_clients_tpl.php’;
}

}
?>

///letter_to_clients_tpl.php
//Begin Template

Dear customer:

Some notificacions.

Sincerely..

//End template

]]> By: Etnu http://www.sitepoint.com/blogs/2005/08/15/the-problem-with-extract/comment-page-1/#comment-2385 Etnu Tue, 30 Nov 1999 00:00:00 +0000 1662916895#comment-2385 <p>I've been hard pressed to find any real reason why you'd want to use extract, as it really doesn't gain you anything. Sure, it might be less to type out ($Variable vs. $Array['Variable']), but is it really worth all the confusion?</p> <p>There is only one practical use that I can think of, and that's if you pass arguments into a function in the form of an array (because you've got a ton of parameters). Something like:</p> <code lang="php"> function DoStuff($Args) { $FirstArg = 0; $SecondArg = ''; $ThirdArg = null; ... $ArgumentNumberTwenty = 'Wow!'; extract($Args,EXTR_IF_EXISTS) ... }</code><p>This would save the hassle of having to use isset() on each array element. Of course, you could also achieve this same thing using array_merge with the overwrite flag set, but that's just a matter of style preference.</p> I’ve been hard pressed to find any real reason why you’d want to use extract, as it really doesn’t gain you anything. Sure, it might be less to type out ($Variable vs. $Array['Variable']), but is it really worth all the confusion?

There is only one practical use that I can think of, and that’s if you pass arguments into a function in the form of an array (because you’ve got a ton of parameters). Something like:

function DoStuff($Args) { $FirstArg = 0; $SecondArg = ''; $ThirdArg = null; ... $ArgumentNumberTwenty = 'Wow!'; extract($Args,EXTR_IF_EXISTS) ... }

This would save the hassle of having to use isset() on each array element. Of course, you could also achieve this same thing using array_merge with the overwrite flag set, but that’s just a matter of style preference.

]]> By: Dr Livingston http://www.sitepoint.com/blogs/2005/08/15/the-problem-with-extract/comment-page-1/#comment-2386 Dr Livingston Tue, 30 Nov 1999 00:00:00 +0000 1662916895#comment-2386 <p>Much like eval() I have never used extract() either. Wouldn't touch them with a barge pole, but I thank you for being it to the attention of other developers who may be using extract() without knowingly introduce a security hole in their scripts.</p> <p>My thoughts are just to ignore these two functions, as there are other alternatives and work arounds you can use, just as cleanly :)</p> Much like eval() I have never used extract() either. Wouldn’t touch them with a barge pole, but I thank you for being it to the attention of other developers who may be using extract() without knowingly introduce a security hole in their scripts.

My thoughts are just to ignore these two functions, as there are other alternatives and work arounds you can use, just as cleanly :)

]]> By: Mike Willbanks http://www.sitepoint.com/blogs/2005/08/15/the-problem-with-extract/comment-page-1/#comment-2387 Mike Willbanks Tue, 30 Nov 1999 00:00:00 +0000 1662916895#comment-2387 <p>Actually there is a very good use for extract that many people do not see...<br /> If you built a template system there is an extremely good use.</p> <p>My templates simply work by running a page and extracting the variables to it...<br /> Such as this:<br /> $tpl->SetVariable('something', $somevar);<br /> now what happens is during the template loading (they are simply php templates.. you can run php but it is in a sandbox so to speak) and the variables that have been set are extracted to it.</p> <p>But indeed you have to set your own variables to make it work.</p> Actually there is a very good use for extract that many people do not see…
If you built a template system there is an extremely good use.

My templates simply work by running a page and extracting the variables to it…
Such as this:
$tpl->SetVariable(’something’, $somevar);
now what happens is during the template loading (they are simply php templates.. you can run php but it is in a sandbox so to speak) and the variables that have been set are extracted to it.

But indeed you have to set your own variables to make it work.

]]> By: mwmitchell http://www.sitepoint.com/blogs/2005/08/15/the-problem-with-extract/comment-page-1/#comment-2388 mwmitchell Tue, 30 Nov 1999 00:00:00 +0000 1662916895#comment-2388 <p>Hmm, OK one good use: If you have a PHP based template class. In the method that actually includes the template file... If you use extract (extract($this->template_data)), then you expose only the variables needed. If you use a loop, then you expose the $key/$val variables to the templates variable scope. What happens if someone has assigned a variable named 'key' or 'val'? It gets squashed by your foreach loop. Not with extract().</p> <p>Matt</p> Hmm, OK one good use: If you have a PHP based template class. In the method that actually includes the template file… If you use extract (extract($this->template_data)), then you expose only the variables needed. If you use a loop, then you expose the $key/$val variables to the templates variable scope. What happens if someone has assigned a variable named ‘key’ or ‘val’? It gets squashed by your foreach loop. Not with extract().

Matt

]]> By: Sketch http://www.sitepoint.com/blogs/2005/08/15/the-problem-with-extract/comment-page-1/#comment-2389 Sketch Tue, 30 Nov 1999 00:00:00 +0000 1662916895#comment-2389 <p>Not to mention that extract() is implicitly identical to setting register_globals to enabled.</p> Not to mention that extract() is implicitly identical to setting register_globals to enabled.

]]>