[wp-trac] [WordPress Trac] #22400: Remove all, or at least most, uses of extract() within WordPress
WordPress Trac
noreply at wordpress.org
Tue May 13 15:19:34 UTC 2014
#22400: Remove all, or at least most, uses of extract() within WordPress
-------------------------------------------------+-------------------------
 Reporter:  Viper007Bond                         |       Owner:
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future Release
Component:  General                              |     Version:  3.4.2
 Severity:  normal                               |  Resolution:
 Keywords:  westi-likes needs-testing has-patch  |     Focuses:
-------------------------------------------------+-------------------------
Comment (by rzen):
Replying to [comment:48 jmlapam]:
> To my knowledge extract() takes all params from the array, so it could be
> very bad to use it when data comes from the user. The documentation says
> extract can take some additional args to avoid bad behavior, e.g. a prefix.
>
> My question regards shortcodes. I use them all the time, so do you
> recommend removing extract from all our shortcode callbacks?

Yes, you should absolutely remove uses of `extract()` for
[http://josephscott.org/archives/2009/02/i-dont-like-phps-extract-function/ the same reasons highlighted at the start of the ticket].
That said, unless you're doing something really strange within your
shortcode function that somehow makes use of ''all'' available variables,
or you're using global variables which could be overridden, you need not
be too concerned about users passing in something that will be extracted.
Even so, you'll be happier without extract. :)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/22400#comment:49>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
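
Added example, not part of the original message or of WordPress core: a shortcode callback that calls extract() on its attributes, next to the same callback reading whitelisted attributes from the array, run on a constructed attribute array. The demo_* names and the [demo_button] shortcode are hypothetical, and the shortcode_atts() stand-in exists only so the file runs outside WordPress.

```php
<?php
// Stand-in for WordPress's shortcode_atts() so the file runs outside WordPress:
// keeps only the keys named in $pairs and fills in their defaults.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        $atts = (array) $atts;
        $out  = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}

// Hypothetical helper; inside WordPress use esc_attr() / esc_html() instead.
function demo_esc( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

// Before: extract() on the raw attributes turns every key the user typed
// into a local variable, including ones the callback relies on.
function demo_button_with_extract( $atts ) {
    $css_class = 'button';      // intended to be fixed by the developer
    $label     = 'Click';
    extract( (array) $atts );   // a css_class="..." attribute overwrites $css_class
    return '<a class="' . demo_esc( $css_class ) . '">' . demo_esc( $label ) . '</a>';
}

// After: whitelist the attributes and read them from the array explicitly.
function demo_button_without_extract( $atts ) {
    $css_class = 'button';
    $atts      = shortcode_atts( array( 'label' => 'Click' ), $atts, 'demo_button' );
    return '<a class="' . demo_esc( $css_class ) . '">' . demo_esc( $atts['label'] ) . '</a>';
}

// Constructed input, as if the post contained:
// [demo_button label="Save" css_class="button danger"]
$constructed_atts = array( 'label' => 'Save', 'css_class' => 'button danger' );

echo demo_button_with_extract( $constructed_atts ), "\n";
echo demo_button_without_extract( $constructed_atts ), "\n";
```

The first callback lets the attribute replace the developer's $css_class; the second ignores any attribute that is not in the whitelist.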