Take a look at the code below regarding POST. Which is better?

Thanks!

They're both equally bad from the perspective of SQL injection: http://en.wikipedia.org/wiki/SQL_injection

Even if there's no intentional SQL injection your query will error out if any of the submitted data contains a " in the first example or a ' in the second.

Once you've learned about escaping user submitted data, I would recommend *not* using extract. The PHP manual page itself ( http://www.php.net/extract ) recommends "Do not use extract() on untrusted data, like user input (i.e. $_GET, $_FILES, etc.)"

There's no sense using extract() anyway, and it may overwrite variables you have already set up, further opening your code up to abuse.

__________________
Chris Hope's LAMP Blog: http://www.electrictoolbox.com/

Thanks. I had read the PHP manual advisory previously, but since then I have also read a couple of blogs about how great extract() was. But I hadn't thought about it overwriting existing variables, which is not a good thing.

Dave

Funnily enough I've just read a post which talks about SQL injection along with some examples: http://blog.tuvinh.com/top-7-php-security-blunders/

Some other useful stuff in there too.

__________________
Chris Hope's LAMP Blog: http://www.electrictoolbox.com/

That problem is solved by using the EXTR_PREFIX_SAME flag.

__________________
mysql> SELECT * FROM `users` WHERE `users`.`clue` > 0;
Empty set (0.00 sec)

Good point. I've also had another look at the docs and you can also specify what to do with collisions with the extract_type parameter. I still wouldn't use this function myself though.

__________________
Chris Hope's LAMP Blog: http://www.electrictoolbox.com/

Extract is a handy little fella in some situations, no sense in ruling it out; I've written numerous functions in the past where I wanted/needed to return multiple arrays of data. Nest the arrays, return it, and extract it on the other side into it's components. No fuss.