
The problem is when unexpected variables are overwritten. It would be better to have a mandatory list of allowed variables that can be extracted.

    $login = '1234';
    extract(array('login'=>true, 'message'=>'hacker'), 'message');
    var_dump($login, $message);
    // => $login='1234', $message='hacker'
(pardon my rusty PHP)


> variables are overwritten. It would be better to have a mandatory list of allowed variables that can be extracted.

You can set the EXTR_SKIP flag to do something like that. There are a bunch of other flags as well to control how it works.
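
The three behaviours discussed in this thread, side by side, as an added example that is not part of either comment: default `extract()`, `extract()` with `EXTR_SKIP`, and an allowlist applied with `array_intersect_key()` before extracting. The `only_keys()` helper, the function names and the `is_admin` key in the sample input are assumptions made for the illustration.

```php
<?php
// Constructed sample input: 'login' collides with an existing variable,
// 'message' is the expected key, 'is_admin' is an unexpected extra key.
$input = ['login' => true, 'message' => 'hacker', 'is_admin' => true];

// Hypothetical helper (not a PHP built-in): keep only allowlisted keys.
function only_keys(array $data, array $allowed): array
{
    return array_intersect_key($data, array_flip($allowed));
}

// Default flag is EXTR_OVERWRITE: the existing $login is replaced.
function with_overwrite(array $data): array
{
    $login = '1234';
    extract($data);
    unset($data);
    return get_defined_vars(); // every local variable that now exists
}

// EXTR_SKIP: existing variables are kept, but keys that collide with
// nothing (here 'message' and 'is_admin') still become variables.
function with_skip(array $data): array
{
    $login = '1234';
    extract($data, EXTR_SKIP);
    unset($data);
    return get_defined_vars();
}

// Allowlist first, then EXTR_SKIP: only $message can be created.
function with_allowlist(array $data): array
{
    $login = '1234';
    extract(only_keys($data, ['message']), EXTR_SKIP);
    unset($data);
    return get_defined_vars();
}

foreach (['with_overwrite', 'with_skip', 'with_allowlist'] as $fn) {
    echo $fn, ': ', json_encode($fn($input)), PHP_EOL;
}
```

`EXTR_SKIP` only protects variables that already exist at the call site, so filtering the keys first is what actually restricts which variables can be created.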



