Hello, using these functions, what risk of security problems am I running? Is it necessary to use extract(), or is there a better way to convert the superglobal variables (arrays) into separate variables?


Well, is there any risk in using the extract function on the superglobal variables such as $_POST and $_GET? I work in the following way.

Is there a risk of SQL injection, or is there an alternative to extract?

// stripslashes() only accepts a string, so apply it recursively to the
// request arrays instead of passing $_GET / $_POST to it directly.
function strip_deep($value) {
    return is_array($value) ? array_map('strip_deep', $value) : stripslashes($value);
}

if (get_magic_quotes_gpc()) {
    $_GET  = strip_deep($_GET);
    $_POST = strip_deep($_POST);
}

// Accepts either an array (e.g. $_GET) or a query string such as "a=1&b=2"
// and returns an associative array of name => value.
function vars_globals($value = '') {
    if (is_array($value)) {
        $r = $value;
    } else {
        parse_str($value, $r);
    }

    return $r;
}

$r = vars_globals($_GET);

// EXTR_SKIP keeps existing variables from being overwritten, but every other
// key the client sends still becomes a variable in this scope.
extract($r, EXTR_SKIP);
A: 

Yes there is a risk. You don't want to blindly import user input into your symbol table. You should take the time to validate and/or sanitize user input. The filter_var function can help with this.

When inserting into a database, use the driver's escape mechanism to eliminate the possibility of injection. If you're using mysql_* functions, you'd use mysql_real_escape_string. However, it is much better to use PDO and parameterized queries for this.

webbiedave
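Added example (not part of the question or of webbiedave's answer) showing the approach the answer recommends: an explicit allow-list of parameters validated with filter_var_array() in place of extract(), and a PDO prepared statement instead of escaping. The sample input array and the in-memory SQLite database are constructed for the demonstration and stand in for $_GET and the real database.

```php
<?php
// Constructed sample input standing in for $_GET. Note the quote and the HTML
// tag in 'name' and the unexpected 'admin' key a client could add.
$input = ['id' => '42', 'name' => "O'Brien <b>x</b>", 'admin' => '1'];

// Allow-list: only the keys listed here are ever read; 'admin' is dropped.
$definition = [
    'id'   => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'name' => ['filter' => FILTER_SANITIZE_SPECIAL_CHARS],
];

// Validates $source against $definition; keys missing from $source are omitted
// (add_empty = false) rather than being set to null.
function readParams(array $source, array $definition): array
{
    $clean = filter_var_array($source, $definition, false);
    return is_array($clean) ? $clean : [];
}

$params = readParams($input, $definition);
$id   = $params['id'] ?? null;   // int on success, false if validation failed
$name = $params['name'] ?? '';   // quotes, <, > and & are entity-encoded

if ($id === false || $id === null) {
    exit("invalid id\n");
}

// In-memory SQLite so the example runs offline; a real app would use its DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Parameterized query: values are sent separately from the SQL text, so a
// quote inside $name cannot alter the statement (no manual escaping needed).
$stmt = $pdo->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
$stmt->execute([':id' => $id, ':name' => $name]);

$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
echo $stmt->fetchColumn(), "\n";
```

Anything not in $definition never reaches the symbol table, which is the property extract($_GET) cannot give you.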