
It is easier to use in strings: `$blah = "hi $gVar_hello"` rather than `$blah = "hi {$_GET['hello']}";`.

Not that it is a massive deal... I guess I just got in the habit when I was younger. Like I said, I always used import_request_variables (with various prefixes).

----

But back to my question - is it bad to use like I have?



First: this could result in:

  echo $blah; // hi <script>alert('foo');</script>
But maybe it's just because you posted an example...

Second: it will double the memory used.

Third: you can't use the variables globally anymore.


Like you said, I wouldn't use it without first cleaning the input. I guess I use it more out of habit and preferring a straight variable to an array... just feels neater.

Good point on the memory, but I wouldn't think that's a big issue. I haven't tested right now, but I don't remember ever having issues using the $_GET variable after exporting? Not sure if that's what you meant.


If I am not mistaken, PHP is copy-on-write, so if extract just copies the value then memory usage wouldn't double.


Well, like most coding bad practices, plenty of which I'm guilty of too, it's fine until it's not -- and then it's really bad.

I can't immediately think of a practical way to make a problem out of that. But, you're making a couple of bets here: you're betting that there never will be a problem with it, and you're betting that the rules in PHP won't change in the future. All those folks that relied on magic_quotes already got boned by that second bet.

So, no, I wouldn't do it that way, but I wouldn't criticize you for it either.


Haha, yeah, that is true. When they said import_request_variables was being removed I was so close to just forgetting the idea of doing what I am doing.


You missed out the sanitizing of the input just for this example, right!?


of course!


  $blah = "hi $_GET[hello]";
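The XSS shown above ("hi <script>alert('foo');</script>") and the "cleaning the input" step the later replies allude to, as an added example that is not code from any of the commenters. It mimics the prefixed-global import that import_request_variables did and then renders the value two ways. The `$request` array is a constructed stand-in for `$_GET` so the script runs from the CLI; the function names (`import_unsafe`, `import_allowlisted`, `render_unsafe`, `render_escaped`) and the `gVar_`/`safe_` prefixes are this example's own choices.

```php
<?php
declare(strict_types=1);

// Constructed sample request standing in for $_GET so this runs offline.
// The 'admin' key is there only to show the allowlist ignoring unexpected names.
$request = [
    'hello' => "<script>alert('foo');</script>",
    'admin' => '1',
];

/**
 * Unsafe import: every request key becomes a prefixed global, unconditionally.
 * This is the behaviour of import_request_variables('g', 'gVar_') reproduced by hand.
 */
function import_unsafe(array $request, string $prefix): void
{
    foreach ($request as $key => $value) {
        $GLOBALS[$prefix . $key] = $value;
    }
}

/**
 * Safer import: only keys you expect are copied, and only if that global name
 * does not already exist, so a crafted query string cannot add or replace
 * variables your code relies on. (Assumed hardening, not something the thread shows.)
 */
function import_allowlisted(array $request, string $prefix, array $allowed): void
{
    foreach ($allowed as $key) {
        $name = $prefix . $key;
        if (isset($request[$key]) && !array_key_exists($name, $GLOBALS)) {
            $GLOBALS[$name] = (string) $request[$key];
        }
    }
}

// Rendering as in the thread: the raw value is interpolated straight into the string.
function render_unsafe(string $value): string
{
    return "hi $value";
}

// Escaping at the point of output is what "cleaning the input" has to mean for HTML.
function render_escaped(string $value): string
{
    return 'hi ' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

import_unsafe($request, 'gVar_');
echo render_unsafe($gVar_hello), "\n";   // the script tag is emitted verbatim

import_allowlisted($request, 'safe_', ['hello']);
echo render_escaped($safe_hello), "\n";  // angle brackets and quotes are entity-encoded
var_dump(isset($safe_admin));            // false: 'admin' was not in the allowlist
```

The prefix only solves the naming convenience the poster wanted; it does nothing about what ends up in the page. Escaping belongs at the output (`htmlspecialchars` for an HTML body), because the same value may later be used in a URL, a SQL query or JavaScript, each of which needs different encoding.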



