Robert has several years of professional experience and a PhD in the field of automated software migrations. He is the co-founder and CEO of Numition Ltd., a start-up company specialized in developing software migrators. Robert is a DZone MVB and is not an employee of DZone and has posted 10 posts at DZone.

PHP bad practice: the use of extract()

09.09.2008

Working with complex data structures in PHP requires the use of associative arrays. Even PHP classes are an extension of this concept. There are always disadvantages when one does not have alternatives (e.g. strictly defined data structures - see “struct” in C), but at least there are lots of built-in functions that work with arrays. Operations such as sorting, searching, merging, iterating with foreach are thus supported out-of-the-box for associative arrays.

One operation is perhaps a little too dynamic in nature, with unexpected side-effects. It is the extract() function.

The problem

According to the documentation, the extract() function imports variables from an array into the current symbol table. In its simplest form, extract(array("a"=>3)) will assign the value 3 to the variable $a.

The problem here is that you need to know what keys the array holds, both when calling the function and maintaining it.

Let us consider this simple function declaration:

function display_user_details($user) {
    // Imports every key of $user as a local variable
    // (default mode: EXTR_OVERWRITE).
    extract($user);

    echo 'User name: '.$user_name."\n";
    echo 'User age: '.$user_age."\n";
}

Calling this function with the argument array("user_name" => "Mike", "user_age" => 20) is a valid operation.

But whenever you call this function, you need to check which key refers to which piece of the user’s data.

So even in its simplest form, the usage of extract() raises issues. Factor in that there are multiple ways of doing the extraction, based on combinations of the $extract_type and $prefix arguments:

  • EXTR_OVERWRITE - if there is a collision, overwrite the existing variable
  • EXTR_SKIP - if there is a collision, don’t overwrite the existing variable
  • EXTR_PREFIX_SAME - if there is a collision, prefix the variable name with $prefix
  • EXTR_PREFIX_ALL - prefix all variable names with $prefix
  • EXTR_PREFIX_INVALID - only prefix invalid/numeric variable names with $prefix
  • EXTR_IF_EXISTS - only overwrite the variable if it already exists in the current symbol table, otherwise do nothing
  • EXTR_PREFIX_IF_EXISTS - only create prefixed variable names if the non-prefixed version of the same variable exists in the current symbol table
  • EXTR_REFS - extracts variables as references

All this means there are several options to choose from, but the code becomes harder to understand. The more entries the array has, the more the extract() call does and the harder it becomes to trace the data.

The solution

My suggestion is to keep it simple. There are at least three alternatives:

  • work directly with the array: $user["user_name"] doesn’t look that bad after all
  • explicitly “import” the variables: $user_name = $user["user_name"]
  • use function arguments with default values: function display_user_details($user_name, $user_age = 18)

Depending on your specific needs, there might be other alternatives. But any of the above three will make your code easier to maintain and extend.
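The collision behaviour and the explicit-import alternative described above, side by side, as an added example that is not part of the original article. The $show_private local, the render() helper and the three details_* function names are hypothetical. The sample array is constructed and carries one key the function does not expect: that key overwrites the local in the first function and is ignored in the other two.

```php
<?php
// Added example (not from the original article). Every name here except
// extract() and the EXTR_* constants is hypothetical.

// Risky: the default mode is EXTR_OVERWRITE, so any key in $user that matches
// a local variable name silently replaces that variable.
function details_with_extract(array $user): string {
    $show_private = false;          // local that the array must not control
    extract($user);                 // same as extract($user, EXTR_OVERWRITE)
    return render($user_name ?? '?', $user_age ?? 0, $show_private);
}

// Partial mitigation: EXTR_SKIP keeps existing locals, but unknown keys
// still become variables and the reader still cannot see which ones.
function details_with_skip(array $user): string {
    $show_private = false;
    extract($user, EXTR_SKIP);
    return render($user_name ?? '?', $user_age ?? 0, $show_private);
}

// Explicit import: only the two expected keys are read, with defaults
// (18 for the age, as in the article's third alternative).
function details_explicit(array $user): string {
    $show_private = false;
    $user_name = (string) ($user['user_name'] ?? '?');
    $user_age  = (int) ($user['user_age'] ?? 18);
    return render($user_name, $user_age, $show_private);
}

// Formats the values so the effect on $show_private is visible.
function render(string $name, int $age, bool $show_private): string {
    return sprintf("name=%s age=%d private=%s", $name, $age,
                   $show_private ? 'shown' : 'hidden');
}

// Constructed sample input with one unexpected key.
$input = ['user_name' => 'Mike', 'user_age' => 20, 'show_private' => true];

echo details_with_extract($input), "\n";
echo details_with_skip($input), "\n";
echo details_explicit($input), "\n";
```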

Published at DZone with permission of Robert Enyedi, author and DZone MVB. (source)


Comments

Philippe Lhoste replied on Fri, 2008/09/12 - 9:50am

I didn't know this function (there are so many in PHP!)... and I will keep prudently away from it!
Actually, I don't even see in what cases it could have a valid use... Even after taking a look at the manual page.
In fact, I see this as a great way... of introducing security breaches!

But well, thanks for this article, if I meet this function someday, I will know what it does.
