I have a legacy app which makes heavy use of the extract() function. It’s good security practice to use the EXTR_SKIP flag (e.g. extract($array_of_stuff, EXTR_SKIP)) when using this on untrusted data, to avoid malicious users overwriting existing variables. Naturally my legacy app does no such thing.
So my question is, is there any way I can set EXTR_SKIP as the default behavior for extract()? I’m still going through and specifying it manually, but if I can set that globally I’d prefer to do so now to improve the app’s security while I’m slogging through.
I would say the answer is no. A simple wrapper function is best, so grep etc. is the way to go on this one. Even if you changed the default behavior, that’s a bad idea if you’re running any third party libs that use extract and expect the normal default behavior. If you’re not running third party libs, fair enough, but there’s still no way to do it short of a hack afaik.
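An added example (not from either poster) showing what EXTR_SKIP changes when extract() runs on request data, plus the scope caveat that makes a drop-in wrapper impossible in PHP; `demo`, `filtered_vars` and the `$request` array are constructed for this illustration.

```php
<?php
// Added example, not from the original thread: why extract() on untrusted
// input is dangerous and what EXTR_SKIP changes. $_GET is simulated with a
// constructed array so the script runs from the CLI.

function demo(array $untrusted, bool $skipExisting): bool
{
    // A variable that already exists before extract() runs.
    $is_admin = false;

    // Without EXTR_SKIP (the default is EXTR_OVERWRITE), a key named
    // "is_admin" in the untrusted array silently clobbers the local variable.
    // With EXTR_SKIP, keys that collide with existing variables are ignored.
    if ($skipExisting) {
        extract($untrusted, EXTR_SKIP);
    } else {
        extract($untrusted);
    }
    return $is_admin;
}

// Constructed request data standing in for $_GET or $_POST.
$request = ['page' => 'home', 'is_admin' => true];

var_dump(demo($request, false)); // default flag: the existing variable is replaced
var_dump(demo($request, true));  // EXTR_SKIP: the existing variable survives

// Caveat on the "wrapper function" suggestion: extract() only populates the
// scope it is called in, so a wrapper cannot inject variables into its caller.
// A wrapper is still useful as a grep target and a single place to enforce
// policy, but each call site must receive the data back, e.g. as an array.
function filtered_vars(array $untrusted, array $allowed): array
{
    // Keep only keys on an explicit allow-list. This is stricter than
    // EXTR_SKIP because it also drops unexpected keys that collide with
    // nothing today but might collide with a variable added later.
    return array_intersect_key($untrusted, array_flip($allowed));
}

extract(filtered_vars($request, ['page']), EXTR_SKIP);
var_dump(isset($page), isset($is_admin)); // only the allow-listed key exists
```

The allow-list step is the stronger control; EXTR_SKIP only protects variables that already exist at the moment extract() is called.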