pretty much the same risk - GET, POST, COOKIE, REQUEST, GLOBALS, and SERVER and in certain situations, even SESSION, globals can and often are easily modified and messed with (even in realtime via proxy server) - Basically, it is *all* what is known as "user provided input" .. and the rule of thumb is NTUI - Never Trust User Input ... just because you have a form with two POST values and nothing else, does *NOT* mean that you will *only* have two variables written in the next page using extract
For example, maybe you want a username and password, and in your code you happen to include a config file which has the admin's password like $adminpass = 'anypassword'; and a user was to create his own form and send it to your server, and you used extract, if the extract of post data happens *AFTER* the config file is included, $_POST['adminpass'] will overwrite $adminpass, and suddenly for that particular login, a user could very easily break in to admin area, unless you check for such a possibility very carefully ..
Even though your form was just $_POST['user'] and $_POST['ppass'], the $adminpass variable from config.php would be overwritten (as would any other variables that were brought in before you do the extract()) because the user made his *OWN* form on his own webserver and POSTED all that data to your form, so that user could send you a form with 15 - 20 POST parameters and extract will gleefully take every single one of them, create a variable by the post field name, and assign it the value it was given in the input - or overwriting variables that you had already included before you run the extract();
it's basically the same results as doing foreach($_POST as $key=>$value) .. it's just plain evil, and anyone using these are just asking for headaches, IMHO .. do it the right way and keep total control of every variable (that also means not setting variables global, and coding your app to work with register_globals = off, if you can possibly help it), and you will be happier in the long run, once you get your application out of development and into the real world...
Spend an extra 10 minutes writing out a specific request and assignment for every post value that you will be using, and anything else sent via POST will be ignored .. this puts a very nice limit on the data you will be having to deal with, so you will be able to work within known parameters that you set with a reasonable assumption that you won't have other stuff being sent that could overwrite some important variables..
there are fast coders, and there are secure coders, but very few fast, secure coders, IMHO
even when I have a form that accepts as many as 100 different fields from a POST'ed form, I will specifically call em into my code.. it takes more time than simply doing an extract($_POST), but I also know I'll have far fewer "holes" where someone could overwrite one of my variables
Bri!
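
The overwrite described in the post above, next to the explicit per-field assignment it recommends, as an added example that is not part of the original post. The function names `login_with_extract`, `pick_fields` and `login_with_allowlist` are hypothetical, and the request data is constructed to stand in for `$_POST`.

```php
<?php
// Constructed sample: the value config.php would define before the handler runs.
$adminpass = 'anypassword';

// Constructed sample standing in for $_POST. The real form only has 'user'
// and 'ppass'; the third field was added by whoever built the request.
$post = ['user' => 'admin', 'ppass' => 'guess', 'adminpass' => 'guess'];

// Risky pattern: extract() runs after $adminpass already exists in scope.
function login_with_extract(array $post, string $adminpass): bool
{
    extract($post); // default EXTR_OVERWRITE replaces the local $adminpass
    return isset($ppass) && $ppass === $adminpass;
}

// Explicit assignment: only the named fields are read, everything else in
// the request is ignored, and non-string values (e.g. ppass[]=x) are dropped.
function pick_fields(array $post, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $name) {
        $value = $post[$name] ?? '';
        $clean[$name] = is_string($value) ? $value : '';
    }
    return $clean;
}

function login_with_allowlist(array $post, string $adminpass): bool
{
    $in = pick_fields($post, ['user', 'ppass']);
    // $adminpass can only come from the caller, never from the request.
    return $in['ppass'] !== '' && hash_equals($adminpass, $in['ppass']);
}

// Same request, same configured password, different outcome.
var_dump(login_with_extract($post, $adminpass));
var_dump(login_with_allowlist($post, $adminpass));

// The allowlist version still accepts the real password.
$post['ppass'] = 'anypassword';
var_dump(login_with_allowlist($post, $adminpass));
```

If `extract()` cannot be removed from legacy code right away, passing `EXTR_SKIP` as the second argument stops it from overwriting variables that already exist, though it still creates a variable for every field the request contains.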