Dynamically Typed has a new post today talking about some of the issues that can be caused by using extract in PHP.
Apart from the fact the article's author Jeffery Vaska can't seem to count to ten (thanks Jules for spotting that), the article contains some dubious advice as far as Stefan is concerned, and he takes exception to one tip in particular, tip 5 (the second tip 5; we're generously given two tips labelled 'tip 5') which explains the use of the extract language construct to extract the contents of the $_POST variable to local variables.
In news over the weekend, Stefan Esser over on the PHP Security Blog 10 Tips That Every PHP Developer Should Know, Part 2 (part of a two part series).
Mostly, this debate gets back to the same kind of thing that register_globals deals with - lack of control over what the variables' initial values really are. That and the difficulty of trying to figure out where variables are coming from can cause some headaches down the line...
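
The loss of control over initial values described above, shown as an added example (not code from either blog post). The form fields, the `is_admin` flag and the function names are assumptions chosen for illustration.

```php
<?php
// Constructed stand-in for $_POST: the form only has "username" and
// "password" fields, but the client added a third key of its own.
$post = ['username' => 'alice', 'password' => 'secret', 'is_admin' => '1'];

// Weak: extract() creates or overwrites a local for every key in the array.
function is_admin_extract(array $post): bool
{
    $is_admin = false;      // the value the developer believes is fixed
    extract($post);         // default EXTR_OVERWRITE replaces $is_admin
    return (bool) $is_admin;
}

// Still fragile: EXTR_SKIP only protects locals that already exist when
// extract() runs, so a variable initialised later is client-controlled.
function is_admin_skip(array $post): bool
{
    extract($post, EXTR_SKIP);
    if (!isset($is_admin)) {    // never true here: the request set it
        $is_admin = false;
    }
    return (bool) $is_admin;
}

// Hardened: read only the expected fields by name, so the origin and
// initial value of every variable is visible in the code.
function is_admin_explicit(array $post): bool
{
    $is_admin = false;
    $username = is_string($post['username'] ?? null) ? $post['username'] : '';
    $password = is_string($post['password'] ?? null) ? $post['password'] : '';
    // ... authenticate $username / $password here; privilege comes from
    // the server-side account record, never from the request body.
    return $is_admin;
}

var_dump(is_admin_extract($post));
var_dump(is_admin_skip($post));
var_dump(is_admin_explicit($post));
```

Run with the PHP CLI: for the constructed input the first two calls report true and the third reports false.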




