Explore a critical security vulnerability in PHP through this 22-minute conference presentation from USENIX WOOT '25 that examines the dangerous misuse of PHP's extract function. Learn how this seemingly innocuous function poses security threats comparable to the deprecated register_globals configuration, with researchers from Technische Universität Braunschweig presenting their comprehensive analysis of 28,325 open-source PHP projects. Discover the methodology behind their large-scale static analysis that uncovered 154 injection vulnerabilities and 86 control flow graph hijacking threats, including 60 privilege escalations across real-world applications. Understand the attack vectors enabled by unsafe extract usage and examine specific case studies demonstrating how this "foot-gun" function can compromise application security. Gain insights into the researchers' proposed mitigation strategies and recommendations for PHP's future development to address these inherent dangers, making this essential viewing for PHP developers, security researchers, and anyone involved in web application security.
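To make the register_globals comparison concrete, here is a small added example (not code from the talk, the paper, or the Braunschweig group) showing why `extract()` on request data is dangerous and two ways to contain it. The function and variable names are made up for illustration; the request array is a constructed stand-in for `$_GET`/`$_POST`.

```php
<?php
// Added example: extract() on attacker-controlled input re-creates the
// register_globals problem, because the caller of the page chooses which
// local variables get (over)written.

// Vulnerable pattern: every request key becomes a local variable, so a
// request carrying is_admin=1 silently overrides the default set above it.
function vulnerable_handler(array $request): string
{
    $is_admin = false;          // security-relevant default
    extract($request);          // the client picks the variable names
    return $is_admin ? 'admin' : 'user';
}

// Containment 1: EXTR_SKIP refuses to overwrite variables that already
// exist. Caveat: it only protects variables initialised *before* the
// call; anything first assigned later is still injectable.
function hardened_skip(array $request): string
{
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return $is_admin ? 'admin' : 'user';
}

// Containment 2: EXTR_PREFIX_ALL namespaces every imported variable, so
// request data can never collide with application state.
function hardened_prefix(array $request): string
{
    $is_admin = false;
    extract($request, EXTR_PREFIX_ALL, 'req');   // yields $req_page, $req_is_admin
    $page = $req_page ?? 'home';
    return $is_admin ? 'admin' : 'user';
}

// Preferred fix: do not extract() untrusted arrays at all; read the keys
// you actually need with an explicit default.
function hardened_explicit(array $request): string
{
    $is_admin = false;
    $page = $request['page'] ?? 'home';
    return $is_admin ? 'admin' : 'user';
}

// Constructed sample request: a legitimate key plus an injected one.
$request = ['page' => 'profile', 'is_admin' => '1'];

var_dump(vulnerable_handler($request));
var_dump(hardened_skip($request));
var_dump(hardened_prefix($request));
var_dump(hardened_explicit($request));
```

Run it with `php example.php`: only the first call reports the elevated role. When auditing code for the pattern the talk describes, the thing to look for is any `extract()` whose argument derives from request data, and in particular calls without `EXTR_SKIP` or a prefix flag; even with `EXTR_SKIP`, check that every variable the code relies on is assigned before the call.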