Saturday, August 13. 2005
Tobias Schlitt gave me a link to the article "10 Tips That Every PHP Developer Should Know, Part 2" by Jeffery Vaska that recently appeared on phpbuilder.com. I was quite shocked when I saw Tip #5, which describes how to deal with $_GET and $_POST. It mentions that a developer can use extract($_POST) to eliminate the need to assign every single entry manually. It also mentions: "This is a matter of convenience and is not always a best practice."
It completely fails to mention that using extract() without a prefix or the EXTR_SKIP flag is usually a very big security hole: it allows an external attacker to overwrite every variable, including the superglobals (unless you use the Hardening-Patch), and in many cases this leads to SQL injection or even remote code execution vulnerabilities.
Gulftech has recently released an advisory for Squirrelmail, that describes exactly such an extract($_POST) flaw.
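To make the problem concrete, here is an added example (my own, not code from the phpbuilder.com article or from SquirrelMail) showing how extract($_POST) clobbers variables the script has already set, next to the EXTR_SKIP, EXTR_PREFIX_ALL and explicit-assignment alternatives. The $_POST contents are constructed for the demonstration.

```php
<?php
// Constructed request data standing in for a real $_POST.
$_POST = ['username' => 'alice', 'is_admin' => '1', 'table' => 'users'];

// --- The pattern recommended in the article ---
$is_admin = false;      // decided by the application before the request is handled
$table    = 'messages'; // later interpolated into an SQL statement

extract($_POST);        // default flag is EXTR_OVERWRITE: every $_POST key becomes
                        // a local variable and silently replaces any existing one
var_dump($is_admin);    // string(1) "1"  -> a later `if ($is_admin)` check now passes
var_dump($table);       // string(5) "users" -> attacker-chosen name reaches the query

// --- Safer variants ---
$is_admin = false;
$table    = 'messages';

// 1. EXTR_SKIP: keys that collide with an already defined variable are ignored.
//    Caveat: keys that do NOT collide are still imported, so any variable the
//    script defines later (or reads before initialising) remains exposed.
extract($_POST, EXTR_SKIP);
var_dump($is_admin);    // bool(false)

// 2. EXTR_PREFIX_ALL: every imported name gets a prefix, so nothing pre-existing
//    is touched and the request origin is visible in the variable name.
extract($_POST, EXTR_PREFIX_ALL, 'post');
var_dump($post_username); // string(5) "alice"
var_dump($is_admin);      // bool(false)

// 3. Explicit assignment with validation: the "manual" work the tip wanted to
//    avoid, and the only variant that also rejects unexpected values.
$username = (isset($_POST['username'])
             && preg_match('/^[a-z0-9_]{1,32}$/', $_POST['username']))
    ? $_POST['username']
    : null;
var_dump($username);    // string(5) "alice"
```

Even with EXTR_SKIP, the unknown keys still land in the local scope, so a whitelist of expected names (variant 3) is the form to use when the code handles anything security-relevant.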