by kawsper 4433 days ago
Aren't you able to hijack sessions on most webpages if you stole session cookies?

The real problem is: "extract($_POST); extract($_GET); extract($_COOKIE);"

For more information on extract: http://www.php.net/extract

Docu on extract():

    Description 
       Import variables from an array into the current symbol table.
       If flags is not specified, it is assumed to be EXTR_OVERWRITE.

       EXTR_OVERWRITE
          If there is a collision, overwrite the existing variable.

The danger is that any state variables set before the extract($_...)'s can be overwritten arbitrarily. This also makes it essential that any and every variable is instantiated prior to any use.
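
Added example, not part of the comments above: a PHP sketch of the overwrite the reply describes, next to a handler that reads only the keys it expects. The function names and the `$request` array (standing in for `$_POST`) are constructed for illustration.

```php
<?php
// Constructed sample input standing in for $_POST; not taken from the thread.
$request = ['is_admin' => '1', 'name' => 'alice'];

// Before: the default EXTR_OVERWRITE lets request keys replace existing state.
function unsafe_handler(array $input): bool
{
    $is_admin = false;           // state set before the extract() call
    extract($input);             // collision: $is_admin is overwritten with '1'
    return (bool) $is_admin;
}

// EXTR_SKIP protects only variables that already exist at the call site.
function skip_handler(array $input): bool
{
    extract($input, EXTR_SKIP);  // $is_admin not initialised yet, so it is imported
    if (!isset($is_admin)) {     // too late: the request already supplied a value
        $is_admin = false;
    }
    return (bool) $is_admin;
}

// After: no extract(); initialise state and read named keys explicitly.
function safe_handler(array $input): array
{
    $is_admin = false;           // never derived from request data
    $name = (isset($input['name']) && is_string($input['name']))
        ? $input['name']
        : '';
    return ['is_admin' => $is_admin, 'name' => $name];
}

// Print each handler's result for the same constructed request.
var_dump(unsafe_handler($request));
var_dump(skip_handler($request));
var_dump(safe_handler($request));
```

The `skip_handler` case shows why initialising every variable before use matters even when `EXTR_OVERWRITE` is avoided.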