if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini
Infact extract() has a EXTR_SKIP flag that implement this bhreaviuw: If there is a collision, don't overwrite the existing variable.
Using extract() with EXTR_SKIP will give you something like GLOBALS ON that is safe if compared with what happens using extract($_GET); or import_request_variables('G');
Demo: test1.php?SERVER=abc Expected result: the _SERVER array will became a string
The morale is that while an insecure usage of extract() by a developer could be his fault there is no secure usage of import_request_variables() and this is surely a PHP fault.
