parse_str() is therefore capable of the same evil that 'extract()' is.

Unfortunately I maintain some code that loves 'extract()' :-(