
compact() & extract() — Variable Packing

Tags: PHP · CWE-473 · OWASP A3:2021 · PHP 5.0+ · Beginner
DEBT score: d5 / e3 / b3 / t7
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). PHPStan and Psalm can detect some compact() issues, but as noted in detection_hints, 'PHPStan cannot detect variable existence after extract()' — the silent omission of undefined variables in compact() is similarly hard to catch statically since the tool must track variable scope and string-name matching. Standard linters flag usage but not the subtle bugs.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix indicates replacing compact() with explicit array literals — this is straightforward within a single file/function, but requires identifying all variable names that should be in the array and writing them out explicitly. Not a one-liner, but contained to the call site.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). While compact() applies across all PHP contexts (web/cli/queue), its damage is localised to individual call sites. It doesn't create architectural coupling — each usage can be fixed independently. The burden is mostly that refactoring tools can't rename variables referenced as strings, affecting only that specific code path.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field explicitly states the trap: compact() 'silently ignores undefined variables in PHP 7 (only a notice)' — this contradicts reasonable expectations that building an array from named variables would error on missing variables. A developer from other languages would expect a runtime error, not silent omission. The string-based coupling also breaks IDE refactoring in ways developers don't anticipate.


Also Known As

compact(), PHP compact, variable to array

TL;DR

compact() builds an array from named variables; extract() does the reverse — both are dangerous when used with user-controlled input.

Explanation

compact('name', 'email') returns ['name' => $name, 'email' => $email] — handy for passing local variables to templates. extract($array) imports array keys as variables into the current scope. The critical danger: extract($_POST) injects arbitrary variable names, potentially overwriting $isAdmin, $authenticated, or any other security variable. This is the root of the register_globals disaster. Never call extract() on user-supplied data. compact() with undefined variable names triggers a notice in PHP 7.3+ and an error in 8.0+. Prefer explicit assignments for clarity and safety.

Common Misconception

compact() is a safe way to build arrays from variables. In reality, compact() silently ignores undefined variables in PHP 7 (only a notice): if a variable name is misspelled, the resulting array simply omits it without error, causing hard-to-trace missing-key bugs.

Why It Matters

compact() dynamically builds arrays from variable names as strings — it creates magic string coupling between variable names and array keys, breaking refactoring tools and creating hard-to-find bugs.

Common Mistakes

  • Renaming a variable without updating the compact() call — the key silently disappears from the result.
  • Using compact() for view data instead of explicit array literals — harder to read and trace.
  • Not realising compact() silently ignores undefined variables in PHP 7.3+, returning NULL in older versions.
  • Using compact() with user-controlled variable names — potential information disclosure if the variable exists.
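The following script, added here as an illustration and not taken from CodeClarityLab or any project it describes, shows the three behaviours the Explanation and Common Mistakes sections describe side by side: a misspelled name in compact() producing a missing key, extract() on request-shaped data overwriting an already-set $isAdmin, and the explicit-assignment alternative. The $constructedPost array stands in for $_POST and is made up for the example; the function names are the example's own.

```php
<?php
declare(strict_types=1);

// 1. compact() with a misspelled name: the key is silently absent from the result.
//    'emial' is a deliberate typo standing in for a renamed-but-not-updated variable.
function viewDataViaCompact(): array
{
    $name  = 'alice';
    $email = 'alice@example.test';
    return compact('name', 'emial');
}

// 2. extract() with no flags (EXTR_OVERWRITE): any key in the array becomes a local,
//    including one that clobbers a security flag set before the call.
function isAdminAfterExtract(array $request): bool
{
    $isAdmin = false;
    extract($request);
    return (bool) $isAdmin;
}

// 3. EXTR_SKIP leaves variables that already exist untouched; it does nothing for
//    variables that are only read later and never assigned before the call.
function isAdminAfterExtractSkip(array $request): bool
{
    $isAdmin = false;
    extract($request, EXTR_SKIP);
    return (bool) $isAdmin;
}

// 4. Explicit assignment: every variable name is visible in the source, and nothing
//    in the request can choose which locals get written.
function viewDataExplicit(array $request): array
{
    $name  = htmlspecialchars((string) ($request['name'] ?? ''), ENT_QUOTES, 'UTF-8');
    $email = filter_var((string) ($request['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    return [
        'name'  => $name,
        'email' => $email === false ? null : $email, // filter_var returns false on invalid input
    ];
}

// Collect PHP's own diagnostics instead of letting them interleave with the output.
$diagnostics = [];
set_error_handler(function (int $errno, string $errstr) use (&$diagnostics): bool {
    $diagnostics[] = $errstr;
    return true; // handled; do not print
});

// Constructed stand-in for $_POST: an attacker-shaped submission with an extra key.
$constructedPost = ['name' => 'mallory', 'email' => 'not-an-email', 'isAdmin' => '1'];

$data = viewDataViaCompact();
var_dump(array_key_exists('email', $data), array_key_exists('emial', $data)); // false, false
var_dump(isAdminAfterExtract($constructedPost));     // bool(true): flag overwritten by request data
var_dump(isAdminAfterExtractSkip($constructedPost)); // bool(false): existing local kept
var_dump(viewDataExplicit($constructedPost));        // name => "mallory", email => NULL

restore_error_handler();
var_dump($diagnostics); // PHP 7.3+: one "Undefined variable" message for 'emial'; older PHP: empty
```

Run it with `php example.php`. Note that EXTR_SKIP is only a partial mitigation: it protects locals assigned before the call, but a later `if ($isAdmin)` on a variable that was never initialised can still be satisfied by an injected key, which is why the entry's quick fix is to drop extract() on request data entirely and assign fields explicitly.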

Code Examples

✗ Vulnerable

```php
extract($_POST); // injects arbitrary variables — $isAdmin could be overwritten
```

✓ Fixed

```php
// Assign each field explicitly; the request never chooses a variable name.
$name  = htmlspecialchars($_POST['name'] ?? '');
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL); // false when the value is not a valid address
```

Added 15 Mar 2026
Edited 22 Mar 2026
Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Avoid compact() and extract() in production code — they hide variable names from static analysis, break refactoring tools, and make code harder to understand at a glance
📦 Applies To
PHP 5.0+ · web · cli · queue-worker
🔍 Detection Hints
  • compact() in controller view() calls
  • extract() on database result or request data
  • PHPStan cannot detect variable existence after extract()
Auto-detectable: ✓ Yes phpstan psalm phpcs
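As a complement to the PHPStan/Psalm/phpcs hints above, here is a small token-based scanner, written for this entry and not part of any of those tools, that lists compact() and extract() calls in a file and flags an extract() whose first argument is a request superglobal. The sample source in $sample is constructed for the demonstration; function names and the REQUEST_SOURCES list are the example's own.

```php
<?php
declare(strict_types=1);

// Superglobals that carry user-controlled data; extract() on any of these is the
// "arbitrary variable injection" case the entry warns about.
const REQUEST_SOURCES = ['$_POST', '$_GET', '$_REQUEST', '$_COOKIE', '$_FILES', '$_SERVER', '$_ENV'];

// Index of the next token that is not whitespace or a comment, or null.
function nextSignificant(array $tokens, int $i): ?int
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        if (!is_array($tokens[$j]) || !in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $j;
        }
    }
    return null;
}

// Index of the previous significant token, or null.
function prevSignificant(array $tokens, int $i): ?int
{
    for ($j = $i - 1; $j >= 0; $j--) {
        if (!is_array($tokens[$j]) || !in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $j;
        }
    }
    return null;
}

/** @return array<int, array{line:int, func:string, note:string}> */
function scanForVariablePacking(string $code): array
{
    $findings = [];
    $tokens   = token_get_all($code);
    // PHP 8 tokenises "\extract" as one T_NAME_FULLY_QUALIFIED token; older PHP uses T_STRING.
    $nameTokens = [T_STRING];
    if (defined('T_NAME_FULLY_QUALIFIED')) {
        $nameTokens[] = T_NAME_FULLY_QUALIFIED;
    }

    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || !in_array($tok[0], $nameTokens, true)) {
            continue;
        }
        $name = strtolower(ltrim($tok[1], '\\'));
        if ($name !== 'compact' && $name !== 'extract') {
            continue;
        }
        // Skip method calls ($obj->compact()), static calls and function declarations.
        $p = prevSignificant($tokens, $i);
        if ($p !== null && is_array($tokens[$p])
            && in_array($tokens[$p][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        // Must actually be a call: next significant token is "(".
        $open = nextSignificant($tokens, $i);
        if ($open === null || $tokens[$open] !== '(') {
            continue;
        }
        $line = $tok[2];
        if ($name === 'compact') {
            $findings[] = ['line' => $line, 'func' => 'compact',
                'note' => 'variable names passed as strings; prefer an explicit array literal'];
            continue;
        }
        // For extract(), inspect the first argument token.
        $arg     = nextSignificant($tokens, $open);
        $argText = $arg === null ? '' : (is_array($tokens[$arg]) ? $tokens[$arg][1] : $tokens[$arg]);
        $note    = in_array($argText, REQUEST_SOURCES, true)
            ? "extract() on $argText: request keys become variables (CWE-473)"
            : "extract() on $argText: variables invisible to static analysis; review the source array";
        $findings[] = ['line' => $line, 'func' => 'extract', 'note' => $note];
    }
    return $findings;
}

// Constructed sample input for the scanner.
$sample = <<<'PHP'
<?php
$isAdmin = false;
extract($_POST);
$view = compact('name', 'email');
extract($row, EXTR_SKIP);
echo $obj->compact();
PHP;

foreach (scanForVariablePacking($sample) as $f) {
    printf("line %d: %s() - %s\n", $f['line'], $f['func'], $f['note']);
}
// Expected: three findings (lines 3, 4 and 5); the method call on line 6 is ignored.
```

The scanner reports where the calls are, which is the part standard linters already do; the request-source check is the piece that turns a style finding into a security finding. It is deliberately shallow (one token of lookahead), so an extract() on a variable that was itself assigned from $_POST earlier will only be reported as "review the source array".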