{ "slug": "compact_function", "term": "compact() & extract() — Variable Packing", "category": "php", "difficulty": "beginner", "short": "compact() builds an array from named variables; extract() does the reverse — both are dangerous when used with user-controlled input.", "long": "compact('name', 'email') returns ['name' => $name, 'email' => $email] — handy for passing local variables to templates. extract($array) imports array keys as variables into the current scope. The critical danger: extract($_POST) injects arbitrary variable names, potentially overwriting $isAdmin, $authenticated, or any other security variable. This is the root of the register_globals disaster. Never call extract() on user-supplied data. compact() with undefined variable names triggers a notice in PHP 7.3+ and an error in 8.0+. Prefer explicit assignments for clarity and safety.", "aliases": [ "compact()", "PHP compact", "variable to array" ], "tags": [ "php", "arrays", "syntax" ], "misconception": "compact() is a safe way to build arrays from variables. compact() silently ignores undefined variables in PHP 7 (only a notice) — if a variable name is misspelled, the resulting array simply omits it without error, causing hard-to-trace missing-key bugs.", "why_it_matters": "compact() dynamically builds arrays from variable names as strings — it creates magic string coupling between variable names and array keys, breaking refactoring tools and creating hard-to-find bugs.", "common_mistakes": [ "Renaming a variable without updating the compact() call — the key silently disappears from the result.", "Using compact() for view data instead of explicit array literals — harder to read and trace.", "Not realising compact() silently ignores undefined variables in PHP 7.3+, returning NULL in older versions.", "Using compact() with user-controlled variable names — potential information disclosure if the variable exists." ], "when_to_use": [], "avoid_when": [], "related": [ "register_globals", "mass_assignment", "superglobals" ], "prerequisites": [ "php_data_types", "array_functions", "closures" ], "refs": [ "https://www.php.net/manual/en/function.extract.php" ], "bad_code": "extract($_POST); // injects arbitrary variables — $isAdmin could be overwritten", "good_code": "$name = htmlspecialchars($_POST['name'] ?? '');\n$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);", "quick_fix": "Avoid compact() and extract() in production code — they hide variable names from static analysis, break refactoring tools, and make code harder to understand at a glance", "severity": "medium", "effort": "low", "created": "2026-03-15", "updated": "2026-03-22", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/compact_function", "html_url": "https://codeclaritylab.com/glossary/compact_function", "json_url": "https://codeclaritylab.com/glossary/compact_function.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[compact() & extract() — Variable Packing](https://codeclaritylab.com/glossary/compact_function) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/compact_function" } } } }