
extract() — Dangerous Variable Injection

Language: php · CWE-621 · OWASP A3:2021 · CVSS 9.8 · PHP 4.0+ · Beginner
DEBT score: d5/e3/b3/t9
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list phpstan, rector, and phpcs — all specialist static analysis tools. The misuse won't cause a syntax error or be caught by a default linter pass; it requires running a dedicated SAST/static analysis tool configured to flag extract() usage.
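As an added illustration of what the specialist tooling named above looks for (this is example code, not the page's own and not taken from phpstan, rector or phpcs), the following token-level scan lists every call to the built-in extract() in a PHP source string, whether the call passes a collision-safe flag (EXTR_SKIP or EXTR_PREFIX_ALL), and whether a request superglobal appears among its arguments. The sample source at the bottom is constructed. It is a triage aid for a code review, not a replacement for a configured static analyser.

```php
<?php
// Added example (not from the CodeClarityLab page, nor from phpstan/rector/
// phpcs): a token-level scan for calls to the built-in extract(). The
// sample source at the bottom is constructed.
declare(strict_types=1);

/**
 * Returns one finding per extract() call: its line, the argument text,
 * whether a collision-safe flag is passed, and whether a request
 * superglobal appears in the arguments.
 */
function findExtractCalls(string $source): array
{
    $tokens   = token_get_all($source);
    $count    = count($tokens);
    $findings = [];

    // Index of the previous / next token that is not whitespace.
    $skipWs = function (int $i, int $step) use ($tokens, $count): int {
        do {
            $i += $step;
        } while ($i >= 0 && $i < $count && is_array($tokens[$i]) && $tokens[$i][0] === T_WHITESPACE);
        return $i;
    };

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        // PHP 8 tokenises "\extract" as one T_NAME_FULLY_QUALIFIED token;
        // PHP 7 emits T_NS_SEPARATOR followed by T_STRING.
        $isName = is_array($tok) && ($tok[0] === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $tok[0] === T_NAME_FULLY_QUALIFIED));
        if (!$isName || strtolower(ltrim($tok[1], '\\')) !== 'extract') {
            continue;
        }

        // Must be followed by '(' to be a call ...
        $next = $skipWs($i, 1);
        if ($next >= $count || $tokens[$next] !== '(') {
            continue;
        }
        // ... and must not be a method name, a static call, or a function definition.
        $prev = $skipWs($i, -1);
        if ($prev >= 0 && is_array($tokens[$prev])
            && in_array($tokens[$prev][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }

        // Gather the argument text up to the matching ')'.
        $depth = 0;
        $args  = '';
        for ($j = $next; $j < $count; $j++) {
            $text = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
            if ($text === '(' && ++$depth === 1) {
                continue;               // opening paren of the call itself
            }
            if ($text === ')' && --$depth === 0) {
                break;                  // matching close paren
            }
            $args .= $text;
        }

        $findings[] = [
            'line'        => $tok[2],
            'args'        => trim($args),
            'safe_flag'   => (bool) preg_match('/\bEXTR_(SKIP|PREFIX_ALL)\b/', $args),
            'superglobal' => (bool) preg_match('/\$_(GET|POST|REQUEST|COOKIE)\b/', $args),
        ];
    }
    return $findings;
}

// Constructed sample source: three genuine calls and one method call
// that must not be reported.
$sample = <<<'PHP'
<?php
function handle(array $config, array $row, object $mapper): void
{
    $isAdmin = false;
    extract($_POST);
    extract($config, EXTR_SKIP);
    \extract($row, EXTR_PREFIX_ALL, 'row');
    $mapper->extract($row);
}
PHP;

foreach (findExtractCalls($sample) as $f) {
    printf("line %d: extract(%s)  safe flag: %s  request superglobal: %s\n",
        $f['line'], $f['args'],
        $f['safe_flag'] ? 'yes' : 'NO',
        $f['superglobal'] ? 'YES' : 'no');
}
```

Run against the sample it reports the calls on lines 5, 6 and 7 and ignores the $mapper->extract() method call; only line 5 has no collision-safe flag and passes $_POST, which is the pattern the d5 score is about. The scan reads flags only when they are written literally at the call site, so a flag passed through a variable or constant alias is reported as unprotected and needs a manual look.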

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix metadata is mismatched (it describes extract-method refactoring, not extract()), but the common_mistakes indicate the fix is to remove extract() calls and replace them with explicit variable assignment or use EXTR_PREFIX_ALL — a localised change within the affected function/file, not a cross-cutting refactor.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). While extract() applies across web, cli, and queue-worker contexts, the problematic call sites are individual functions or scripts. Misuse is contained to the scope where extract() is called rather than imposing a system-wide structural constraint. Each instance is a localised problem, not an architectural gravitational pull.

t9 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'catastrophic trap — the obvious way is always wrong' (t9). The misconception field states exactly this: developers believe extract() is a 'convenient way to unpack arrays' — the natural, obvious usage (extract($_POST), extract($_GET)) is precisely the critical security vulnerability. The 'helpful' default behaviour (EXTR_OVERWRITE) means the intuitive approach is always the dangerous one, matching the t9 anchor perfectly.


Also Known As

extract() · PHP extract array to variables

TL;DR

extract() creates local variables from an array, allowing attackers to overwrite existing variables if input is unsanitised.

Explanation

PHP's extract() imports array keys as variable names into the current scope. When called on user-supplied data ($_GET, $_POST), an attacker can inject keys that overwrite existing variables — including security-sensitive ones like $isAdmin or $userId. This is a classic variable injection vulnerability that has caused many historical exploits. Avoid extract() entirely; destructure arrays explicitly or use named keys.

How It's Exploited

If code calls extract($_GET) and then checks if ($isAdmin), an attacker passes ?isAdmin=1 in the URL to gain admin access.

Common Misconception

The misconception: extract() is simply a convenient way to unpack arrays into variables. In reality, extract() on user-supplied data is a critical security risk — it can overwrite any existing variable in scope, including $this, authentication flags, and configuration values. Never use it with untrusted input.

Why It Matters

PHP's extract() injects array keys as variables into the current scope — with user-controlled input it overwrites any existing variable, enabling variable hijacking attacks.

Common Mistakes

  • Using extract($_POST) or extract($_GET) — attacker controls every variable in scope.
  • Using extract() with EXTR_OVERWRITE (the default) on any array that could contain attacker-influenced keys.
  • Not using extract()'s EXTR_PREFIX_ALL flag when extraction is genuinely needed — prefixed variables avoid collision.
  • Trusting 'safe' keys because the array was built internally — over time array contents grow and the assumption breaks.

Code Examples

✗ Vulnerable

extract($_POST); // user can inject arbitrary variables

✓ Fixed

$username = $_POST['username'] ?? '';
$email = $_POST['email'] ?? '';
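The following is an added example, not code from the CodeClarityLab page: it runs the vulnerable pattern from the "How It's Exploited" section and four alternatives against one constructed request array so the overwrite, and each fix's effect on it, is visible in a single run. $request is a stand-in for $_POST or $_GET; the function names and the 'req' prefix are choices made for this example.

```php
<?php
// Added example (not from the CodeClarityLab page). It runs the vulnerable
// pattern and four alternatives against one constructed request array so
// the overwrite is visible; $request stands in for $_POST / $_GET.
declare(strict_types=1);

// Constructed input: one legitimate field plus an injected 'isAdmin' key,
// i.e. what ?isAdmin=1 in the query string would produce.
$request = ['username' => 'alice', 'isAdmin' => '1'];

// Vulnerable: EXTR_OVERWRITE is the default, so the request key replaces
// the server-side $isAdmin decision.
function vulnerableHandler(array $request): string
{
    $isAdmin = false;
    extract($request);
    return $isAdmin ? 'admin' : 'user';
}

// Fix 1 (the page's recommendation): explicit assignment. Only the names
// the code spells out ever enter the scope.
function explicitHandler(array $request): string
{
    $isAdmin  = false;
    $username = $request['username'] ?? '';
    return $isAdmin ? 'admin' : 'user';
}

// Fix 2: EXTR_SKIP refuses to overwrite a variable that already exists.
// Caveat: it only protects variables defined *before* the call, so the
// protection silently disappears if $isAdmin is later moved below extract().
function skipHandler(array $request): string
{
    $isAdmin = false;
    extract($request, EXTR_SKIP);
    return $isAdmin ? 'admin' : 'user';
}

// Fix 3: EXTR_PREFIX_ALL puts every key behind a prefix ($req_username,
// $req_isAdmin), so no request key can collide with an existing name.
function prefixHandler(array $request): string
{
    $isAdmin = false;
    extract($request, EXTR_PREFIX_ALL, 'req');
    return $isAdmin ? 'admin' : 'user';
}

// Fix 4: allow-list the keys before extracting. This also addresses the
// "array was built internally" mistake: whatever the array grows to contain,
// only the listed keys can become variables.
function allowListHandler(array $request): string
{
    $isAdmin = false;
    $allowed = ['username' => true, 'email' => true];
    extract(array_intersect_key($request, $allowed), EXTR_SKIP);
    return $isAdmin ? 'admin' : 'user';
}

foreach (['vulnerableHandler', 'explicitHandler', 'skipHandler',
          'prefixHandler', 'allowListHandler'] as $fn) {
    printf("%-18s -> %s\n", $fn, $fn($request));
}
```

Run under PHP 7 or 8, vulnerableHandler reports admin because the string '1' from the request is truthy, and the other four report user. Of the fixes, explicit assignment is the one the page recommends; EXTR_SKIP and EXTR_PREFIX_ALL are damage limitation for code that genuinely needs extract(), and the allow-list is what makes an internally built array stay safe as it grows.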

Added 15 Mar 2026
Edited 4 Apr 2026
DEV INTEL: Tools & Severity

Severity: 🟢 Low · Fix effort: Low
⚡ Quick Fix: When a block of code has a comment explaining what it does, that comment should be the name of an extracted method — the method name makes the comment redundant
📦 Applies To: PHP 4.0+ · any · web, cli, queue-worker
🔗 Prerequisites: (none listed)
🔍 Detection Hints: Comments like // validate address before function blocks; code blocks doing one thing inside larger method
Auto-detectable: ✓ Yes (rector, phpstan, phpcs)
⚠ Related Problems: (none listed)
🤖 AI Agent: Confidence: Medium · False Positives: Medium · ✗ Manual fix · Fix: Medium · Context: Function · Tests: Update
