{
    "slug": "extract_function",
    "term": "extract() — Dangerous Variable Injection",
    "category": "php",
    "difficulty": "beginner",
    "short": "extract() creates local variables from an array, allowing attackers to overwrite existing variables if input is unsanitised.",
    "long": "PHP's extract() imports array keys as variable names into the current scope. When called on user-supplied data ($_GET, $_POST, $_REQUEST, decoded JSON bodies), an attacker can inject keys that overwrite existing variables — including security-sensitive ones like $isAdmin or $userId — because the default flag EXTR_OVERWRITE replaces any variable of the same name. This is a classic variable injection vulnerability, the same class of bug that register_globals once enabled application-wide. Note that EXTR_SKIP only stops overwriting: an attacker can still create variables that later code treats as set (for example, a $debug or $redirect checked with isset()). Avoid extract() on anything attacker-influenced; read the specific keys you need explicitly and validate each one.",
    "aliases": [
        "extract()",
        "PHP extract",
        "array to variables"
    ],
    "tags": [
        "php",
        "security",
        "arrays"
    ],
    "misconception": "extract() is a convenient way to unpack arrays into variables. extract() on user-supplied data is a critical security risk — it can overwrite any existing variable in scope, including authentication flags and configuration values (modern PHP refuses to re-assign $this, but that protects nothing else). Never use it with untrusted input.",
    "why_it_matters": "PHP's extract() injects array keys as variables into the current scope — with user-controlled input it overwrites any existing variable, enabling variable hijacking attacks.",
    "common_mistakes": [
        "Using extract($_POST) or extract($_GET) — the attacker can set or overwrite any variable in that scope whose name is a valid PHP identifier.",
        "Using extract() with EXTR_OVERWRITE (the default) on any array that could contain attacker-influenced keys.",
        "Not using extract()'s EXTR_PREFIX_ALL (or at least EXTR_SKIP) flag when extraction is genuinely needed — prefixed variables avoid collision with existing names, though prefixed or newly created variables can still be attacker-controlled and must be validated like any other input.",
        "Trusting 'safe' keys because the array was built internally — over time array contents grow and the assumption breaks."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "register_globals",
        "input_validation"
    ],
    "prerequisites": [
        "refactoring",
        "long_method",
        "single_responsibility"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.extract.php",
        "https://owasp.org/www-community/vulnerabilities/PHP_File_Inclusion"
    ],
    "bad_code": "extract($_POST); // user can inject arbitrary variables",
    "good_code": "$username = $_POST['username'] ?? ''; $email = $_POST['email'] ?? '';",
    "quick_fix": "Replace extract($_POST) / extract($_GET) with explicit reads of the keys you actually need — $username = $_POST['username'] ?? '' — and validate each value; if extract() on an internal array must stay, pass EXTR_PREFIX_ALL with a prefix so no existing variable can be clobbered.",
    "severity": "low",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-04-04",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/extract_function",
        "html_url": "https://codeclaritylab.com/glossary/extract_function",
        "json_url": "https://codeclaritylab.com/glossary/extract_function.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[extract() — Dangerous Variable Injection](https://codeclaritylab.com/glossary/extract_function) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/extract_function"
            }
        }
    }
}