
extract() Security Risk

Category: Security · Applies to: PHP 4.0+ · Level: Intermediate
debt(d3/e3/b3/t5)
d3 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'default linter catches the common case' (d3). The term's detection_hints list phpcs, semgrep, and phpstan as tools that can flag extract($_POST/GET) patterns. These are standard PHP static analysis tools that catch the common dangerous usage with automated detection marked as 'yes'. Not d1 because PHP itself doesn't prevent extract() at compile time.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix states to replace extract() with explicit variable assignment or filter_input() — this is a straightforward pattern replacement within the affected file(s). Not e1 because you need to identify which variables were being extracted and assign them explicitly, which takes more than a single-line change but remains localized.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). extract() usage is typically confined to specific files (form handlers, template files). The applies_to shows it affects web/cli contexts, but the actual burden is limited to wherever extract() was called. It doesn't create system-wide dependencies or architectural constraints — just localized technical debt that can be fixed file by file.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5). The misconception explicitly states that developers believe EXTR_PREFIX_SAME is safe for user input, when attackers can still target predictable prefixed names. The common_mistakes show developers don't realize extract() overwrites existing variables by default (EXTR_OVERWRITE). This is a documented gotcha that experienced PHP devs learn, but it contradicts the convenient appearance of the function.


TL;DR

extract() creates variables from an array in the current scope — using it on user input ($_POST, $_GET) allows attackers to overwrite any local variable.

Explanation

extract(array $array) creates one variable per key in the current scope. extract($_POST) is as dangerous as register_globals — attackers can set any variable: ?role=admin overwrites $role. Even with EXTR_PREFIX_ALL, if the prefix is known the prefixed name can be targeted. extract() should only be used with trusted, bounded arrays (configuration, template variables) and never with user input. PHP_CodeSniffer and PHPStan flag extract() usage. Rector can suggest replacements. Use explicit variable assignment or list()/array destructuring over an allowlist of keys instead.
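The following is an added example (not code from the original page) showing how each extract() flag behaves when the array is attacker-controlled, and the allowlist-plus-destructuring pattern the paragraph recommends. $request is a constructed stand-in for $_POST, and the prefix 'p' is an assumed, predictable prefix.

```php
<?php
// Added example, not from the original page. $request stands in for $_POST
// (constructed input); 'p' is an assumed prefix a developer might choose.
$request = [
    'role'          => 'admin', // targets $role
    'authenticated' => '1',     // targets $authenticated
    'p_role'        => 'admin', // targets a prefixed name directly
];

// Default flag is EXTR_OVERWRITE: existing locals are silently replaced.
function withDefault(array $request): array
{
    $role = 'guest';
    $authenticated = false;
    extract($request);
    return ['role' => $role, 'authenticated' => $authenticated];
}

// EXTR_SKIP keeps existing locals, but every non-colliding key still becomes
// a new variable in scope ($p_role here), which later code may trust.
function withSkip(array $request): array
{
    $role = 'guest';
    $authenticated = false;
    extract($request, EXTR_SKIP);
    return ['role' => $role, 'p_role_created' => isset($p_role)];
}

// EXTR_PREFIX_ALL: the key 'role' lands in $p_role, so code that reads
// $p_role because "it is prefixed, so it is ours" reads the attacker's value.
function withPrefixAll(array $request): array
{
    extract($request, EXTR_PREFIX_ALL, 'p');
    return ['p_role' => $p_role, 'p_authenticated' => $p_authenticated];
}

// EXTR_PREFIX_SAME only prefixes keys that collide: $role survives, the
// colliding key is renamed to $p_role, and non-colliding keys are created
// unprefixed, so a predictable prefix gives no real protection.
function withPrefixSame(array $request): array
{
    $role = 'guest';
    extract($request, EXTR_PREFIX_SAME, 'p');
    return [
        'role'          => $role,
        'p_role'        => $p_role ?? null,
        'authenticated' => $authenticated ?? null,
    ];
}

// Safe alternative: copy an explicit allowlist of keys and bind them with
// array destructuring. Keys such as 'role' never reach the local scope.
function safeRead(array $request): array
{
    $allowed = ['username', 'email'];
    $clean = [];
    foreach ($allowed as $key) {
        $clean[$key] = $request[$key] ?? null;
    }
    ['username' => $username, 'email' => $email] = $clean;
    return ['username' => $username, 'email' => $email];
}

foreach (['withDefault', 'withSkip', 'withPrefixAll', 'withPrefixSame', 'safeRead'] as $fn) {
    echo $fn, ': ', json_encode($fn($request)), PHP_EOL;
}
```

Each function isolates one flag in its own scope so the before/after state of $role is easy to compare; run the script and note that only safeRead() leaves no attacker-chosen key in scope.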

Common Misconception

extract() with EXTR_PREFIX_SAME is safe for user input — attackers can still target the prefixed variable names if the prefix is predictable.

Why It Matters

extract() on user input recreates the register_globals vulnerability manually — authentication bypasses, privilege escalation, and arbitrary variable injection are all possible.

Common Mistakes

  • Calling extract($_POST) or extract($_GET) for convenience.
  • Using extract() in template files where variables could be overwritten.
  • Not knowing extract() overwrites existing variables by default (EXTR_OVERWRITE).

Code Examples

✗ Vulnerable
<?php
// extract() on user input — catastrophic: every key of $_POST becomes a local
extract($_POST); // ?role=admin&authenticated=1 sets $role and $authenticated
if ($authenticated && $role === 'admin') {
    // Attacker gains admin access
}
✓ Fixed
<?php
// Explicit extraction — only what you need:
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS);
$email    = filter_input(INPUT_POST, 'email',    FILTER_VALIDATE_EMAIL);

// If you must use extract, use trusted bounded data:
$templateVars = ['title' => 'Home', 'year' => date('Y')];
extract($templateVars, EXTR_SKIP); // Never user input; EXTR_SKIP keeps existing locals

Added 22 Mar 2026
DEV INTEL Tools & Severity
Severity: 🔴 Critical · Fix effort: Medium
⚡ Quick Fix
Never call extract() on user input. Replace it with explicit variable assignment or filter_input(). Add a phpcs rule that flags any extract() call for review.
📦 Applies To
PHP 4.0+ (web, cli)
🔗 Prerequisites: none listed
🔍 Detection Hints
Regex pattern: extract\(\$_
Auto-detectable: ✓ Yes (phpcs, semgrep, phpstan)
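The regex above misses calls with whitespace inside the parentheses or an upper-case function name. The following is an added example, not code from the page or from phpcs, semgrep or phpstan: a small tokenizer-based scanner that reports extract() on a request superglobal as critical and every other extract() call for review, as the quick fix asks. The sample source it scans is constructed.

```php
<?php
// Added example, not from the original page or any tool it names.
// Scans PHP source with the tokenizer instead of a regex.
function scanExtractCalls(string $code): array
{
    $tokens   = token_get_all($code);
    $count    = count($tokens);
    $tainted  = ['$_POST', '$_GET', '$_REQUEST', '$_COOKIE'];
    $findings = [];

    // Index of the next token that is not whitespace or a comment.
    $skip = static function (int $i) use ($tokens, $count): int {
        while ($i < $count && is_array($tokens[$i])
            && in_array($tokens[$i][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $i++;
        }
        return $i;
    };

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue;
        }
        // Accept `extract` (T_STRING) and `\extract` (T_NAME_FULLY_QUALIFIED on PHP 8).
        $isName = $tok[0] === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $tok[0] === T_NAME_FULLY_QUALIFIED);
        if (!$isName || strcasecmp(ltrim($tok[1], '\\'), 'extract') !== 0) {
            continue;
        }
        // Ignore method calls ($o->extract(), Foo::extract()) and a user
        // function declared with that name; those are not the builtin.
        $prev = $i - 1;
        while ($prev >= 0 && is_array($tokens[$prev]) && $tokens[$prev][0] === T_WHITESPACE) {
            $prev--;
        }
        if ($prev >= 0) {
            $text = is_array($tokens[$prev]) ? strtolower($tokens[$prev][1]) : $tokens[$prev];
            if (in_array($text, ['->', '?->', '::', 'function'], true)) {
                continue;
            }
        }
        $open = $skip($i + 1);
        if ($open >= $count || $tokens[$open] !== '(') {
            continue;
        }
        $arg     = $skip($open + 1);
        $argIsVar = $arg < $count && is_array($tokens[$arg]) && $tokens[$arg][0] === T_VARIABLE;
        $argText = $argIsVar ? $tokens[$arg][1] : '';
        $severity = ($argIsVar && in_array($argText, $tainted, true)) ? 'critical' : 'review';
        $findings[] = ['line' => $tok[2], 'arg' => $argText, 'severity' => $severity];
    }
    return $findings;
}

// Constructed sample source; nowdoc so the superglobals are not interpolated.
$sample = <<<'PHP'
<?php
extract($_POST);                   // superglobal argument
extract( $_GET , EXTR_SKIP );      // spaces inside the call
EXTRACT($_REQUEST);                // upper-case function name
extract($templateVars, EXTR_SKIP); // bounded array, still worth a look
$mapper->extract($_POST);          // method call, not the builtin
PHP;

foreach (scanExtractCalls($sample) as $f) {
    printf("line %d: extract(%s) [%s]\n", $f['line'], $f['arg'], $f['severity']);
}
```

To scan a real tree, pass file_get_contents() of each .php file to scanExtractCalls(); treating the 'review' findings as a code-review queue rather than a build failure matches the quick fix's intent.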
⚠ Related Problems: none listed
🤖 AI Agent
Confidence: High · False Positives: Low · ✗ Manual fix · Fix effort: Medium · Context: Function · Tests: Update
CWE-473 (PHP External Variable Modification), CWE-20 (Improper Input Validation), CWE-284 (Improper Access Control)