
extract() Security Risk

security PHP 4.0+ Intermediate

TL;DR

extract() creates variables from an array in the current scope — using it on user input ($_POST, $_GET) allows attackers to overwrite any local variable.

Explanation

extract(array $array) creates one variable per key in the current scope. extract($_POST) is as dangerous as register_globals — attackers can set any variable: ?role=admin overwrites $role. Even with EXTR_PREFIX_ALL, if the prefix is known, the prefixed variables can be targeted just as easily. extract() should only be used with trusted, bounded arrays (configuration, template variables) and never with user input. PHP_CodeSniffer and PHPStan flag extract() usage. Rector can suggest replacements. Use explicit variable assignment or list()/array destructuring instead.

Common Misconception

It is often assumed that extract() with EXTR_PREFIX_SAME is safe for user input. It is not: EXTR_PREFIX_SAME only prefixes keys that collide with an existing variable, so every other key is still created as a plain variable, and attackers can still target the prefixed names if the prefix is predictable.

Why It Matters

extract() on user input recreates the register_globals vulnerability manually — authentication bypasses, privilege escalation, and arbitrary variable injection are all possible.

Common Mistakes

  • Calling extract($_POST) or extract($_GET) for convenience.
  • Using extract() in template files where variables could be overwritten.
  • Not knowing extract() overwrites existing variables by default (EXTR_OVERWRITE).

Code Examples

✗ Vulnerable
// extract() on user input — catastrophic
extract($_POST); // ?role=admin&authenticated=1
if ($authenticated && $role === 'admin') {
    // Attacker gains admin access
}
✓ Fixed
// Explicit extraction — only what you need:
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS);
$email    = filter_input(INPUT_POST, 'email',    FILTER_VALIDATE_EMAIL);

// If you must use extract, use trusted bounded data:
$templateVars = ['title' => 'Home', 'year' => date('Y')];
extract($templateVars, EXTR_SKIP); // Never user input
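The allowlist approach from the fixed example, carried through as a complete request handler: this is an added example, not code from the glossary entry, and readAllowedFields(), $request and the field names are constructed for illustration.

```php
<?php
// Added example (not part of the glossary entry). Instead of extract(),
// a fixed allowlist names the only request fields a handler accepts and the
// filter each must pass; every other key in the request is ignored, so a
// submitted 'role' or 'authenticated' can never become a local variable.
declare(strict_types=1);

/**
 * Read only the allowlisted fields from a request array.
 * $allowed maps field name => filter_var() filter id. Returns the accepted
 * values keyed by name; missing fields are left out, invalid ones throw.
 */
function readAllowedFields(array $request, array $allowed): array
{
    $out = [];
    foreach ($allowed as $name => $filter) {
        if (!array_key_exists($name, $request)) {
            continue; // absent field: let the caller apply its own default
        }
        $value = filter_var($request[$name], $filter);
        if ($value === false) { // filter_var() returns false on failure
            throw new InvalidArgumentException("Invalid value for '$name'");
        }
        $out[$name] = $value;
    }
    return $out;
}

// Constructed request body: a legitimate form plus two injected keys that
// extract($_POST) would have turned into $role and $authenticated.
$request = [
    'username'      => 'alice',
    'email'         => 'alice@example.com',
    'role'          => 'admin',
    'authenticated' => '1',
];

$role = 'guest';        // application state that must not be overwritten
$authenticated = false;
$fields = readAllowedFields($request, [
    'username' => FILTER_SANITIZE_SPECIAL_CHARS,
    'email'    => FILTER_VALIDATE_EMAIL,
]);

// Bind the accepted values with array destructuring, not extract().
['username' => $username, 'email' => $email] = $fields;
// $role and $authenticated are untouched; the injected keys were never read.
assert($role === 'guest' && $authenticated === false);
assert(array_keys($fields) === ['username', 'email']);
```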

Added 22 Mar 2026
DEV INTEL Tools & Severity
🔴 Critical ⚙ Fix effort: Medium
⚡ Quick Fix
Never call extract() on user input. Replace with explicit variable assignment or filter_input(). Add phpcs rule to flag any extract() call for review.
📦 Applies To
PHP 4.0+ web cli
🔍 Detection Hints
extract\(\$_
Auto-detectable: ✓ Yes phpcs semgrep phpstan
CWE-473 CWE-20 CWE-284
