{
    "slug": "php_extract_security",
    "term": "extract() Security Risk",
    "category": "security",
    "difficulty": "intermediate",
    "short": "extract() creates variables from an array in the current scope — using it on user input ($_POST, $_GET) allows attackers to overwrite any local variable.",
    "long": "extract(array $array) creates one variable per key in the current scope. extract($_POST) is as dangerous as register_globals — attackers can set any variable: ?role=admin overwrites $role. Even with EXTR_PREFIX_ALL, the prefixed variables can still be targeted if the prefix is known. extract() should only be used with trusted, bounded arrays (configuration, template variables) and never with user input. PHP_CodeSniffer and PHPStan flag extract() usage. Rector can suggest replacements. Use explicit variable assignment or list()/array destructuring instead.",
    "aliases": [],
    "tags": [
        "php",
        "security",
        "extract",
        "injection"
    ],
    "misconception": "extract() with EXTR_PREFIX_SAME is safe for user input — attackers can still target the prefixed variable names if the prefix is predictable.",
    "why_it_matters": "extract() on user input recreates the register_globals vulnerability manually — authentication bypasses, privilege escalation, and arbitrary variable injection are all possible.",
    "common_mistakes": [
        "Calling extract($_POST) or extract($_GET) for convenience.",
        "Using extract() in template files where variables could be overwritten.",
        "Not knowing extract() overwrites existing variables by default (EXTR_OVERWRITE)."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "php_register_globals_risk",
        "input_validation",
        "broken_access_control",
        "superglobals"
    ],
    "prerequisites": [
        "input_validation",
        "superglobals"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.extract.php"
    ],
    "bad_code": "// extract() on user input — catastrophic\nextract($_POST); // ?role=admin&authenticated=1\nif ($authenticated && $role === 'admin') {\n    // Attacker gains admin access\n}",
    "good_code": "// Explicit extraction — only what you need:\n$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS);\n$email    = filter_input(INPUT_POST, 'email',    FILTER_VALIDATE_EMAIL);\n\n// If you must use extract, use trusted bounded data:\n$templateVars = ['title' => 'Home', 'year' => date('Y')];\nextract($templateVars, EXTR_SKIP); // Never user input",
    "quick_fix": "Never call extract() on user input. Replace it with explicit variable assignment or filter_input(). Add a phpcs rule to flag any extract() call for review.",
    "severity": "critical",
    "effort": "medium",
    "created": "2026-03-22",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/php_extract_security",
        "html_url": "https://codeclaritylab.com/glossary/php_extract_security",
        "json_url": "https://codeclaritylab.com/glossary/php_extract_security.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[extract() Security Risk](https://codeclaritylab.com/glossary/php_extract_security) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/php_extract_security"
            }
        }
    }
}