
Variable Variables ($$var) Risks

security PHP 3.0+ Advanced

TL;DR

$$var creates a variable whose name is the value of $var — using it with user input allows arbitrary variable access/creation and is effectively a backdoor.

Explanation

$$var is PHP's variable variable syntax: $varName = 'username'; $$varName = 'admin'; creates $username = 'admin'. It is almost always a design smell, and a security risk whenever $varName is derived from user input, because the request then chooses which variable in scope is read or overwritten. extract() uses the same mechanism internally. Variable variables are occasionally legitimate (template engines, serialisation) but need a strict whitelist of allowed names. PHPStan flags them as suspicious. PHP 7 also changed how $$var['key'] is parsed: PHP 5 read it as ${$var['key']}, PHP 7 reads it as ${$var}['key'], so code that relied on the old interpretation silently changed meaning.

Common Misconception

Misconception: variable variables are only a risk when used directly with $_GET. In reality, any path where user data influences the variable name, even indirectly, is exploitable.

Why It Matters

Variable variables give user input control over which program variables are read or written — a path to arbitrary code execution or authentication bypass.

Common Mistakes

  • Using $$key from a loop over user-supplied array keys.
  • Not whitelisting allowed variable names before using $$var.
  • Using variable variables in template code that processes user content.

Code Examples

✗ Vulnerable
// User sends: field=password&value=attackerPassword
$field = $_GET['field'];
$$field = $_GET['value']; // Sets $password = 'attackerPassword'
✓ Fixed
// Whitelist approach (sanitize() stands for the application's own
// validation/escaping helper; it is not defined in this snippet):
$allowed = ['title', 'body', 'author'];
$field = $_GET['field'] ?? '';
if (in_array($field, $allowed, true)) {
    $$field = sanitize($_GET['value'] ?? '');
}

// Better: explicit mapping, no variable variables at all
$data = [
    'title'  => sanitize($_GET['title'] ?? ''),
    'body'   => sanitize($_GET['body'] ?? ''),
];
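The following is an added example, not code from the CodeClarityLab entry. It puts the "loop over user-supplied keys" mistake from the list above and the extract() hazard mentioned in the explanation side by side, then shows an allow-list version that never touches the symbol table. $requestParams is a constructed stand-in for $_POST, and the function names are chosen for this example.

```php
<?php
// Added example, not code from the CodeClarityLab entry: demonstrates the
// "$$key in a loop over user-supplied keys" mistake and the equivalent
// extract() hazard, next to an allow-list version that copies into an array.
// $requestParams is a constructed stand-in for $_POST; function names are
// chosen for this example.
declare(strict_types=1);

// Constructed request body. The 'isAdmin' key is not a form field the code
// expects; it is chosen to collide with a security-relevant local variable.
$requestParams = [
    'title'   => 'Hello',
    'isAdmin' => '1',
];

// Mistake 1: $$key in a loop over user-supplied keys. Any key that matches a
// local variable name overwrites that local.
function vulnerableLoop(array $params): bool
{
    $isAdmin = false;
    foreach ($params as $key => $value) {
        $$key = $value;          // $key === 'isAdmin' clobbers $isAdmin
    }
    return (bool) $isAdmin;
}

// Mistake 2: extract() does the same job in one call. Its default mode is
// EXTR_OVERWRITE; EXTR_SKIP would protect existing locals but would still let
// the request create arbitrary new variables in this scope.
function vulnerableExtract(array $params): bool
{
    $isAdmin = false;
    extract($params);
    return (bool) $isAdmin;
}

// Fix: an allow-list of expected field names, copied into an array. The request
// can no longer name a variable, so $isAdmin is unreachable from $params.
function safeCopy(array $params): array
{
    $isAdmin = false;
    $allowed = ['title', 'body'];
    $fields  = [];
    foreach ($allowed as $name) {
        if (array_key_exists($name, $params)) {
            $fields[$name] = (string) $params[$name];
        }
    }
    return ['fields' => $fields, 'isAdmin' => $isAdmin];
}

var_dump(vulnerableLoop($requestParams));
var_dump(vulnerableExtract($requestParams));
var_dump(safeCopy($requestParams));
```

Run it with the php CLI: both vulnerable functions report the privilege flag as true because the request's 'isAdmin' key overwrote the local, while safeCopy() returns the flag untouched and only the 'title' field, since the unexpected key is never consulted.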

Added 22 Mar 2026
DEV INTEL Tools & Severity

Severity: 🔴 Critical
⚙ Fix effort: High

⚡ Quick Fix
Whitelist all variable names before using $$var. Better: replace variable variables with explicit associative arrays. Add phpcs/phpstan rules to flag $$var usage.

📦 Applies To
PHP 3.0+ (web, cli)

🔍 Detection Hints
Regex: \$\$[a-zA-Z_]
Auto-detectable: ✓ Yes (phpstan, semgrep)
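The regex above is a quick grep, but it flags "$$" inside string literals and comments and misses the ${$name} and ${'literal'} forms. The following added example, which is not tooling from the CodeClarityLab entry, scans source with PHP's own tokenizer instead. The function name and the sample source are constructed for this example.

```php
<?php
// Added example, not tooling from the CodeClarityLab entry: locates
// variable-variable syntax with token_get_all() rather than the bare regex
// \$\$[a-zA-Z_]. Working on tokens catches ${$name} and ${'literal'} forms
// and ignores "$$" inside string literals or comments. The function name and
// the sample source are constructed for this example.
declare(strict_types=1);

/**
 * Return one ['line' => int, 'form' => string] entry per dynamic variable
 * reference. token_get_all() emits $$x and ${...} as a bare '$' token (a
 * one-character string) followed by a T_VARIABLE token or a '{' token.
 */
function findVariableVariables(string $source): array
{
    $tokens = token_get_all($source);
    $hits   = [];
    $line   = 1;
    $count  = count($tokens);

    for ($i = 0; $i < $count; $i++) {
        $token = $tokens[$i];

        // Array tokens carry their starting line; advance past any newlines
        // they contain so the single-character tokens that follow get the
        // right line number too.
        if (is_array($token)) {
            $line = $token[2] + substr_count($token[1], "\n");
            continue;
        }
        if ($token !== '$' || $i + 1 >= $count) {
            continue;
        }

        $next = $tokens[$i + 1];
        if (is_array($next) && $next[0] === T_VARIABLE) {
            $hits[] = ['line' => $line, 'form' => '$' . $next[1]];
        } elseif ($next === '{') {
            $hits[] = ['line' => $line, 'form' => '${...}'];
        }
    }
    return $hits;
}

// Constructed sample: two real dynamic variable writes, plus a string literal
// and a comment that the regex would flag but the tokenizer correctly skips.
$sample = <<<'PHP'
<?php
$name = 'x';
$$name = 1;
${'dyn' . $name} = 2;
echo "total: $$name";
// $$name in a comment is not code
PHP;

foreach (findVariableVariables($sample) as $hit) {
    printf("line %d: %s\n", $hit['line'], $hit['form']);
}
```

On the constructed sample the scanner reports the two real uses (line 3 as $$name and line 4 as ${...}) and nothing for the echo string or the comment; the same approach can be wired into a pre-commit hook or a phpcs sniff, which is what the Quick Fix above recommends.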
🤖 AI Agent
Confidence: High
False Positives: Medium
✗ Manual fix
Fix: High
Context: Function
Tests: Update

CWE-73 (External Control of File Name or Path), CWE-471 (Modification of Assumed-Immutable Data), CWE-20 (Improper Input Validation)