
Variable Variables ($$var) Risks

Security PHP 3.0+ Advanced
debt(d5/e5/b4/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5): the detection hints list phpstan and semgrep with a clear regex pattern \$\$[a-zA-Z_] that flags every usage, but it is not a default linter rule and it will not always trace indirect taint (for example through extract() or a loop over request keys).

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor' (e5), since quick_fix recommends replacing variable variables with explicit associative arrays — a refactor across each usage site, not a single-line swap, especially when loops and templates are involved.

b4 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3) leaning toward persistent (b4), because while $$var usage is typically scattered in specific components (templates, dynamic dispatch), it creates an ongoing review/audit burden wherever it appears across web and cli contexts.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7), because the misconception recorded below is that variable variables are only risky when used directly with $_GET, whereas any indirectly user-influenced path is exploitable — contradicting the intuition that sanitisation elsewhere protects you.


TL;DR

$$var creates a variable whose name is the value of $var — using it with user input allows arbitrary variable access/creation and is effectively a backdoor.

Explanation

$$var is PHP's variable variable syntax: $varName = 'username'; $$varName = 'admin' creates $username = 'admin'. It is almost always a design smell, and it is a security risk whenever $varName is derived from user input: an attacker can then read or overwrite any variable in scope. extract() uses the same mechanism internally, so it carries the same risk. Variable variables are occasionally legitimate (template engines, serialisation) but require a strict whitelist of permitted names. PHPStan flags them as suspicious. PHP 7's uniform variable syntax resolved the previously ambiguous $$var['key'] strictly left to right, as ${$var}['key'], whereas PHP 5 read it as ${$var['key']}.

Common Misconception

That variable variables are only a risk when used directly with $_GET. In fact, any path by which user data influences the variable name, however indirectly (array keys, config values, template parameters), is exploitable.

Why It Matters

Variable variables give user input control over which program variables are read or written — a path to arbitrary code execution or authentication bypass.

Common Mistakes

  • Using $$key from a loop over user-supplied array keys.
  • Not whitelisting allowed variable names before using $$var.
  • Using variable variables in template code that processes user content.

Code Examples

✗ Vulnerable

// User sends: field=password&value=attackerPassword
$field = $_GET['field'];
$$field = $_GET['value']; // Sets $password = 'attackerPassword'

✓ Fixed

// Whitelist approach (sanitize() stands for the application's own
// input-cleaning helper; it is not a PHP built-in):
$allowed = ['title', 'body', 'author'];
$field = $_GET['field'] ?? '';
if (in_array($field, $allowed, true)) {
    $$field = sanitize($_GET['value'] ?? '');
}

// Better: explicit mapping, no variable variables at all
$data = [
    'title'  => sanitize($_GET['title'] ?? ''),
    'body'   => sanitize($_GET['body'] ?? ''),
];
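The indirect path from the Common Misconception and the first Common Mistake (a loop over request keys), as an added example that is not part of the glossary entry. The request array and the $isAdmin flag are constructed for illustration, and htmlspecialchars() stands in for whatever field cleaning the application does.

```php
<?php
declare(strict_types=1);

// Constructed request (stands in for $_POST): one expected field plus an
// extra key that collides with an internal flag the client was never
// meant to control. No $_GET/$_POST appears in the handler itself.
const REQUEST = ['title' => 'Hello', 'isAdmin' => '1'];

// Vulnerable: every request key becomes a variable name. extract($request)
// has the same effect. The regex \$\$[a-zA-Z_] flags the $$key line, but
// it cannot tell you on its own that $request is user-controlled.
function vulnerableHandler(array $request): bool
{
    $isAdmin = false;                 // internal authorisation flag
    foreach ($request as $key => $value) {
        $$key = $value;               // key 'isAdmin' overwrites $isAdmin
    }
    return (bool) $isAdmin;           // the request now decides this
}

// Hardened: known fields are copied into an array, never into the symbol
// table, so unknown keys such as 'isAdmin' are simply ignored.
function hardenedHandler(array $request): array
{
    $isAdmin = false;
    $allowed = ['title', 'body'];
    $data = [];
    foreach ($allowed as $field) {
        $value = (string) ($request[$field] ?? '');
        $data[$field] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return ['data' => $data, 'isAdmin' => $isAdmin];
}

var_dump(vulnerableHandler(REQUEST));
var_dump(hardenedHandler(REQUEST));
```

The vulnerable handler's flag flips to true because the request key chose the variable; the hardened handler never lets request data name a variable, so the flag stays false.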

Added 22 Mar 2026
DEV INTEL Tools & Severity

Severity: 🔴 Critical. ⚙ Fix effort: High.

⚡ Quick Fix
Whitelist all variable names before using $$var. Better: replace variable variables with explicit associative arrays. Add phpcs/phpstan rules to flag $$var usage.

📦 Applies To
PHP 3.0+ (web, cli)

🔍 Detection Hints
Pattern: \$\$[a-zA-Z_]
Auto-detectable: ✓ Yes (phpstan, semgrep)

🤖 AI Agent
Confidence: High. False positives: Medium. ✗ Manual fix. Fix: High. Context: Function. Tests: Update.

CWE-73, CWE-471, CWE-20