Home/ Questions/Q 4621670
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T02:44:04+00:00

In my previous post i ask how to create variables from an array (

  • 0

In my previous post i ask how to create variables from an array ( PHP Variables made with foreach ) i got several answers and i was testing extract() but i have seen several against it for security reasons.

Now my question here is how can i use extract in a secure way from a $_POST that has an array that was made using jquery serialized.

With secure i mean that if a user inputs the wrong data, the secure way can take care of that with no problems.

THe PHP Site has a small warning in the extract command the says the following:

Do not use extract() on untrusted
data, like user input (i.e. $_GET,
$_FILES, etc.). If you do, for example
if you want to run old code that
relies on register_globals
temporarily, make sure you use one of
the non-overwriting extract_type
values such as EXTR_SKIP and be aware
that you should extract in the same
order that’s defined in
variables_order within the php.ini.

It warns about the use but does not provide an example at least of how to solve the user of extract in a secure way.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The best option is to not use extract() at all. It’s a bad design decision from the days when PHP was the equivalent of wet toilet paper for writing secure code.

    It may be painful, but it is far better to write out a long sequence of:

    $var1 = $_POST['var1'];
$var2 = $_POST['var2'];
etc...

    or simply use $_POST['var1'] and company everywhere in your code.

    As soon as you start using extract, you’re giving malicious users a potential way into your code, no matter how much time/effort you put into it. You don’t drill a hole through a bank vault door because it’s too annoying to have to open the door each time to let some money out. Once there’s a hole, it will be exploited.

    • 0