Is using extract($_POST) insecure?

Backend | Unresolved | 5 answers | 1508 views
半阙折子戏 2021-01-20 17:03

Is using extract($_POST) insecure? If yes then what can I do about this?

5 answers
  •  轮回少年
    2021-01-20 17:40

    Using extract($_POST) is insecure, as others have stated. You asked what you could do about making extract($_POST) secure, specifically to avoid constantly referencing the $_POST array.

    The Literal Answer

    You asked about using extract($_POST) securely. It is somewhat safe to use as the first line of your script, before any local variables have been defined, or with EXTR_PREFIX_ALL and a prefix. In both cases, however, you are making a risky gamble that you will never accidentally introduce a security hole via a typo anywhere in that variable scope. Global scope is exceptionally difficult to verify. Because all programmers make typos and the inconvenience is minimal, most programmers strongly encourage never extract()ing untrusted content, regardless of limited scope, prefixes, etc.

    The Correct Answer

    $_POSTed data is untrusted and insecure. You never know what it might contain - or if it will even be set. It is useful to think of $_POST as "tainted" data which must be "cleaned" before assigning it to a local variable. As a result, you should be able to minimize your typing of "$_POST" by validating the input as you assign it to local variables. PHP 5.2 and up make this easier with the filter_input() and filter_var() functions with the validation filters.

    As an aside, you should always validate your inputs and sanitize your outputs. If you instead sanitize your inputs, you can run into problems displaying them in different contexts (i.e., a non-HTML logger, printing to a terminal). If you don't sanitize your outputs, you run into XSS, SQL Injection, etc.

    The rule of thumb encouraged by this mindset is to treat all data entering your system from another you don't control as "tainted", untrustworthy - you probably don't control the system running the web browser, unless developing for a LAN. Further, "defense in depth" encourages treating even trusted systems as compromisable (it happens), making this generally best practice for programmers.
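A worked contrast of the two approaches the answer describes, added here as an example and not part of the original answer or of any project: the variable-clobbering effect of extract() beside field-by-field validation with the filter extension. The form field names and the request arrays are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the original answer). It contrasts extract($_POST)
// with validating each field as it is assigned, using the filter extension.
// The request arrays below are constructed for the demonstration.
declare(strict_types=1);

// Unsafe: extract() lets any posted field name overwrite a local variable.
function isAdminUnsafe(array $post): bool
{
    $isAdmin = false;          // decided by server-side logic, not the client
    extract($post);            // a field literally named "isAdmin" clobbers it
    return (bool) $isAdmin;
}

// Safe: a whitelist of expected fields, each validated as it is assigned.
// filter_var_array() is used so the example runs offline; for a live request
// filter_input_array(INPUT_POST, $definition) takes the same definition.
function readSignupForm(array $post): ?array
{
    $definition = [
        'email'      => FILTER_VALIDATE_EMAIL,
        'age'        => ['filter'  => FILTER_VALIDATE_INT,
                         'options' => ['min_range' => 13, 'max_range' => 120]],
        // NULL_ON_FAILURE distinguishes "absent" (null) from "invalid" (false)
        'newsletter' => ['filter' => FILTER_VALIDATE_BOOLEAN,
                         'flags'  => FILTER_NULL_ON_FAILURE],
    ];
    $clean = filter_var_array($post, $definition);   // unknown keys are dropped
    if ($clean['email'] === null || $clean['email'] === false
        || $clean['age'] === null || $clean['age'] === false) {
        return null;           // required field missing or invalid: reject
    }
    $clean['newsletter'] = $clean['newsletter'] ?? false;
    return $clean;
}

// Constructed requests (assumed field names: email, age, newsletter)
$hostile = ['email' => 'a@example.com', 'age' => '30', 'isAdmin' => '1'];
var_dump(isAdminUnsafe($hostile));        // bool(true): privilege flag overwritten
var_dump(readSignupForm($hostile));       // 'isAdmin' never reaches a variable
var_dump(readSignupForm(['email' => 'not-an-email', 'age' => '30'])); // NULL

// Escape at output time, per context (HTML here), not at input time.
$form = readSignupForm($hostile);
echo htmlspecialchars($form['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

Keys not listed in the definition are silently discarded by filter_var_array(), which is what keeps an unexpected "isAdmin" field from ever becoming a variable.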
