catrina
Contact form sender isn't safe.
It isn't safe to use the PHP extract function on data sent by the user.
Oh, seriously? What is the problem with this? Do you have another suggestion that doesn't use frameworks, @brunoziie?
When you use extract(), you allow the user to inject values into variables in your code. For example, you have a variable $foo in your code with a certain value, then the user sends a POST request with a field of the same name. Using extract($_POST), the value of $foo will be replaced by the $_POST['foo'] value.
<?php
// Before extract()
$foo = 'John';
// The request body sent by the user, as PHP parses it:
// $_POST => array('foo' => 'Jane');
// After extract(), every POST field becomes a local variable,
// silently overwriting any variable with the same name.
extract($_POST);
echo $foo; // outputs: Jane
You must validate all the data sent by the user and manually assign the values to variables.
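The following is an added example (it is not code from the gist or from @brunoziie) that puts the variable-clobbering problem described above next to the explicit-assignment alternative, in the setting of a contact-form handler. The field names, the recipient variable $to and the simulated $_POST array are constructed for the illustration and are not taken from the gist.

```php
<?php
// Added example, not from the original gist. All names ($to, the form
// fields, the simulated request) are assumptions made for the demo.

// Constructed request body, standing in for what a user would POST.
// 'to' is a field the form never defines; an attacker adds it on purpose.
$_POST = [
    'name'    => 'Jane',
    'email'   => 'jane@example.com',
    'message' => 'Hello',
    'to'      => 'attacker@example.net',
];

// Vulnerable variant: extract() turns every POST key into a local
// variable, so the attacker-supplied 'to' overwrites the intended $to.
function handleUnsafe(array $post): array
{
    $to = 'owner@example.com';   // intended recipient
    extract($post);              // $to becomes 'attacker@example.net'
    return ['to' => $to, 'from' => $email, 'body' => $message];
}

// Hardened variant: read only the fields the form defines, validate each
// one, and assign to variables by hand. Unexpected keys are ignored.
function handleSafe(array $post): array
{
    $to = 'owner@example.com';   // cannot be influenced by the request

    $name    = trim((string) ($post['name'] ?? ''));
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $message = trim((string) ($post['message'] ?? ''));

    if ($name === '' || $email === false || $message === '') {
        throw new InvalidArgumentException('invalid form data');
    }

    return ['to' => $to, 'from' => $email, 'name' => $name, 'body' => $message];
}

print_r(handleUnsafe($_POST)); // 'to' => attacker@example.net
print_r(handleSafe($_POST));   // 'to' => owner@example.com
```

If extract() really has to stay, extract($post, EXTR_SKIP) refuses to overwrite variables that already exist, but it still creates a variable for every key the user chooses to send, so explicit assignment with validation remains the safer pattern.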
Thanks for the tip @brunoziie, new ideas are welcome.