Using extract is almost as dangerous as enabling register_globals. It will pollute your namespace and can trample on existing configuration variables etc. I'd advise that you do something more constrained so there's less chance of introducing exploits into your code. Try this:
Just a small correction: with EXTR_SKIP, extract() causes fewer problems than it initially appears to. However, because most people are sloppy and don't initialize their variables, I'd advise using a more specific approach.
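An added example, not part of the original posts, comparing plain extract(), extract() with EXTR_SKIP, and a constrained copy of named fields. The `$post` array is constructed sample input standing in for `$_POST`, and the function and field names are hypothetical.

```php
<?php
// Constructed sample input standing in for $_POST (field names are assumptions).
$post = ['username' => 'alice', 'is_admin' => '1', 'config' => 'overwritten'];

// 1. Plain extract(): request keys overwrite variables already in scope.
function plain_extract(array $input): array
{
    $config = 'trusted';          // existing configuration variable
    extract($input);              // default flag is EXTR_OVERWRITE
    return ['config' => $config, 'is_admin' => $is_admin ?? null];
}

// 2. EXTR_SKIP: variables that already exist are left alone, but a variable
//    the code never initialized is still created from the request.
function skip_extract(array $input): array
{
    $config = 'trusted';
    extract($input, EXTR_SKIP);
    // $is_admin was not initialized above, so the posted value ends up here.
    return ['config' => $config, 'is_admin' => $is_admin ?? null];
}

// 3. Constrained approach: copy only the keys the script expects, and only
//    when they are plain strings. Nothing else enters the local scope.
function pick_fields(array $input, array $allowed): array
{
    $out = [];
    foreach ($allowed as $key) {
        $out[$key] = (isset($input[$key]) && is_string($input[$key]))
            ? $input[$key]
            : null;
    }
    return $out;
}

var_dump(plain_extract($post));            // config is replaced by the request
var_dump(skip_extract($post));             // config kept, is_admin still set
var_dump(pick_fields($post, ['username'])); // only username is copied
```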
This is kinda related. If you don't know what the variable names are (for example, from a script where you cannot find the name of the variable being posted), is there a way you can be shown what variables are being posted?