Tags: php, arrays, variables, html-form, handler

Create Variables by Form Submit (PHP)


I'm a newbie, so I do not know the technical terms :(

So, the process of my code:

  1. Read out the form values, received as a string

  2. Generate "variables" from the received string (HTML form (id) with corresponding values (form input))

      $variableX1 = "Value1";
      $variableX2 = "Value2";
      ...
    

Purpose of my code: no more need to write POST variables manually to process those forms

     generate variables & values:     $loginmail = "[email protected]";
     instead of writing:              $loginmail = $_POST['email'];

My code example:

class formHandler {

    // Get form input, read out properties ----------------------------------------------------------------
    function getVariables() {

        $formString = $_POST['formInit'] ?? '';                    // Get string from serverRequest.js

        $formArray = explode('&', $formString);                     // Create array from string > separate form inputs

        foreach ($formArray as $value) {

            $formInput = explode('=', $value, 2);                   // Create array from every form input (name, value)
            if (count($formInput) !== 2) {                          // Skip fragments that have no "="
                continue;
            }

            ${$formInput[0]} = urldecode($formInput[1]);            // Creates variables & URL-decoded values
                                                                    // (local to this method; visible to the include below)
        }

        include_once 'fileHandler.php';
    }
}

Problem / Question: This code is working so-so

  1. General: Is it a safe & smart way to process forms like this?
  2. As I receive all data as a string, does it have an influence on security or processes? e.g. registration, inserting a password, or age (as integer)

  3. Furthermore, do there still need to be prepared statements to insert data into the DB?

Maybe someone could tell me a solution, or where to pay attention :) Thank you very much.


Solution

  • To answer your 1st question: whether it's safe depends on what you intend to do with it, but since you want to save this into the database, at the moment it's not safe. You answered your question yourself with the 3rd question. Always use prepared statements.

    I'd also say it's not that smart. Sure, it's smart in the sense that you don't need to care about any new variables etc., but what happens if

    • You are re-designing your database? Then you don't know where some fields are used
    • A user simply adds more fields (or removes fields) from the POST request (by changing the form or manually sending the request)? Then everything will fail, because you will be trying to insert unknown fields into the database
    • When refactoring, you can't search your IDE for usages of automatically generated variables. (That's also why I'm no fan of calling methods by string concatenation or similar)

    Simply said: I'd avoid "magic" for creating variables, methods or anything else. Don't think about what's easy to program; think about what's easy to maintain and easy to read later! No one will know what happens in this code just by reading it, and that should always be the #1 priority.


    To answer your 2nd question: a string is not more or less insecure than any other data type. Passwords should always be encrypted (I'm not actively developing PHP anymore, so I don't know if this is the current standard, but take a look at: https://www.php.net/manual/de/function.password-hash.php)


    What I like to do for what you're trying to achieve is serialization/deserialization.

    The symfony framework has a nice graphic for this

    [Image: Serializer graphic]

    Source: https://symfony.com/doc/current/components/serializer.html

    So, since you already have an array, for you it would be denormalization. You could write a denormalizer which does nothing else than convert the array to the model.

    I don't know if this is already too advanced but you could take a look at
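The handler below is an added example, not code from the question or the answer, that puts the answer's points together: the same `a=b&c=d` string is parsed into an array with `parse_str()` instead of into variables, only an explicit allowlist of fields is accepted (so an extra `is_admin=1` in the request is rejected rather than silently turned into a variable), `age` is validated as an integer even though it arrives as a string, the password is stored with `password_hash()`, and the insert is a PDO prepared statement. The "denormalizer" is just the static constructor that turns the array into a typed model. The field names `email`, `password`, `age`, the `users` table and the use of an in-memory SQLite database are assumptions so the script runs stand-alone; it needs PHP 7.4 or newer (typed properties) with the PDO SQLite extension.

```php
<?php
// Added example (not from the question or answer): a form handler for the same
// urlencoded body as $_POST['formInit'] that never creates variables from
// user-controlled names. Field names, table name and SQLite are assumptions.
declare(strict_types=1);

final class RegistrationForm
{
    // Allowlist of fields the handler accepts; anything else in the request is an error.
    private const FIELDS = ['email', 'password', 'age'];

    public string $email;
    public string $passwordHash;
    public int $age;

    /** Denormalizer: build the model from the raw "a=b&c=d" string, throwing on bad input. */
    public static function fromQueryString(string $formString): self
    {
        // parse_str() with a second argument fills an array. The one-argument form
        // would create variables in the current scope, which is what to avoid.
        $data = [];
        parse_str($formString, $data);

        $unknown = array_diff(array_keys($data), self::FIELDS);
        if ($unknown !== []) {
            throw new InvalidArgumentException('Unexpected fields: ' . implode(', ', $unknown));
        }
        foreach (self::FIELDS as $field) {
            if (!isset($data[$field]) || !is_string($data[$field])) {
                throw new InvalidArgumentException("Missing field: $field");
            }
        }

        $email = filter_var($data['email'], FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            throw new InvalidArgumentException('Invalid email address');
        }
        // Age arrives as a string; validate it as an integer in a plausible range
        // instead of trusting a cast.
        $age = filter_var($data['age'], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 150]]);
        if ($age === false) {
            throw new InvalidArgumentException('Invalid age');
        }
        if (strlen($data['password']) < 8) {
            throw new InvalidArgumentException('Password too short');
        }

        $form = new self();
        $form->email = $email;
        // Store only a salted hash; password_hash() chooses the algorithm and salt.
        $form->passwordHash = password_hash($data['password'], PASSWORD_DEFAULT);
        $form->age = $age;
        return $form;
    }

    /** Insert with a prepared statement; values are bound, never concatenated into SQL. */
    public function save(PDO $pdo): void
    {
        $stmt = $pdo->prepare(
            'INSERT INTO users (email, password_hash, age) VALUES (:email, :hash, :age)'
        );
        $stmt->bindValue(':email', $this->email, PDO::PARAM_STR);
        $stmt->bindValue(':hash', $this->passwordHash, PDO::PARAM_STR);
        $stmt->bindValue(':age', $this->age, PDO::PARAM_INT);
        $stmt->execute();
    }
}

// Usage with a constructed request body; SQLite in memory so the script runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT, age INTEGER)');

$body = 'email=alice%40example.com&password=correct+horse+battery&age=34';
$form = RegistrationForm::fromQueryString($body);
$form->save($pdo);
echo 'Stored ', $form->email, ' (age ', $form->age, ')', PHP_EOL;

// A field the form does not define is rejected instead of becoming a variable.
try {
    RegistrationForm::fromQueryString($body . '&is_admin=1');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// A quote in a value is bound as data by the prepared statement, not parsed as SQL.
$hostile = RegistrationForm::fromQueryString("email=bob%40example.com&password=longenough1&age=40");
$hostile->email = "bob'--@example.com";
$hostile->save($pdo);
echo 'Rows: ', $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;
```

Everything the request can influence goes through a fixed list of names and a type check before it reaches the model, which is what makes the later refactoring points in the answer tractable: an IDE can find every use of `$form->email`, and a redesigned table only requires changing `save()`.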