[wp-trac] [WordPress Trac] #63273: Fatal due to superglobal $_POST modification with invalid int type
WordPress Trac
noreply at wordpress.org
Sun Apr 13 08:27:00 UTC 2025
#63273: Fatal due to superglobal $_POST modification with invalid int type
-------------------------------+-----------------------------
Reporter: kkmuffme | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Posts, Post Types | Version:
Severity: major | Keywords:
Focuses: |
-------------------------------+-----------------------------
By default PHP's $_POST and $_GET superglobals can only contain string and
array types.
Unfortunately, WordPress overwrites the superglobals though and thereby
sets keys with invalid int values, e.g. when updating a page/post
/wp-admin/post.php?post=123&action=edit it will set `user_ID`,
`post_author`, ... see
https://github.com/WordPress/wordpress-develop/blame/trunk/src/wp-admin/includes/post.php#L63
When using `strict_types=1` in a file and processing the $_POST data with
a function that expects a string type, you'll get a fatal error.
If it's a non-WP form which might use the same keys (e.g. ID or user_ID),
this means that extra handling needs to be added to plugin/theme code to
ensure it works in both cases without a fatal (and ignoring 1000s of errors
from static analysis, which tells me that $_POST values cannot be int).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63273>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
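
The failure mode described in the ticket, with one defensive way to read such fields, as an added example that is not part of the ticket or of WordPress core. `$post` is a constructed stand-in for `$_POST`, and `normalize_id()` and `request_string()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed sample input: mimics $_POST after other code has written
// integer values into it (the ticket names user_ID and post_author).
$post = [
    'post_title'  => 'Hello',
    'user_ID'     => 1,          // int, not the string PHP's parser would give
    'post_author' => 1,          // int, not a string
    'tags'        => ['a', 'b'], // arrays are a legitimate request type
];

// A typical strict consumer (hypothetical): accepts only a string.
function normalize_id(string $raw): string
{
    return ltrim(trim($raw), '0');
}

// Hypothetical helper: return a request field as a string, or null when the
// key is missing or holds a value that cannot safely be treated as one.
function request_string(array $source, string $key): ?string
{
    if (!array_key_exists($key, $source)) {
        return null;
    }
    $value = $source[$key];
    if (is_string($value)) {
        return $value;
    }
    // Numbers can only have been written by code, not by the request parser.
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    return null; // arrays and anything else are rejected, not cast
}

// Direct use: an int reaches a string parameter under strict_types=1.
try {
    normalize_id($post['user_ID']);
} catch (TypeError $e) {
    echo 'TypeError: ', $e->getMessage(), PHP_EOL;
}

// Guarded use: the same field read through the helper.
echo normalize_id(request_string($post, 'user_ID') ?? ''), PHP_EOL;
var_dump(request_string($post, 'tags'));
```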