Deprecate use of $_GET/$_POST so query parameters are not in an inconsistent state #12620
Labels
c: Platform
For Matomo platform changes that aren't impacting any of our APIs but improve the core itself.
Task
Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.
Currently, any part of Matomo (including core, core plugins, 3rd party plugins) can and do use the $_GET/$_POST variables directly, to either change the context in which other code runs (like changing the site/date), or to read query params directly.
This is not desirable, since it can lead to instances where $_GET has one value and $_POST has another. Or instances where reading it directly can bypass sanitization. Which can create odd, hard to diagnose bugs, or even potential security vulnerabilities.
To fix this, we should:
Common::getRequestVar instead of using the superglobals)
Would have to be done for Matomo 4.
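As an added example (not code from this issue or from Matomo), a single request-parameter accessor of the kind the issue argues for could look like the sketch below. The class name `RequestParams`, the choice to reject a request whose GET and POST values conflict, and HTML encoding as the sanitization step are all assumptions.

```php
<?php
// Added illustration: RequestParams is a hypothetical class, not Matomo's API.
final class RequestParams
{
    private array $params;
    public function __construct(array $get, array $post)
    {
        // Reject a request whose query string and body disagree on a key, so
        // callers never see a value that depends on which array they read.
        foreach (array_intersect_key($get, $post) as $key => $value) {
            if ($value !== $post[$key]) {
                throw new InvalidArgumentException("Conflicting values for '$key'");
            }
        }
        // One merged snapshot; later writes to $_GET/$_POST cannot change it.
        $this->params = $post + $get;
    }

    public function getString(string $name, string $default = ''): string
    {
        $value = $this->params[$name] ?? $default;
        if (!is_string($value)) {
            throw new InvalidArgumentException("'$name' must be a string");
        }
        // Every read passes through the same (assumed) sanitization step.
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    public function getInt(string $name, int $default = 0): int
    {
        if (!array_key_exists($name, $this->params)) {
            return $default;
        }
        $value = filter_var($this->params[$name], FILTER_VALIDATE_INT);
        if ($value === false) {
            throw new InvalidArgumentException("'$name' must be an integer");
        }
        return $value;
    }
}

// Constructed sample request: idSite differs between query string and body.
try {
    new RequestParams(['idSite' => '1'], ['idSite' => '2']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
$request = new RequestParams(['idSite' => '1', 'label' => '<b>x</b>'], []);
echo $request->getInt('idSite'), ' ', $request->getString('label'), "\n";
```

In real use the object would be built once at the entry point from `$_GET` and `$_POST`, and everything else would receive it instead of touching the superglobals.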