Fatal due to superglobal $_POST modification with invalid int type

[kkmuffme]

By default PHP's $_POST and $_GET superglobals can only contain string and array types.

Unfortunately, WordPress overwrites the superglobals though and thereby sets keys with invalid int values. e.g. when updating a page/post /wp-admin/post.php?post=123&action=edit it will set user_ID, post_author,... see ​https://github.com/WordPress/wordpress-develop/blame/trunk/src/wp-admin/includes/post.php#L63

When using strict_types=1 in a file and processing the $_POST data with a function that expects a string type, you'll get a fatal error.

If it's a non-WP form, which might use the same keys (e.g. ID or user_ID) means that extra handling needs to be added to plugin/theme code to ensure it works in both cases without fatal (and ignoring 1000s of errors from static analysis, which tells me that $_POST values cannot be int)

[joemcgill]

Thanks for the report, @kkmuffme. I'm moving this to the 6.9 milestone for consideration since this is an existing issue and not something that is the result of a change during 6.8.

If anyone wants to do some investigation to see if there are other places where WP is overwriting globals in this way which need to be fixed at the same time, that would be super helpful.

Trac ticket: https://core.trac.wordpress.org/ticket/63273

[welcher]

This was reviewed in the 6.9 Bug Scrub today. @joemcgill there is an associated PR, would you be able to review it?

[joemcgill]

Thanks for the ping, @welcher! Unfortunately, I won't have availability to help with this during this cycle. Unassigning myself so someone else can review.

[welcher]

Thanks @joemcgill, given that I will punt this to Future Release.