Why it Matters

PHP superglobals like $_GET, $_POST, and $_REQUEST give direct access to raw user input. If developers read these values directly, they skip Magento’s built-in filtering and validation. Attackers can send crafted requests that inject malicious input into the application.

Using Magento’s request API ensures that inputs are normalized and safer to use. It also makes the code more consistent and testable. Avoiding superglobals lowers the risk of injection bugs, XSS, and other input-handling issues.

Verification Steps

Manual

# Search custom modules for use of PHP superglobals
grep -R "\$_GET" app/code
grep -R "\$_POST" app/code
grep -R "\$_REQUEST" app/code

Remediation / Fix Guidance

  1. Replace direct reads of $_GET, $_POST, or $_REQUEST with Magento's request object.
  2. Use $this->getRequest()->getParam('param') or $this->getRequest()->getPostValue('param') for safe access.
  3. Apply Magento's validators and filters so that each value is in the expected type and format before it is used.
  4. Review all custom code for hidden uses of superglobals (including helpers, observers, and templates) and refactor them.

Examples

Fail Example

// Direct use of superglobals
$id = $_GET['id'];

Pass Example

// Safe use with Magento request API
$id = (int) $this->getRequest()->getParam('id');
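The following is an added example, not code from the original page, showing a Magento 2 POST controller that applies the remediation steps above: every value comes from the injected request object, the form key is checked, and the parameters are cast and validated before use. The Vendor\Example namespace, the Save action and the field names are assumptions.

```php
<?php
declare(strict_types=1);

namespace Vendor\Example\Controller\Item;

use Magento\Framework\App\Action\HttpPostActionInterface;
use Magento\Framework\App\Request\Http as HttpRequest;
use Magento\Framework\Controller\Result\JsonFactory;
use Magento\Framework\Controller\ResultInterface;
use Magento\Framework\Data\Form\FormKey\Validator as FormKeyValidator;
use Magento\Framework\Escaper;

class Save implements HttpPostActionInterface
{
    public function __construct(
        private readonly HttpRequest $request,
        private readonly JsonFactory $jsonFactory,
        private readonly FormKeyValidator $formKeyValidator,
        private readonly Escaper $escaper
    ) {
    }

    public function execute(): ResultInterface
    {
        $result = $this->jsonFactory->create();

        // Reject POSTs that do not carry a valid Magento form key (CSRF protection).
        if (!$this->formKeyValidator->validate($this->request)) {
            return $result->setData(['success' => false, 'message' => 'Invalid form key']);
        }

        // Fail pattern would be: $id = $_POST['id']; $name = $_REQUEST['name'];
        // Pass pattern: read only through the request object, with defaults.
        $id = (int) $this->request->getPostValue('id', 0);
        $name = trim((string) $this->request->getPostValue('name', ''));

        // Validate type and format before the values reach any model or query.
        if ($id <= 0 || $name === '' || mb_strlen($name) > 64
            || !preg_match('/^[\p{L}\p{N} _-]+$/u', $name)) {
            return $result->setData(['success' => false, 'message' => 'Invalid input']);
        }

        // Escape on output so the echoed value cannot become stored/reflected XSS.
        return $result->setData([
            'success' => true,
            'id' => $id,
            'name' => $this->escaper->escapeHtml($name),
        ]);
    }
}
```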