Very _very_ talkative print statement...

Anuril

While debugging the Proxmox Module I've used the old console.log to get more information about the objects I'm working with. (Not very well versed in PHP anymore, so please bear with me…)

I put this line in where I knew it would run:

Now when I checked in the console, I've noticed that it looks like everything is dumped.

Including MySQL databse, Username & Password.

Is this expected behaviour, or would that need to be adressed?

BelleNottelling

Edit to further clarify:
No, this does not mean that modules can access all of that information.
These properties are protected / private and the only reason they are seen is because print_r and related PHP functions are primarily intended for debugging and specifically are programmed to include everything.
They could technically capture the output, parse it, and then use it, but there's already simpler methods that we simply cannot prevent if there's malicious code being executed on the server.

Here's my original response:
Huh, that's certainly interesting.
From what I can tell, this is happening because of a combination of us using Pimple for dependency injection + how print_r works.

From the PHP docs:

print_r(), var_dump() and var_export() will also show protected and private properties of objects. Static class members will not be shown.

In this case, though, the $order variable will match the associated order inside of the client_order DB table.
The $model variable will be the order as the module sees it, in the service_license.

If you still want to print_r the models, this Stackoverflow post covers a few different options to only get the public properties.