Edit to further clarify:
No, this does not mean that modules can access all of that information.
These properties are protected / private and the only reason they are seen is because
print_r and related PHP functions are primarily intended for debugging and specifically are programmed to include everything.
They could technically capture the output, parse it, and then use it, but there's already simpler methods that we simply cannot prevent if there's malicious code being executed on the server.
Here's my original response:
Huh, that's certainly interesting.
From what I can tell, this is happening because of a combination of us using Pimple for dependency injection + how
From the PHP docs:
print_r(), var_dump() and var_export() will also show protected and private properties of objects. Static class members will not be shown.
In this case, though, the
$order variable will match the associated order inside of the
client_order DB table.
$model variable will be the order as the module sees it, in the
If you still want to
print_r the models, this Stackoverflow post covers a few different options to only get the public properties.