- Check current_user_can()
- Nonces
- Validating and Sanitizing Cookbook
- $wpdb
Example Check current_user_can()
/* Plugin Name: Simple Debug Plugin URI: http://example.com/ Description: Append ?debug=1 to any URL to display debug information if you are an admin */ add_action( 'init', 'ssd_debug_check' ); function ssd_debug_check() { if( isset( $_GET['debug'] ) && current_user_can( 'manage_options' ) ) { if( !defined( 'SAVEQUERIES' ) ) define( 'SAVEQUERIES', true ); add_action( 'wp_footer', 'ssd_debug_output' ); } } // Print debug information function ssd_debug_output() { global $wpdb; echo "<pre>"; print_r($wpdb->queries); echo "</pre>"; }
Nonces - Authority Versus Intention. Now imagine people maliciously crafting a link that would delete a post on your blog. They could not use it themselves, of course, because they have no admin account, But what if they trick you into clicking on this link? Because you are logged in, the action would occur, and the post would be deleted. You had authority but no intention. The malicious users just completed a Cross Site Request Forgery
In computer language, a nonce, or cryptographic nonce, is the abbreviation of “ number used once. ” In WordPress, it is a short and apparently random string such as a password, which is specifi c to the following: One WordPress user, One action (delete, update, save, and such), One object (a post, a link, a plugin setting, and such), One time frame of 24 hours. For example, http://example.com/wp - admin/post.php?post=43 & action=trash & wpnonce=83a08fcbc2
/* Plugin Name: Unused Tags Plugin URI: http://example.com/ Description: Find unused tags and rename or delete them */ // Add an entry for our option page to the Posts menu add_action('admin_menu', 'ssd_utags_add_page'); function ssd_utags_add_page() { add_posts_page( 'Unused Tags', 'Unused Tags', 'manage_options', 'ssd_utags', 'ssd_utags_option_page' ); } // Catch any action parameter in query string add_action( 'admin_init', 'ssd_utags_do_action' ); // Proceed to requested ssd_action if applicable function ssd_utags_do_action() { if( !isset( $_REQUEST['ssd_action'] ) ) return; if( !current_user_can( 'manage_options' ) ) wp_die( 'Insufficient privileges!' ); $id = $_REQUEST['id']; $action = $_REQUEST['ssd_action']; if( $action == 'done' ) { add_action( 'admin_notices', 'ssd_utags_message' ); return; } check_admin_referer( 'ssd_utags-'.$action.'_tag'.$id ); switch( $action ) { case 'rename': $newtag = array( 'name' => $_POST['name'], 'slug' => $_POST['name'] ); wp_update_term( $id, 'post_tag', $newtag ); break; case 'delete': wp_delete_term( $id, 'post_tag' ); break; } wp_redirect( add_query_arg( array( 'ssd_action' => 'done' ) ) ); } // Admin notice function ssd_utags_message() { echo "<div class='updated'><p>Action completed</p></div>"; } // Draw the tag management page function ssd_utags_option_page() { <div class="wrap"> screen_icon(); <h2>Unused Tags</h2> if( $tags = ssd_utags_find_orphans() ): echo '<p>You currently have '.count( $tags ). ' unused tags:</p>'; echo '<ol>'; foreach( $tags as $tag ) { $id = $tag->term_id; $name = esc_attr( $tag->name ); $delete_url= add_query_arg( array('ssd_action'=>'delete','id'=>$id) ); $nonced_url= wp_nonce_url( $delete_url, 'ssd_utags-delete_tag'.$id ); <li> <form action="" method="post"> wp_nonce_field( 'ssd_utags-rename_tag'.$id ); <input type="hidden" name="ssd_action" value="rename" /> <input type="hidden" name="id" value=" echo $id; " /> <input type="text" name="name" value=" echo $name; " /> <input type="submit" value="Rename" /> or <a href=" echo $nonced_url; ">delete</a> this tag </form> </li> } else: <p>You have no unused tags.</p> endif; </ol> </div> } // Find unused tags, return them in an array function ssd_utags_find_orphans() { global $wpdb; $sql = "SELECT terms.term_id, terms.name FROM {$wpdb->terms} terms INNER JOIN {$wpdb->term_taxonomy} taxo ON terms.term_id=taxo.term_id WHERE taxo.taxonomy = 'post_tag' AND taxo.count=0"; return $wpdb->get_results( $sql ); }
Validating and Sanitizing Cookbook
- Integers - intval($data) or is_int($data)
- Strings - ctype_ family BOOL: ctype_alpha($num) - alphabetic, ctype_alnum($num) - alphanumeric, sanitize_text_field( “I am nice.\n Very < em > nice < /em > ! “ )
- Internal Identifi er Strings validate date
function ssd_validate_date( $date ) { // first test: pattern matching if( !preg_match( '!\d{2}/\d{2}/\d{4}!', $date ) ) return 'wrong pattern'; // second test: is date valid? $timestamp = strtotime( $date ); if( !$ t i m e s t a m p ) return 'date invalid'; // third test: is the date from the past? if( $timestamp <= time() ) return 'past date'; // So far, so good return true; } // Test it: var_dump( ssd_validate_date( '12/12/99' ) ); // string(12) "wrong pattern" var_dump( ssd_validate_date( '35/30/1980' ) ); // string(12) "date invalid" var_dump( ssd_validate_date( '03/30/1980' ) ); // string(9) "past date" var_dump( ssd_validate_date( '03/30/2020' ) ); // bool(true)
$wpdb
$values = array( ‘column1’ = > ‘some string’, ‘column2’ = > 43 ); $where = array( ‘ID’ = > 1 ); $formats_values = array( ‘%s’, ‘%d’ ); $formats_where = array( ‘%d’ ); $wpdb- > update( $wpdb- > custom, $values, $where, $formats_values, $formats_where ); $values = array( ‘column1’ = > ‘new string’, ‘column2’ = > 44 ); $formats_values = array( ‘%s’, ‘%d’ ); $wpdb- > insert( $wpdb- > custom, $values, $formats_values ); $sql = “SELECT COUNT(ID) FROM {$wpdb- > posts} WHERE post_status = ‘publish’ AND post_type = ‘post’”; $num_of_posts = $wpdb- > get_var( $sql ); $sql = “SELECT `user_email`, `user_url` FROM $wpdb- > users WHERE user_login = ‘admin’”; $object = $wpdb- > get_row( $sql, OBJECT ); $array_a = $wpdb- > get_row( $sql, ARRAY_A ); $sql = “SELECT `user_email` FROM $wpdb- > users”; $emails = $wpdb- > get_col( $sql ); $sql = “SELECT YEAR(post_date) AS `year`, count(ID) as posts FROM $wpdb- > posts WHERE post_type = ‘post’ AND post_status = ‘publish’ GROUP BY YEAR(post_date) ORDER BY post_date DESC”; $results = $wpdb- > get_results( $sql, ARRAY_A ); $sql = “SELECT YEAR(post_date) AS `year`, count(ID) as posts FROM $wpdb- > posts WHERE post_type = ‘post’ AND post_status = ‘publish’ GROUP BY YEAR(post_date) ORDER BY post_date DESC”; $results = $wpdb- > get_results( $sql, ARRAY_A ); foreach( $results as $sum ) { $year = $sum[‘year’]; $count = $sum[‘posts’]; echo “ < p > Posts published in $year: $count < /p > ”; } $sql = “DELETE from wp_comments WHERE comment_author_url LIKE ‘%evil.example.com%’”; $deleted = $wpdb- > query( $sql ); $sql = “UPDATE $wpdb- > posts SET comment_status = ‘closed’ WHERE post_date < DATE_SUB( NOW(), INTERVAL 90 DAY ) AND post_status = ‘publish’”; $wpdb- > query( $sql );

Leave a Comment