• Check current_user_can()
  • Nonces
  • Validating and Sanitizing Cookbook
  • $wpdb

Example: check current_user_can()

<?php
/*
Plugin Name: Simple Debug
Plugin URI: http://example.com/
Description: Append ?debug=1 to any URL to display debug information if you are an admin
*/
 
// Run the debug check on 'init'; it decides whether the footer dump gets attached.
add_action('init', 'ssd_debug_check');
 
/**
 * Attach the query dump to the footer when ?debug is present in the URL and
 * the current user has the 'manage_options' capability (an administrator).
 *
 * Both conditions are required: the query parameter alone proves nothing,
 * since anyone can append ?debug=1 to a URL.
 */
function ssd_debug_check() {
    $debug_requested = isset( $_GET['debug'] );
    if ( ! $debug_requested || ! current_user_can( 'manage_options' ) ) {
        return;
    }

    // SAVEQUERIES tells $wpdb to keep a log of executed queries; define it once.
    if ( ! defined( 'SAVEQUERIES' ) ) {
        define( 'SAVEQUERIES', true );
    }

    add_action( 'wp_footer', 'ssd_debug_output' );
}
 
// Print debug information
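/**
 * Print the query log collected by $wpdb (populated only when SAVEQUERIES is
 * true) inside a <pre> block in the footer.
 *
 * Logged queries embed request-derived values (search terms, slugs, ...), so
 * the dump is HTML-escaped before it is echoed. The earlier version printed it
 * raw, which let a crafted request place markup into the admin's own page.
 */
function ssd_debug_output() {
    global $wpdb;

    // Second argument makes print_r() return the text instead of printing it,
    // so it can be escaped as a whole.
    $dump = print_r( $wpdb->queries, true );
    echo '<pre>' . esc_html( $dump ) . '</pre>';
}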

Nonces - Authority Versus Intention. Now imagine people maliciously crafting a link that would delete a post on your blog. They could not use it themselves, of course, because they have no admin account. But what if they trick you into clicking on this link? Because you are logged in, the action would occur, and the post would be deleted. You had authority but no intention. The malicious users just completed a Cross Site Request Forgery (CSRF).

In computer language, a nonce, or cryptographic nonce, is the abbreviation of “number used once.” In WordPress, it is a short and apparently random string, like a password, which is specific to the following: one WordPress user, one action (delete, update, save, and such), one object (a post, a link, a plugin setting, and such), and one time frame of 24 hours. For example: http://example.com/wp-admin/post.php?post=43&action=trash&wpnonce=83a08fcbc2

<?php
/*
Plugin Name: Unused Tags
Plugin URI: http://example.com/
Description: Find unused tags and rename or delete them
*/
 
// Add an entry for our option page to the Posts menu
// Register the "Unused Tags" submenu page under Posts.
add_action( 'admin_menu', 'ssd_utags_add_page' );
/**
 * Add the "Unused Tags" submenu entry under Posts.
 *
 * The page is gated by the 'manage_options' capability, so non-admins do not
 * get the menu entry; the action handler re-checks the capability regardless.
 */
function ssd_utags_add_page() {
    $title      = 'Unused Tags';
    $capability = 'manage_options';

    add_posts_page( $title, $title, $capability, 'ssd_utags', 'ssd_utags_option_page' );
}
 
// Catch any action parameter in query string
// Inspect every admin request for an ssd_action parameter.
add_action('admin_init', 'ssd_utags_do_action');
 
// Proceed to requested ssd_action if applicable
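/**
 * Handle the rename/delete actions requested from the option page.
 *
 * Runs on every admin request (admin_init) and returns at once unless an
 * ssd_action parameter is present. Order of checks: capability, then the
 * action-specific nonce, then the action itself. The id is cast to int before
 * it is used anywhere, including inside the nonce action name.
 *
 * Changes from the earlier version: the id is read only after the 'done'
 * branch (no notice on ?ssd_action=done), the new tag name is sanitized at
 * this boundary, the nonce parameters are stripped from the redirect target,
 * and the request ends after the redirect instead of continuing to render.
 */
function ssd_utags_do_action() {
    if ( ! isset( $_REQUEST['ssd_action'] ) ) {
        return;
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges!' );
    }

    $action = (string) $_REQUEST['ssd_action'];

    if ( $action === 'done' ) {
        add_action( 'admin_notices', 'ssd_utags_message' );
        return;
    }

    // Term ids are integers; anything else yields 0, which is never a term.
    $id = isset( $_REQUEST['id'] ) ? intval( $_REQUEST['id'] ) : 0;
    if ( $id <= 0 ) {
        wp_die( 'Invalid tag id.' );
    }

    // The nonce is bound to user + action + object (issued by wp_nonce_url /
    // wp_nonce_field in the option page); check_admin_referer() dies on mismatch,
    // which also covers any action name the page never issued a nonce for.
    check_admin_referer( 'ssd_utags-' . $action . '_tag' . $id );

    switch ( $action ) {
        case 'rename':
            // Validate at the boundary: strip tags/control characters from the
            // submitted name and derive the slug from the cleaned value.
            $name = isset( $_POST['name'] ) ? sanitize_text_field( $_POST['name'] ) : '';
            if ( $name === '' ) {
                wp_die( 'A tag name is required.' );
            }
            $newtag = array( 'name' => $name, 'slug' => sanitize_title( $name ) );
            wp_update_term( $id, 'post_tag', $newtag );
            break;
        case 'delete':
            wp_delete_term( $id, 'post_tag' );
            break;
    }

    // Drop the id and nonce from the redirect target so a reload of the 'done'
    // page does not carry the action parameters around, then stop: anything
    // after wp_safe_redirect() would otherwise still execute.
    $url = add_query_arg( 'ssd_action', 'done', remove_query_arg( array( 'id', '_wpnonce' ) ) );
    wp_safe_redirect( $url );
    exit;
}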
 
// Admin notice
/**
 * Admin notice shown after a rename/delete round-trip (ssd_action=done).
 */
function ssd_utags_message() {
    $notice = "<div class='updated'><p>Action completed</p></div>";
    echo $notice;
}
 
// Draw the tag management page
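/**
 * Render the tag management page: one rename form plus a nonced delete link
 * per unused tag, or a short message when there are none.
 *
 * Fixes over the earlier version: the closing </ol> is now inside the branch
 * that opens it (previously it was emitted even when no list was opened), the
 * delete URL is passed through esc_url() at the point of output, and the term
 * id is cast to int before being echoed.
 */
function ssd_utags_option_page() {
    $tags = ssd_utags_find_orphans();
    ?>
    <div class="wrap">
        <?php screen_icon(); ?>
        <h2>Unused Tags</h2>

        <?php if ( $tags ) : ?>

        <p>You currently have <?php echo count( $tags ); ?> unused tags:</p>
        <ol>
        <?php foreach ( $tags as $tag ) :
            $id   = (int) $tag->term_id;
            $name = esc_attr( $tag->name );

            // Delete is a GET link, so it carries its own nonce in the URL;
            // rename is a POST form with a nonce field. Each nonce names the
            // action and the term id, matching what ssd_utags_do_action() checks.
            $delete_url = add_query_arg( array( 'ssd_action' => 'delete', 'id' => $id ) );
            $nonced_url = wp_nonce_url( $delete_url, 'ssd_utags-delete_tag' . $id );
            ?>
            <li>
            <form action="" method="post">
            <?php wp_nonce_field( 'ssd_utags-rename_tag' . $id ); ?>
            <input type="hidden" name="ssd_action" value="rename" />
            <input type="hidden" name="id" value="<?php echo $id; ?>" />
            <input type="text" name="name" value="<?php echo $name; ?>" />
            <input type="submit" value="Rename" /> or
            <a href="<?php echo esc_url( $nonced_url ); ?>">delete</a> this tag
            </form>
            </li>
        <?php endforeach; ?>
        </ol>

        <?php else : ?>
        <p>You have no unused tags.</p>
        <?php endif; ?>

    </div>
    <?php
}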
 
// Find unused tags, return them in an array
/**
 * Return every post_tag term whose post count is zero.
 *
 * The statement is assembled from $wpdb table names only — no request data
 * goes into it — which is why it can be handed to get_results() unprepared.
 *
 * @return mixed Whatever $wpdb->get_results() returns for the query: rows
 *               carrying term_id and name in the default object format.
 */
function ssd_utags_find_orphans() {
    global $wpdb;

    $query = "SELECT terms.term_id, terms.name FROM {$wpdb->terms} terms
            INNER JOIN {$wpdb->term_taxonomy} taxo
            ON terms.term_id=taxo.term_id
            WHERE taxo.taxonomy = 'post_tag'
            AND taxo.count=0";

    $rows = $wpdb->get_results( $query );

    return $rows;
}

Validating and Sanitizing Cookbook

  • Integers - intval($data) or is_int($data)
  • Strings - ctype_ family (returns bool): ctype_alpha($num) - alphabetic, ctype_alnum($num) - alphanumeric; sanitize_text_field( "I am nice.\n Very <em>nice</em>!" )
  • Internal Identifier Strings. Example: validate a date
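/**
 * Validate a date given as MM/DD/YYYY and require it to lie in the future.
 *
 * @param string $date Raw input, e.g. '03/30/2020'.
 * @return true|string true when the date is well-formed, exists on the
 *                     calendar and is in the future; otherwise one of the
 *                     strings 'wrong pattern', 'date invalid', 'past date'.
 *                     Callers must compare with === true, since every
 *                     failure value is a non-empty (truthy) string.
 */
function ssd_validate_date( $date ) {
    // first test: pattern matching. The pattern is anchored so that input with
    // extra characters around the date ('x03/30/2020', '03/30/20201') is
    // rejected instead of matching on a substring.
    if ( ! preg_match( '!^(\d{2})/(\d{2})/(\d{4})$!', (string) $date, $m ) ) {
        return 'wrong pattern';
    }

    // second test: does the calendar date exist? strtotime() alone accepts
    // 02/30 and rolls it over into March, so check the fields explicitly first.
    $month = (int) $m[1];
    $day   = (int) $m[2];
    $year  = (int) $m[3];
    if ( ! checkdate( $month, $day, $year ) ) {
        return 'date invalid';
    }
    $timestamp = strtotime( $date );
    if ( ! $timestamp ) {
        return 'date invalid';
    }

    // third test: is the date in the past (or right now)?
    if ( $timestamp <= time() ) {
        return 'past date';
    }

    // So far, so good
    return true;
}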
 
// Test it:
 
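var_dump( ssd_validate_date( '12/12/99' ) );
// string(13) "wrong pattern"   ("wrong pattern" is 13 characters, not 12)

var_dump( ssd_validate_date( '35/30/1980' ) );
// string(12) "date invalid"

var_dump( ssd_validate_date( '03/30/1980' ) );
// string(9) "past date"

// A far-future date keeps this example returning true; the original used
// 03/30/2020, which turned into a 'past date' once that day had passed.
var_dump( ssd_validate_date( '03/30/2099' ) );
// bool(true)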

$wpdb

// NOTE(review): the listing below was garbled in extraction — `$wpdb- >` stands
// for `$wpdb->`, the curly quotes were straight quotes, and the array contents,
// format specifiers and quoted WHERE values were lost. Treat it as an outline
// of the $wpdb API only; do not copy it as-is.

// Presumably: update a row in a custom table, passing value/where arrays plus
// their printf-style format arrays so that $wpdb escapes each value itself —
// confirm against the wpdb::update() signature.
$values = array(some 43
);
$where = array(1
);
$formats_values = array( ‘%);
$formats_where = array( ‘%);
$wpdb- > update( $wpdb- > custom, $values, $where, $formats_values, $formats_where );
 
// Presumably: insert a row via wpdb::insert(), again with a formats array.
$values = array(new 44
);
$formats_values = array( ‘%);
$wpdb- > insert( $wpdb- > custom, $values, $formats_values );
 
// Presumably: count posts matching a status/type (the literal values were
// lost) and fetch the single scalar with get_var(). If those values ever come
// from a request, build the SQL with $wpdb->prepare() instead of interpolating.
$sql = “SELECT COUNT(ID) FROM {$wpdb- > posts}
WHERE post_status = ‘AND post_type = ‘$num_of_posts = $wpdb- > get_var( $sql );
 
// Presumably: fetch one user's email and URL by login, once as an object and
// once as an associative array. The interpolated login was lost here; a login
// taken from a request must go through $wpdb->prepare( '... user_login = %s', ... ).
$sql = “SELECT `user_email`, `user_url`
FROM $wpdb- > users
WHERE user_login = ‘$object = $wpdb- > get_row( $sql, OBJECT );
$array_a = $wpdb- > get_row( $sql, ARRAY_A );
 
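// Fetch a single column (every user's email) as a flat array. The statement
// holds no request data, so it is safe to pass to get_col() unprepared.
// (Restored from the garbled listing: `$wpdb- >` is `$wpdb->`, curly quotes are
// plain double quotes.)
$sql    = "SELECT `user_email` FROM {$wpdb->users}";
$emails = $wpdb->get_col( $sql );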
 
// NOTE(review): garbled in extraction — `$wpdb- >` is `$wpdb->`, the quotes were
// straight quotes, and the post_type/post_status values and the $sum[...] keys
// were lost. The same query appears twice; the second copy adds the row loop.
// Presumably: posts per year, fetched as associative arrays with get_results().
$sql = “SELECT YEAR(post_date) AS `year`, count(ID) as posts
FROM $wpdb- > posts
WHERE post_type = ‘AND post_status = ‘GROUP BY YEAR(post_date)
ORDER BY post_date DESC”;
$results = $wpdb- > get_results( $sql, ARRAY_A );
 
$sql = “SELECT YEAR(post_date) AS `year`, count(ID) as posts
FROM $wpdb- > posts
WHERE post_type = ‘AND post_status = ‘GROUP BY YEAR(post_date)
ORDER BY post_date DESC”;
$results = $wpdb- > get_results( $sql, ARRAY_A );
foreach( $results as $sum ) {
// The keys here are most likely the column aliases from the SELECT above,
// 'year' and 'posts' — confirm. Both values come from the database rather than
// a request, but escaping them on output (esc_html) is still the WordPress norm.
$year = $sum[];
$count = $sum[];
echo “ < p > Posts published in $year: $count < /p > ”;
}
 
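// Delete every comment whose author URL points at a given domain.
// Use the prefixed table name from $wpdb instead of the literal 'wp_comments',
// which breaks on any install with a non-default table prefix. The LIKE pattern
// is a constant here; a caller-supplied domain must be passed through
// $wpdb->esc_like() and $wpdb->prepare() before it reaches the query.
$sql     = "DELETE from {$wpdb->comments}
WHERE comment_author_url
LIKE '%evil.example.com%'";
$deleted = $wpdb->query( $sql );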
 
// NOTE(review): garbled in extraction — the comment_status and post_status
// values were lost and `$wpdb- >` is `$wpdb->`. Presumably: close comments on
// posts older than 90 days with a single UPDATE through wpdb::query(); the
// statement contains no request data, so prepare() is not needed for it.
$sql = “UPDATE $wpdb- > posts
SET comment_status = ‘WHERE post_date < DATE_SUB( NOW(), INTERVAL 90 DAY )
AND post_status = ‘$wpdb- > query( $sql );
