I have followed this great tutorial on how to create a plugin with an options page. It has taught me a lot of new things!
However, it states that you should put "some input validation" on the form fields in the administration page. The form fields allow the user to change 2 option values held in the database.
The code I have built (slightly modified from the example) is shown below:
```php
<?php
/*
Plugin Name: Hello World Test
Plugin URI: http://www.wordpress.org
Version: 0.1
License: GPL
Description: A simple plugin build test with admin page
Author: WordPress
Author URI: http://www.wordpress.org
*/
/*
=== RELEASE NOTES ===
10.11.2007 - v0.1 - first version released
*/

// FUNCTIONS
function say_hello() {
    $greeting = get_option('hello_greeting');
    $target = get_option('hello_target');
    print "$greeting $target";
}

function set_hello_options() {
    add_option('hello_greeting', 'hello', 'What to say');
    add_option('hello_target', 'world', 'To whom to say');
}

function unset_hello_options() {
    delete_option('hello_greeting');
    delete_option('hello_target');
}

function update_hello_options() {
    $ok = false;
    //INPUT VALIDATION REQUIRED
    if (!empty($_REQUEST['hello_greeting'])) {
        update_option('hello_greeting', $_REQUEST['hello_greeting']);
        $ok = true;
    }
    if (!empty($_REQUEST['hello_target'])) {
        update_option('hello_target', $_REQUEST['hello_target']);
        $ok = true;
    }
    if ($ok) {
        ?>
        <div id="message" class="update fade"><b>Options saved.</b>
        </div>
        <?php
    }
    else {
        ?><div id="message" class="error fade">
        Failed to save options - ensure you have something filled into each field please!
        </div><?php
    }
}

// INSTALL OR CLEANUP
register_activation_hook(__FILE__, 'set_hello_options');
register_deactivation_hook(__FILE__, 'unset_hello_options');

// ADMIN MENU FORM
function print_hello_form() {
    $default_greeting = get_option('hello_greeting');
    $default_target = get_option('hello_target');
    ?>
    <form method="post">
    <fieldset><legend>Greeting</legend>
    <input type="text" name="hello_greeting" value="<?=$default_greeting?>">
    </fieldset>
    <fieldset><legend>Target</legend>
    <input type="text" name="hello_target" value="<?=$default_target?>">
    </fieldset>
    <input type="submit" name="submit" value="Submit Changes" class="button"/>
    </form>
    <?php
}

// ADMIN MENU CONFIGURATION
add_action('admin_menu', 'modify_menu');

function modify_menu() {
    add_options_page(
        'Hello World Options', //page title
        'Hello World', //sub-menu title
        'manage_options', //access/capability
        __FILE__, //file
        'admin_hello_options' //function
    );
}

function admin_hello_options() {
    if ( !current_user_can('manage_options') )
        wp_die(__('You do not have permission to access this page.'));
    ?>
    <div class="wrap"><h2>Hello World Options</h2>
    <?php
    if (!empty($_REQUEST['submit'])) {
        update_hello_options();
    }
    print_hello_form();
    ?>
    <h2>Output Preview</h2>
    <b>Your site will display the following:</b>
    <?php
    $greeting = get_option('hello_greeting');
    $target = get_option('hello_target');
    print "$greeting $target";
    ?>
    </div>
    <?php
}
?>
```
How do I filter the content going into the database from the form fields? Code examples/modifications would be particularly welcome!
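
One way to validate the two fields before they reach the database and escape them when they are printed back, as an added example that is not part of the original post or the tutorial. It replaces `update_hello_options()` and `print_hello_form()` in the plugin above; the helper `hello_clean_text()`, the nonce names `hello_save_options` / `hello_nonce`, and the 100-character limit are assumptions made for illustration.

```php
<?php
// Added example. Assumed names (not in the original post): hello_clean_text(),
// nonce action 'hello_save_options', nonce field 'hello_nonce', 100-char limit.

// Validate one submitted field: must be a non-empty string after sanitizing.
function hello_clean_text($key, $max_len = 100) {
    if (!isset($_POST[$key]) || !is_string($_POST[$key])) {
        return null; // missing, or an array such as hello_greeting[]=x
    }
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, line breaks and invalid UTF-8.
    $value = sanitize_text_field(wp_unslash($_POST[$key]));
    if ($value === '' || mb_strlen($value) > $max_len) {
        return null;
    }
    return $value;
}

function update_hello_options() {
    // Reject requests that lack the nonce printed by the form (CSRF check).
    check_admin_referer('hello_save_options', 'hello_nonce');
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You do not have permission to access this page.'));
    }
    $greeting = hello_clean_text('hello_greeting');
    $target   = hello_clean_text('hello_target');
    if ($greeting === null || $target === null) {
        echo '<div id="message" class="error fade">Failed to save options.</div>';
        return;
    }
    update_option('hello_greeting', $greeting);
    update_option('hello_target', $target);
    echo '<div id="message" class="updated fade"><b>Options saved.</b></div>';
}

function print_hello_form() {
    ?>
    <form method="post">
    <?php wp_nonce_field('hello_save_options', 'hello_nonce'); ?>
    <fieldset><legend>Greeting</legend>
    <input type="text" name="hello_greeting" value="<?php echo esc_attr(get_option('hello_greeting')); ?>">
    </fieldset>
    <fieldset><legend>Target</legend>
    <input type="text" name="hello_target" value="<?php echo esc_attr(get_option('hello_target')); ?>">
    </fieldset>
    <input type="submit" name="submit" value="Submit Changes" class="button"/>
    </form>
    <?php
}
```

The two places that print the stored values as page text (`say_hello()` and the output preview) should pass them through `esc_html()` in the same way, so the options are escaped on output as well as sanitized on input.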