WordPress.org


Forums

Is this an exploit in Post Thumb Revisited? (19 posts)

  1. powerkor
    Member
    Posted 5 years ago #

    /***********************************************************************************/
    /* get_posts hack
    /***********************************************************************************/
    function pt_get_posts($args) {
    	global $wpdb;
    	$defaults = array(
    		'showposts' => 5, 'offset' => 0,
    		'cat' => '', 'orderby' => 'post_date',
    		'order' => 'DESC', 'include' => '',
    		'exclude' => '', 'meta_key' => '',
    		'meta_value' =>'', 'post_type' => 'post',
    		'post_status' => 'publish', 'post_parent' => 0
    	);
    	$r = wp_parse_args( $args, $defaults );
    	extract( $r, EXTR_SKIP );
    	$showposts = (int) $showposts;
    	$ecat = explode(',', $cat);
    	$ducky = (int) $ecat[0];
    	if ($ducky < 0) $exclcat = 'NOT '; else $exclcat = '';
    	$cat = implode(',',$ecat);
    	$offset = (int) $offset;
    	$post_parent = (int) $post_parent;
    	$inclusions = '';
    	if ( !empty($include) ) {
    		$offset = 0;    //ignore offset, category, exclude, meta_key, and meta_value, post_parent if using include
    		$cat = 0;
    		$exclude = '';
    		$meta_key = '';
    		$meta_value = '';
    		$post_parent = 0;
    		$incposts = preg_split('/[\s,]+/',$include);
    		$showposts = count($incposts);  // only the number of posts included
    		if ( count($incposts) ) {
    			foreach ( $incposts as $incpost ) {
    				if (empty($inclusions))
    					$inclusions = ' AND ( ID = ' . intval($incpost) . ' ';
    				else
    					$inclusions .= ' OR ID = ' . intval($incpost) . ' ';
    			}
    		}
    	}
    	if (!empty($inclusions))
    		$inclusions .= ')';
    	$exclusions = '';
    	if ( !empty($exclude) ) {
    		$exposts = preg_split('/[\s,]+/',$exclude);
    		if ( count($exposts) ) {
    			foreach ( $exposts as $expost ) {
    				if (empty($exclusions))
    					$exclusions = ' AND ( ID <> ' . intval($expost) . ' ';
    				else
    					$exclusions .= ' AND ID <> ' . intval($expost) . ' ';
    			}
    		}
    	}
    	if (!empty($exclusions))
    		$exclusions .= ')';
    	$query  = "SELECT DISTINCT * FROM $wpdb->posts ";
    	$query .= empty( $cat ) ? '' : ", $wpdb->term_relationships, $wpdb->term_taxonomy  ";
    	$query .= empty( $meta_key ) ? '' : ", $wpdb->postmeta ";
    	$query .= " WHERE 1=1 ";
    	$query .= empty( $post_type ) ? '' : "AND post_type = '$post_type' ";
    	$query .= empty( $post_status ) ? '' : "AND post_status = '$post_status' ";
    	$query .= "$exclusions $inclusions " ;
    	$query .= empty( $cat ) ? '' : "AND ($wpdb->posts.ID = $wpdb->term_relationships.object_id AND $wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id AND $wpdb->term_taxonomy.term_id ".$exclcat."IN (" . $cat. ") AND $wpdb->term_taxonomy.taxonomy = 'category') ";
    	$query .= empty( $post_parent ) ? '' : "AND $wpdb->posts.post_parent = '$post_parent' ";
    	$query .= !empty( $meta_key ) && !empty($meta_value)  ? " AND ($wpdb->posts.ID = $wpdb->postmeta.post_id AND $wpdb->postmeta.meta_key = '$meta_key' AND $wpdb->postmeta.meta_value = '$meta_value' )" : '';
    	$query .= !empty( $meta_key ) && empty($meta_value)  ? " AND ($wpdb->posts.ID = $wpdb->postmeta.post_id AND $wpdb->postmeta.meta_key LIKE '$meta_key%' )" : '';
    	$query .= " GROUP BY $wpdb->posts.ID ORDER BY " . $orderby . ' ' . $order;
    	if ( 0 < $showposts )
    		$query .= " LIMIT " . $offset . ',' . $showposts;
    	$posts = $wpdb->get_results($query);
    	update_post_caches($posts);
    	return $posts;
    }
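Reading the function as posted: the `include` and `exclude` IDs are run through `intval()`, but the string options (`orderby`, `order`, `post_type`, `post_status`, `meta_key`, `meta_value`) and every element of `cat` after the first are concatenated straight into the SQL without casting or escaping. Whether that is reachable by a site visitor depends on what the calling theme passes in, which this thread does not establish; a version that cannot be misused that way is cheap to write regardless. The following is an added example, not code from the Post Thumb Revisited plugin or from any poster: it keeps the same `$args` interface, casts every integer, allow-lists the sort column and direction, and binds the remaining strings through `$wpdb->prepare()`. It assumes the WordPress globals and helpers `$wpdb`, `wp_parse_args()`, `update_post_caches()` and `$wpdb->esc_like()` are loaded; the allow-list of sortable columns is our choice.

```php
<?php
// Added example, not the plugin's code: pt_get_posts() with the same $args
// interface, but every caller-supplied value is either cast to int, checked
// against an allow-list, or bound through $wpdb->prepare(). Assumes the
// WordPress globals/helpers $wpdb, wp_parse_args() and update_post_caches().
function pt_get_posts_safe( $args ) {
	global $wpdb;

	$defaults = array(
		'showposts' => 5, 'offset' => 0, 'cat' => '',
		'orderby' => 'post_date', 'order' => 'DESC',
		'include' => '', 'exclude' => '', 'meta_key' => '',
		'meta_value' => '', 'post_type' => 'post',
		'post_status' => 'publish', 'post_parent' => 0,
	);
	$r = wp_parse_args( $args, $defaults );
	// Read options by key instead of extract(): unknown keys cannot become locals.

	// Integer options: cast, so nothing but digits reaches the SQL.
	$showposts   = (int) $r['showposts'];
	$offset      = max( 0, (int) $r['offset'] );
	$post_parent = (int) $r['post_parent'];

	// ID lists: split on commas/whitespace and intval() every element.
	$to_ids = function ( $csv ) {
		$parts = preg_split( '/[\s,]+/', trim( (string) $csv ), -1, PREG_SPLIT_NO_EMPTY );
		return array_filter( array_map( 'intval', $parts ) ); // drops 0 and non-numeric
	};
	$include = $to_ids( $r['include'] );
	$exclude = $to_ids( $r['exclude'] );

	// Categories: a leading negative ID means "exclude", as in the original;
	// unlike the original, every element is cast, not just the first.
	$cats    = $to_ids( $r['cat'] );
	$exclcat = ( $cats && reset( $cats ) < 0 ) ? 'NOT ' : '';
	$cats    = array_map( 'abs', $cats );

	// Identifiers cannot be bound as parameters: allow-list them instead.
	$allowed_orderby = array( 'post_date', 'post_modified', 'post_title', 'ID', 'menu_order', 'comment_count' );
	$orderby = in_array( $r['orderby'], $allowed_orderby, true ) ? $r['orderby'] : 'post_date';
	$order   = ( 'ASC' === strtoupper( $r['order'] ) ) ? 'ASC' : 'DESC';

	$from   = $wpdb->posts;
	$where  = array( '1=1' );
	$params = array();  // bound to the %d/%s placeholders in $where, in order

	if ( '' !== $r['post_type'] )   { $where[] = 'post_type = %s';   $params[] = $r['post_type']; }
	if ( '' !== $r['post_status'] ) { $where[] = 'post_status = %s'; $params[] = $r['post_status']; }

	if ( $include ) {
		// As in the original, 'include' overrides offset/cat/exclude/meta/parent.
		$where[]   = "$wpdb->posts.ID IN (" . implode( ',', $include ) . ')';
		$showposts = count( $include );
		$offset    = 0;
	} else {
		if ( $exclude ) {
			$where[] = "$wpdb->posts.ID NOT IN (" . implode( ',', $exclude ) . ')';
		}
		if ( $cats ) {
			$from   .= ", $wpdb->term_relationships tr, $wpdb->term_taxonomy tt";
			$where[] = "$wpdb->posts.ID = tr.object_id AND tr.term_taxonomy_id = tt.term_taxonomy_id"
			         . " AND tt.term_id {$exclcat}IN (" . implode( ',', $cats ) . ") AND tt.taxonomy = 'category'";
		}
		if ( $post_parent ) { $where[] = "$wpdb->posts.post_parent = %d"; $params[] = $post_parent; }
		if ( '' !== $r['meta_key'] ) {
			$from   .= ", $wpdb->postmeta pm";
			$where[] = "$wpdb->posts.ID = pm.post_id";
			if ( '' !== $r['meta_value'] ) {
				$where[]  = 'pm.meta_key = %s AND pm.meta_value = %s';
				$params[] = $r['meta_key'];
				$params[] = $r['meta_value'];
			} else {
				// The original used LIKE 'key%'; escape LIKE wildcards inside the key itself.
				$where[]  = 'pm.meta_key LIKE %s';
				$params[] = $wpdb->esc_like( $r['meta_key'] ) . '%';
			}
		}
	}

	$sql = "SELECT DISTINCT $wpdb->posts.* FROM $from WHERE " . implode( ' AND ', $where )
	     . " GROUP BY $wpdb->posts.ID ORDER BY $orderby $order";
	if ( $showposts > 0 ) {
		$sql     .= ' LIMIT %d, %d';
		$params[] = $offset;
		$params[] = $showposts;
	}

	// prepare() needs at least one placeholder; skip it when nothing was bound.
	$query = $params ? $wpdb->prepare( $sql, $params ) : $sql;
	$posts = $wpdb->get_results( $query );
	update_post_caches( $posts );
	return $posts;
}
```

The split into three treatments is the point: integers are cast, identifiers (column names, sort direction) come only from a fixed list because placeholders cannot bind them, and everything else is a bound `%s`/`%d` parameter. The `IN (...)` lists are built from already-cast integers, which is why they can be joined into the string directly.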
  2. powerkor
    Member
    Posted 5 years ago #

    bump

  3. Bump what?

    Do you see something odd in that code...? Or are you just put off by the word "hack"...?

  4. powerkor
    Member
    Posted 5 years ago #

    There's been talk of post-thumb not being safe. I was looking through the code to see if I could find it.

    If you go to the author's site, it has malicious code on the page, and Firefox and Chrome tell you about it.

    It's also mentioned on the post-thumb plugin's page in the right sidebar.
    http://wordpress.org/extend/plugins/alakhnors-post-thumb/

    It's very concerning... please help :)
    I can't find a good replacement for it.

    All I want to be able to do is to make thumbnails of images that are already in the post. So, I need a plugin that scans the post for the first image and makes a thumbnail from it, and call it with the_thumb() or something similar in the loop.

  5. Boris
    Member
    Posted 5 years ago #

    Put this in your theme's functions.php. It will get the URL of the first image in your post:

    // Get URL of first image in a post
    function catch_that_image() {
    	$first_img = '';
    	// Render the post content into a buffer instead of printing it
    	ob_start();
    	the_content();
    	$html = ob_get_clean();
    	// Non-greedy .+? so the first <img> tag's own src is captured, not a later tag's
    	preg_match_all('/<img.+?src=[\'"]([^\'"]+)[\'"].*?>/i', $html, $matches, PREG_SET_ORDER);
    	if (!empty($matches)) {
    		$first_img = $matches[0][1];  // capture group 1 of the first match
    	}
    	if (empty($first_img)) {
    		$first_img = get_bloginfo('template_url').'/img/default.jpg';
    	}
    	return $first_img;
    }

    Then output it with something like this:

    <img src="<?php bloginfo('template_url'); ?>/scripts/timthumb.php?src=<?php echo urlencode(catch_that_image()); ?>&w=200&h=150&zc=1&q=100" alt="<?php the_title(); ?>" width="200" height="150" />

    In the example above you can see that the url has timthumb.php in it. It's a brilliant script for resizing images. Just google for it.

  6. powerkor
    Member
    Posted 5 years ago #

    I've done it but it doesn't seem to be generating the images.

    I have followed the directions and I have PHP 5.0

    wanna help me out a bit?

    When I look at the source code of the image, it looks like it's pointing to the script but it's not working?

    This is the error code when I manually try to put the src="" code in the url field in my browser

    Warning: touch() [function.touch]: Unable to create file ./cache/84b35545d46825812a4fb632e05c0492.gif because Permission denied in /home/content/e/w/i/ewiegand/html/inc/php/timthumb.php on line 150

    Warning: Cannot modify header information - headers already sent by (output started at /home/content/e/w/i/ewiegand/html/inc/php/timthumb.php:150) in /home/content/e/w/i/ewiegand/html/inc/php/timthumb.php on line 160

    I created the cache subdirectory in /php/ so it's /php/cache/
    everything is 777'd

    not sure what else is wrong, help.

  7. powerkor
    Member
    Posted 5 years ago #

    It's giving me all kinds of problems. It's skipping over some images, causing it to try to use remotely hosted ones. Why? Please help.

  8. Boris
    Member
    Posted 5 years ago #

    Put it in your theme folder, that's where I have it. Then read through the instructions on the timthumb homepage. The folder containing timthumb.php has to be 777 as well.

  9. powerkor
    Member
    Posted 5 years ago #

    Yeah, it's just not working. I'll try this again some other time... I can't afford for my site to be down for longer than an hour at most.

  10. westondeboer
    Member
    Posted 5 years ago #

    Hi does this not work with 2.7.1?

    Because it isn't returning any results, it is just showing the default image.

    Any Help?

  11. westondeboer
    Member
    Posted 5 years ago #

    // Get URL of first image in a post
    function catch_that_image() {
    	global $post;
    	$first_img = '';
    	// Search the raw post content directly; no output buffering needed
    	preg_match_all('/<img.+?src=[\'"]([^\'"]+)[\'"].*?>/i', $post->post_content, $matches);
    	if (!empty($matches[1])) {
    		$first_img = $matches[1][0];  // capture group 1 of the first match
    	}
    	if (empty($first_img)) {
    		$first_img = "/images/default.jpg";
    	}
    	return $first_img;
    }

    Works like a charm.

  12. Justin Tadlock
    Member
    Posted 5 years ago #

    Or, you can use the Get the Image plugin, which does all the work for you.

  13. westondeboer
    Member
    Posted 5 years ago #

    Why use a plugin when 10 lines of code can do it for me? Much easier, and uses much less computing to not use a plugin and use a direct function.

  14. Justin Tadlock
    Member
    Posted 5 years ago #

    It was just a suggestion. You can either choose to use it or not. It's really up to you.

    While it may be easier for you to create a function in your theme's functions.php file, others prefer the use of plugins.

  15. nlex
    Member
    Posted 4 years ago #

    I too would like to avoid Post Thumb Revisited in the future because it's no longer developed.

    I'm using it, not to generate the thumb (this I don't care about, I prefer to do it by hand) but to display a list of thumbs instead of displaying a list of posts on my site. (I use WordPress as a portfolio site, not as a blog.)

    Is there a way I can write a small function to do this? Problem is I have never done any PHP and I know nothing about it… :/

  16. westondeboer
    Member
    Posted 4 years ago #

  17. 1xxooxx
    Member
    Posted 4 years ago #

    http://wordpress.org/support/topic/347903

    I just want to do an IF STATEMENT

    //
    look for the custom field "article_thumb" ->>
    if there is no "article_thumb" then look for first image in article
    if there is no image in the article ->>
    set "default.jpg" as the article image.
    end if
    //

    http://wordpress.org/support/topic/347903
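The three-step fallback asked for above (custom field, then first image in the article, then default.jpg), written out as an added example that is not code from this thread or from any plugin. It assumes the WordPress functions `get_post_meta()`, `get_post()`, `get_bloginfo()` and `esc_url()` are loaded; the field name `article_thumb` is the one named in the post, and the default path and both helper names are ours. Instead of a regex it uses PHP's built-in `DOMDocument`, so `<img>` tags with attributes in any order, single or double quotes, or split across lines are all found.

```php
<?php
// Added example (not from this thread or any plugin): resolve a post's thumbnail
// URL as custom field "article_thumb" -> first <img> in the content -> default.jpg.
// Assumes the WordPress API (get_post_meta, get_post, get_bloginfo, esc_url).

// Return the src of the first <img> in an HTML fragment, or '' if there is none.
function first_image_in_html( $html ) {
	if ( '' === trim( (string) $html ) ) {
		return '';
	}
	$dom = new DOMDocument();
	libxml_use_internal_errors( true );   // post bodies are rarely well-formed XHTML
	$dom->loadHTML( '<?xml encoding="UTF-8"?><body>' . $html . '</body>' );
	libxml_clear_errors();
	foreach ( $dom->getElementsByTagName( 'img' ) as $img ) {
		$src = trim( $img->getAttribute( 'src' ) );
		if ( '' !== $src ) {
			return $src;
		}
	}
	return '';
}

// Resolve the thumbnail URL for a post ID with the three-step fallback.
function article_thumb_url( $post_id ) {
	$default = get_bloginfo( 'template_url' ) . '/img/default.jpg';  // our path, adjust to the theme

	// 1. explicit custom field set by the author
	$url = trim( (string) get_post_meta( $post_id, 'article_thumb', true ) );

	// 2. otherwise the first image embedded in the post body
	if ( '' === $url ) {
		$post = get_post( $post_id );
		$url  = $post ? first_image_in_html( $post->post_content ) : '';
	}

	// 3. otherwise the theme default
	if ( '' === $url ) {
		return $default;
	}

	// Custom-field and post-body values are author input: only let http(s) URLs
	// through to the <img src> attribute, and fall back to the default otherwise.
	$url = esc_url( $url, array( 'http', 'https' ) );
	return '' !== $url ? $url : $default;
}

// Usage inside the loop, e.g. in a portfolio index template:
//   <img src="<?php echo article_thumb_url( get_the_ID() ); ?>" alt="<?php the_title_attribute(); ?>" />
```

Because `esc_url()` runs after all three steps, the same filter applies whichever source won; the default is returned directly since the theme controls it.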

  18. archondigital
    Member
    Posted 4 years ago #

    This is what I did on mine see: link

    <?php $postimageurl = get_post_meta($post->ID, 'post-thumb', true);
    if ($postimageurl) { ?>
    <img src="<?php bloginfo('url') ?>/wp-content/themes/themename/timthumb.php?src=<?php echo urlencode($postimageurl); ?>&h=176&w=136&zc=1&q=100" alt="<?php the_title(); ?>" width="136" height="176"/>
    <?php } else { ?>
    <img src="<?php bloginfo('url') ?>/wp-content/themes/themename/timthumb.php?src=<?php bloginfo('url') ?>/wp-content/uploads/default.jpg&h=176&w=136&zc=1&q=100" alt="<?php the_title(); ?>" width="136" height="176"/>
    <?php } ?>

    It allows me to place a default image if I do not specify a thumbnail. I use custom fields to place the URL of my image and timthumb to generate it in different sizes.

  19. Mark
    Member
    Posted 4 years ago #

    Avoid Post Thumb Revisited; it may not be dangerous but it certainly is messy and difficult to maintain. You can now easily accomplish this by using the built-in thumbnail support in WordPress 2.9. More details here:
    http://markjaquith.wordpress.com/2009/12/23/new-in-wordpress-2-9-post-thumbnail-images/

Topic Closed

This topic has been closed to new replies.
