Pass custom _GET url variable into page template (7 posts)

  1. godsdead
    Member
    Posted 5 months ago #

    I have a custom page that I want to pass a custom variable "player" into to populate an iframe URL to get user statistics from an external source. I found this as my guideline, but it's not picking up anything I put as /?player=username, only the fallback username "playerusername" in this case.

    http://codex.wordpress.org/Function_Reference/get_query_var

    This is my page source:

    <?php
    /*
    Template Name: PlayerStats
    */
    ?>
    <?php get_header(); ?>
    <?php
    function add_query_vars_filter( $vars ){
      $vars[] = "player";
      return $vars;
    }
    add_filter( 'query_vars', 'add_query_vars_filter' );
    ?>
    
    <div id="content">
    
        <?php if(have_posts()) while(have_posts()) : the_post(); ?>
        <div id="post-<?php the_ID(); ?>" class="entry">
            <h1 class="title"><?php the_title(); ?></h1>
    
            <div class="content">
            <?php  $player = (get_query_var('player')) ? get_query_var('player') : playerusername;  ?>
    
    		<h2>Viewing PirateCraft Player <?php echo $player; ?></h2>
    			<iframe src="http://stats.piratemc.com/single_player.php?p=<?php echo $player; ?>" width="100%" height="1200" scrolling="no" class="iframe-class" frameborder="0"></iframe><br />
    
                <?php the_content(); ?>
                <?php wp_link_pages(array('before' => '<div class="page-link">'.__('Pages', 'cpotheme').':', 'after' => '</div>')); ?>
            </div>
        </div>
    
        <?php endwhile; ?>
    </div>
    
    <?php get_sidebar(); ?>
    <?php get_footer(); ?>
  2. Christian1012
    Member
    Posted 5 months ago #

    Filtering your query vars on the page template may be too late. Try adding that code into your functions.php file, which gets called much earlier, and you may have more success.

  3. godsdead
    Member
    Posted 5 months ago #

    Yes! This worked, thank you.

    The problem I see is that the variable takes anything I throw at it, so if I put in HTML, that is injected into my page. How can I filter this out, since I only need usernames?

  4. Jose Castaneda
    Member
    Posted 5 months ago #

    One thing I can think of would be kses or validating/sanitizing

  5. godsdead
    Member
    Posted 5 months ago #

    Yes, I found sanitize_user( $player, true )
    But I'm not sure where to put it. I tried it in the function add_query_vars_filter, which is now in functions.php, but that broke the script & the website.

    I tried it in the custom page too, like this:

    <?php $player = (get_query_var('player')) ? get_query_var('player') : playerusername;  ?>
    <? sanitize_user( $player, true ) ?>
  6. godsdead
    Member
    Posted 5 months ago #

    Alright, I figured it out, but I'm still stuck on how to pass the $strict = false into this statement:

    <?php $player = sanitize_user((get_query_var('player')) ? get_query_var('player') : playerusername) ?>

  7. keesiemeijer
    moderator
    Posted 5 months ago #

    If "playerusername" is a variable, change it to $playerusername. If it's a string, change it to 'playerusername'.

    $strict is set to false by default. If you want to change it to true, try:

    <?php
    $user = ( get_query_var('player') ) ? get_query_var('player') : 'playerusername';
    $player = sanitize_user($user, true);
    ?>

    If the player is also a user of your site you could do more validation:
    http://codex.wordpress.org/Function_Reference/username_exists

    Or whitelist it against an array with known player names?
    http://codex.wordpress.org/Data_Validation#Whitelist

    To escape the iframe url change this:

    <iframe src="http://stats.piratemc.com/single_player.php?p=<?php echo $player; ?>" width="100%" height="1200" scrolling="no" class="iframe-class" frameborder="0"></iframe><br />

    to:

    <iframe src="<?php echo esc_url( 'http://stats.piratemc.com/single_player.php?p=' . $player ); ?>" width="100%" height="1200" scrolling="no" class="iframe-class" frameborder="0"></iframe><br />
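
The fixes from this thread combined into one functions.php snippet, as an added example that is not code from any of the posters: the query var is registered early, the value is validated before use, and each output is escaped for its context. The `piratecraft_*` function names and the 3-16 character username pattern are assumptions made for illustration.

```php
<?php
// Added example for the theme's functions.php (not code from the thread).

// Register "player" before the query is parsed so get_query_var() can see it.
function piratecraft_register_player_var( $vars ) {
    $vars[] = 'player';
    return $vars;
}
add_filter( 'query_vars', 'piratecraft_register_player_var' );

// Hypothetical helper: return a validated player name or the fallback.
function piratecraft_get_player( $fallback = 'playerusername' ) {
    $raw = get_query_var( 'player' );

    // ?player[]=x arrives as an array; treat anything but a non-empty string as absent.
    if ( ! is_string( $raw ) || '' === $raw ) {
        return $fallback;
    }

    // Strict mode strips tags, entities and everything outside a-z 0-9 _ . - @ and space.
    $name = sanitize_user( $raw, true );

    // Reject instead of repair: if sanitizing changed the input, it was not a clean name.
    // Assumption: player names are 3-16 letters, digits or underscores.
    if ( $name !== $raw || ! preg_match( '/\A[A-Za-z0-9_]{3,16}\z/', $name ) ) {
        return $fallback;
    }
    return $name;
}

// Hypothetical helper: print the heading and iframe, escaping per output context.
function piratecraft_render_player_stats() {
    $player = piratecraft_get_player();

    // add_query_arg() does not encode values, so encode the name explicitly.
    $src = add_query_arg(
        'p',
        rawurlencode( $player ),
        'http://stats.piratemc.com/single_player.php'
    );

    // esc_html() for element text, esc_url() for the src attribute.
    printf( '<h2>Viewing PirateCraft Player %s</h2>', esc_html( $player ) );
    printf(
        '<iframe src="%s" width="100%%" height="1200" scrolling="no" class="iframe-class" frameborder="0"></iframe><br />',
        esc_url( $src )
    );
}
```

In the page template, the `$player` assignment, the `<h2>` and the `<iframe>` lines are then replaced by a single call to `piratecraft_render_player_stats()`.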
