Plugin uses eval() - security concern (3 posts)

  1. WebEndev
    Member
    Posted 1 year ago

    Hi Shea,

    I noticed that the plugin uses eval(), and while my skills in PHP wouldn't be classified as 'expert', from what I understand this is a security concern.

    The plugin stores the snippets as text data directly in the database, and then executes them from there. While this is probably great from a performance standpoint, it opens the door to security risks, and also if you would happen to get a bad snippet, it could shut down your site (of course you could FTP into the site and remove/rename the plugin to fix it).

    I do love the way the snippets are stored and organized in the WP admin. But maybe there is a better way of doing this?

    Thanks

    http://wordpress.org/extend/plugins/code-snippets/

  2. Shea Bunge
    Member
    Plugin Author

    Posted 1 year ago

    Perhaps...

    If you have a better way to store and execute snippets, let me know. I will also have a think about it.

    There is a way to stop snippets from executing, while keeping the Code Snippets plugin active (so you can go in and deactivate the faulty snippet); read more here.

    To do this, add the line
    define('CS_SAFE_MODE', true);
    to your wp-config.php file.

  3. Shea Bunge
    Member
    Plugin Author

    Posted 1 year ago

    Please discard the above post

    Perhaps…

    If you have a better way to store and execute snippets, let me know. I will also have a think about it.

    There is a way to stop snippets from executing, while keeping the Code Snippets plugin active (so you can go in and deactivate the faulty snippet); read more here.

    To do this, add the line
    define('CODE_SNIPPETS_SAFE_MODE', true);
    to your wp-config.php file.
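As an added illustration (not the Code Snippets plugin's own code), the following shows how a safe-mode constant set in wp-config.php can gate the eval() of database-stored snippets, and how a faulty snippet's parse or runtime error can be contained so it does not take the whole site down. The $snippets array and the function names are assumptions standing in for rows read from the database and for the plugin's real internals.

```php
<?php
// Added illustration, not the plugin's code. Assumes a hypothetical $snippets
// array standing in for snippet rows loaded from the WordPress database.

/**
 * True when the site owner has disabled snippet execution in wp-config.php with
 *   define('CODE_SNIPPETS_SAFE_MODE', true);
 */
function snippets_safe_mode_enabled(): bool {
    return defined('CODE_SNIPPETS_SAFE_MODE') && CODE_SNIPPETS_SAFE_MODE;
}

/**
 * Execute one stored snippet, catching ParseError and runtime Errors so a single
 * bad snippet reports a failure instead of crashing the request.
 * Returns null on success, or an error description on failure.
 */
function run_stored_snippet(string $code): ?string {
    // Stored snippets usually start with an opening tag; eval() must not see it.
    $code = preg_replace('/^\s*<\?php\s*/i', '', $code);
    try {
        eval($code);
        return null;
    } catch (\Throwable $e) {   // ParseError, Error, and ordinary exceptions
        return get_class($e) . ': ' . $e->getMessage();
    }
}

/** Run every snippet unless safe mode is on; returns name => error-or-null. */
function run_all_snippets(array $snippets): array {
    if (snippets_safe_mode_enabled()) {
        // Nothing runs, but the admin UI stays usable so the faulty snippet
        // can be located and deactivated.
        return [];
    }
    $results = [];
    foreach ($snippets as $name => $code) {
        $results[$name] = run_stored_snippet($code);
    }
    return $results;
}

// Constructed sample rows: one valid snippet and one with a syntax error.
$snippets = [
    'good' => '<?php $GLOBALS["snippet_ran"] = true;',
    'bad'  => '<?php this is not valid php',
];
var_dump(run_all_snippets($snippets));
```

With the constant undefined, the 'good' entry returns null and the 'bad' entry returns a ParseError message rather than a fatal error; with the constant defined as true, the result is an empty array and nothing is executed.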

Topic Closed

This topic has been closed to new replies.
