• Hi Shea,

    I noticed that the plugin uses eval(), and while my skills in PHP wouldn’t be classified as ‘expert’, from what I understand this is a security concern.

    The plugin stores the snippets as text data directly in the database, and then executes them from there. While this is probably great from a performance standpoint, it opens the door to security risks, and also if you would happen to get a bad snippet, it could shut down your site (of course you could FTP into the site and remove/rename the plugin to fix it).

    I do love the way the snippets are stored and organized in the WP admin. But maybe there is a better way of doing this?

    Thanks

    http://wordpress.org/extend/plugins/code-snippets/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Shea Bunge

    (@bungeshea)

    Perhaps…

    If you have a better way to store and execute snippets, let me know. I will also have a think about it.

    There is a way to stop snippets from executing, while keeping the Code Snippets plugin active (so you can go in and deactivate the faulty snippet); read more here.

    To do this, add the line
    define('CS_SAFE_MODE', true);
    to your wp-config.php file.

    Plugin Author Shea Bunge

    (@bungeshea)

    Please discard the above post

    Perhaps…

    If you have a better way to store and execute snippets, let me know. I will also have a think about it.

    There is a way to stop snippets from executing, while keeping the Code Snippets plugin active (so you can go in and deactivate the faulty snippet); read more here.

    To do this, add the line
    define('CODE_SNIPPETS_SAFE_MODE', true);
    to your wp-config.php file.
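    The following PHP is an added illustration of the mechanism discussed in this thread, not the Code Snippets plugin's own code: snippets stored as text, run with eval(), and a wp-config.php constant that switches execution off. The function names (run_stored_snippets, sample_snippets) and the in-memory rows standing in for the plugin's database table are assumptions made for the example; the real plugin has its own table and function names. Defining CODE_SNIPPETS_SAFE_MODE inside the file is only so the example runs stand-alone; on a live site it belongs in wp-config.php.

```php
<?php
// Added illustration, not the Code Snippets plugin's own code.
// Models the behaviour discussed in the thread: snippets stored as text
// in the database and executed with eval(), plus a "safe mode" constant
// set in wp-config.php that skips execution. run_stored_snippets() and
// sample_snippets() are names assumed for this example only.

declare(strict_types=1);

// On a real site this define goes in wp-config.php, above the line that
// requires wp-settings.php, so it exists before any plugin code loads:
//
//   define('CODE_SNIPPETS_SAFE_MODE', true);
//
// It is defined here (defaulting to off) only so the file runs on its own.
if (!defined('CODE_SNIPPETS_SAFE_MODE')) {
    define('CODE_SNIPPETS_SAFE_MODE', false);
}

/** Constructed sample rows standing in for the plugin's snippets table. */
function sample_snippets(): array
{
    return [
        ['id' => 1, 'active' => true,  'code' => 'function cs_example_greet() { return "hello"; }'],
        ['id' => 2, 'active' => true,  'code' => 'echo "missing semicolon"'],   // parse error
        ['id' => 3, 'active' => false, 'code' => 'remove_action("wp_head", "wp_generator");'],
    ];
}

/**
 * Execute every active snippet and return a per-snippet status, so the
 * caller can report which snippet failed instead of the whole request
 * dying with a blank page.
 *
 * Security note: eval() runs the stored text as PHP with the full
 * privileges of the web server process. Anyone who can write to the
 * snippets table, through the admin screens, a leaked database credential
 * or a SQL injection elsewhere on the site, can run arbitrary PHP on the
 * server. Safe mode stops execution; it does not make stored code safe.
 */
function run_stored_snippets(array $snippets): array
{
    $results = [];

    // Safe mode: keep the plugin active so its admin screens still work,
    // but execute nothing, so the operator can deactivate a bad snippet.
    if (defined('CODE_SNIPPETS_SAFE_MODE') && CODE_SNIPPETS_SAFE_MODE) {
        foreach ($snippets as $s) {
            $results[$s['id']] = 'skipped (safe mode)';
        }
        return $results;
    }

    foreach ($snippets as $s) {
        if (!$s['active']) {
            $results[$s['id']] = 'inactive';
            continue;
        }
        // Buffer output so a snippet that echoes cannot break HTTP headers.
        ob_start();
        try {
            eval($s['code']);
            ob_end_clean();
            $results[$s['id']] = 'ok';
        } catch (\Throwable $e) {
            // On PHP 7+, a ParseError or runtime Error raised inside eval()
            // is catchable, so one broken snippet no longer takes the site
            // down. A snippet that calls exit() or exhausts memory still will.
            ob_end_clean();
            $results[$s['id']] = get_class($e) . ': ' . $e->getMessage();
        }
    }
    return $results;
}

print_r(run_stored_snippets(sample_snippets()));
```

    Run it once as-is and snippet 2 is reported as a ParseError while snippets 1 and 3 are "ok" and "inactive"; change the define to true and every snippet is reported as skipped, which is the state the safe-mode constant above puts a real site into while you remove the faulty snippet. The catch block addresses the "bad snippet shuts down your site" point; the eval() concern itself remains, since stored code is executed with whatever privileges PHP has.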

  • The topic ‘[Plugin: Code Snippets] Plugin uses eval() – security concern’ is closed to new replies.