WordPress.org Forums

Plugin security - how to filter form content for database? (2 posts)

  1. ninjaboy
    Member
    Posted 6 years ago

    I have followed this great tutorial on how to create a plugin with an options page. It has taught me a lot of new things!

    However, it states that you should put "some input validation" on the form fields in the administration page. The form fields allow the user to change 2 options values held in the database.

    The code I have built (slightly modified from the example) is shown below:

    <?php
    /*
    Plugin Name: Hello World Test
    Plugin URI: http://www.wordpress.org
    Version: 0.1
    License: GPL
    Description: A simple plugin build test with admin page
    Author: WordPress
    Author URI: http://www.wordpress.org
    */
    
    /*
    === RELEASE NOTES ===
    10.11.2007 - v0.1 - first version released
    */
    
    // FUNCTIONS
    
    function say_hello() {
    	$greeting = get_option('hello_greeting');
    	$target = get_option('hello_target');
    	print "$greeting $target";
    }
    
    function set_hello_options() {
    	add_option('hello_greeting','hello'); // default greeting ("what to say")
    	add_option('hello_target','world');   // default target ("to whom to say")
    }
    
    function unset_hello_options() {
    	delete_option('hello_greeting');
    	delete_option('hello_target');
    }
    
    function update_hello_options() {
    	$ok = false;
    
    	//INPUT VALIDATION REQUIRED - values are currently stored exactly as submitted
    	if (!empty($_REQUEST['hello_greeting'])) {
    		update_option('hello_greeting',$_REQUEST['hello_greeting']);
    		$ok = true;
    	}
    
    	if (!empty($_REQUEST['hello_target'])) {
    		update_option('hello_target',$_REQUEST['hello_target']);
    		$ok = true;
    	}
    
    	if ($ok) {
    	?>
    	<div id="message" class="updated fade"><b>Options saved.</b>
    </div>
    	<?php
    	}
    	else {
    	?><div id="message" class="error fade">
    	Failed to save options - ensure you have something filled into each field please!
    
    	</div><?php
    	}
    }
    
    // INSTALL OR CLEANUP
    
    register_activation_hook(__FILE__,'set_hello_options');
    register_deactivation_hook(__FILE__,'unset_hello_options');
    
    // ADMIN MENU FORM
    
    function print_hello_form() {
    	$default_greeting = get_option('hello_greeting');
    	$default_target = get_option('hello_target');
    	?>
    
    	<form method="post">
    	<fieldset><legend>Greeting</legend>
    		<input type="text" name="hello_greeting" value="<?php echo $default_greeting; /* not escaped yet */ ?>">
    	</fieldset>
    	<fieldset><legend>Target</legend>
    		<input type="text" name="hello_target" value="<?php echo $default_target; /* not escaped yet */ ?>">
    	</fieldset>
    
    	<input type="submit" name="submit" value="Submit Changes" class="button"/>
    	</form>
    	<?php
    }
    
    // ADMIN MENU CONFIGURATION
    
    add_action('admin_menu','modify_menu');
    
    function modify_menu() {
    	add_options_page(
    						'Hello World Options',	//page title
    						'Hello World',			//sub-menu title
    						'manage_options',		//access/capability
    						__FILE__,				//file
    						'admin_hello_options'	//function
    					);
    }
    
    function admin_hello_options() {
    
    if ( !current_user_can('manage_options') )
    	wp_die(__('You do not have permission to access this page.'));
    
    ?>
    <div class="wrap"><h2>Hello World Options</h2>
    
    <?php
    
    if (!empty($_REQUEST['submit'])) {
    	update_hello_options();
    }
    
    print_hello_form();
    ?>
    
    <h2>Output Preview</h2>
    
    	<b>Your site will display the following:</b>
    
    	<?php
    	$greeting = get_option('hello_greeting');
    	$target = get_option('hello_target');
    	print "$greeting $target";
    	?>
    
    </div>
    <?php
    }
    
    ?>

    How do I filter the content going into the database from the form fields? Code examples/modifications would be particularly welcome!

  2. ninjaboy
    Member
    Posted 6 years ago

    OK, more research and trial and error (mostly error!).

    Should I be using the wp_nonce_field, wp_nonce_url and check_admin_referer functions when saving options that depend on user input?

    What functions should/can I use to sanitize the input?

    I hope someone in the WP community notices this and throws in a suggestion - especially if it was implemented in the code above, "Hello World" I can understand!
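As an added example (not code from the original poster, and not code from WordPress itself), here is the same options page rewritten with the three controls the two posts ask about: a capability check inside the save handler, a nonce emitted by wp_nonce_field() and verified by check_admin_referer(), and input sanitization with sanitize_text_field() paired with esc_attr()/esc_html() on every output. The option names hello_greeting and hello_target are the ones from the post; the nonce action and field name strings, the 100-character length limit and the menu slug 'hello-world-options' are assumptions made for this example.

```php
<?php
/*
Plugin Name: Hello World Test (hardened options page)
Description: Same two options as in the post above, saved only after capability, nonce and sanitization checks.
*/

// Assumptions for this example: the nonce action/name, the length limit and the menu slug.
define( 'HELLO_NONCE_ACTION', 'hello_save_options' );
define( 'HELLO_NONCE_NAME',   'hello_options_nonce' );
define( 'HELLO_MAX_LEN',      100 );

// Read one posted field, strip the slashes WordPress adds to $_POST, sanitize it as
// plain text, and return null when it is missing, empty or too long so the caller
// refuses the whole save instead of writing a half-valid pair of options.
function hello_read_field( $key ) {
	if ( ! isset( $_POST[ $key ] ) || ! is_string( $_POST[ $key ] ) ) {
		return null;
	}
	$value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
	if ( '' === $value || strlen( $value ) > HELLO_MAX_LEN ) {
		return null;
	}
	return $value;
}

// Returns true when both options were written, false when validation rejected the input.
function hello_update_options() {
	// Authorization: re-check inside the handler, not only on the menu entry.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( __( 'You do not have permission to change these options.' ) );
	}
	// CSRF: check_admin_referer() verifies the nonce printed by wp_nonce_field() and dies on failure.
	check_admin_referer( HELLO_NONCE_ACTION, HELLO_NONCE_NAME );

	$greeting = hello_read_field( 'hello_greeting' );
	$target   = hello_read_field( 'hello_target' );
	if ( null === $greeting || null === $target ) {
		return false; // nothing written: both fields must pass
	}
	update_option( 'hello_greeting', $greeting );
	update_option( 'hello_target', $target );
	return true;
}

function hello_print_form() {
	$greeting = get_option( 'hello_greeting', '' );
	$target   = get_option( 'hello_target', '' );
	?>
	<form method="post" action="">
	<?php wp_nonce_field( HELLO_NONCE_ACTION, HELLO_NONCE_NAME ); ?>
	<fieldset><legend>Greeting</legend>
		<?php // attribute context, so esc_attr() ?>
		<input type="text" name="hello_greeting" maxlength="<?php echo (int) HELLO_MAX_LEN; ?>"
		       value="<?php echo esc_attr( $greeting ); ?>">
	</fieldset>
	<fieldset><legend>Target</legend>
		<input type="text" name="hello_target" maxlength="<?php echo (int) HELLO_MAX_LEN; ?>"
		       value="<?php echo esc_attr( $target ); ?>">
	</fieldset>
	<?php submit_button( 'Submit Changes' ); // renders <input type="submit" name="submit" ...> ?>
	</form>
	<?php
}

function hello_admin_page() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( __( 'You do not have permission to access this page.' ) );
	}
	echo '<div class="wrap"><h2>Hello World Options</h2>';

	// Only a POST with the submit button set counts as a save; $_REQUEST is not consulted,
	// so a crafted GET link to this page cannot trigger a write.
	if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['submit'] ) ) {
		if ( hello_update_options() ) {
			echo '<div id="message" class="updated"><p>Options saved.</p></div>';
		} else {
			echo '<div id="message" class="error"><p>Failed to save options: fill in both fields, at most '
				. (int) HELLO_MAX_LEN . ' characters each.</p></div>';
		}
	}
	hello_print_form();

	// HTML body context, so esc_html(). Escape on every output even though the values
	// were sanitized on input: another plugin may have written the option unsanitized.
	$preview = get_option( 'hello_greeting', '' ) . ' ' . get_option( 'hello_target', '' );
	echo '<h2>Output Preview</h2><p>Your site will display: ' . esc_html( $preview ) . '</p>';
	echo '</div>';
}

add_action( 'admin_menu', function () {
	add_options_page( 'Hello World Options', 'Hello World', 'manage_options', 'hello-world-options', 'hello_admin_page' );
} );
```

Of the three functions named in the second post, wp_nonce_field() is the one for a POST form and check_admin_referer() is its verifier; wp_nonce_url() is for action links (GET requests such as a "delete" link) and is not needed here. On WordPress 4.7 and later the same sanitization can be attached declaratively by registering each option with register_setting() and a 'sanitize_callback' argument, and letting options.php handle the nonce and capability checks.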

Topic Closed
