Using GUIDs for image URL

  • Resolved Dustin Filippini

    (@dustyf)


    10 years, 3 months ago

    I was reviewing your plugin for use on a site. While reviewing the code, I wanted to alert you of one large issue I have found. In your function, z_get_attachment_id_by_url(), you are performing a wpdb query to find the id of the image by looking for the URL.

    The first issue is that you are checking the GUID of the post to try finding the ID. The problem with this is that if a site were to change URLs, the GUID of a post would not necessarily change. The GUID is a unique identifier for each post and not a data store for the URL. (info here: http://codex.wordpress.org/Changing_The_Site_URL#Important_GUID_Note ). This means this could break for people who change URLs or switch between local development and live server.

    Second, when you are performing the wpdb query, you should use $wpdb->prepare on your query statement to protect against SQL injection attacks. (See: http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks ).

    I would get around doing a direct database query at all and maybe have the plugin store the ID of the attachment in the options table rather than the full URL. Then you should be able to use that to get what you need with only WordPress functions.

    http://wordpress.org/plugins/categories-images/

Viewing 1 replies (of 1 total)
  • Plugin Author Muhammad

    (@elzahlan)

    10 years, 3 months ago

    Thanks, and really appreciate your help.

    I just want to explain something here, if you reviewed the plugin again you will find that I’m using 2 option for saving the image url:

    1- If the image was hosted on the website server then I’m saving the full url in an option then use this url to be able to get this specific image later on to get the selected size then display the image after querying it from the database to get all sizes of this image.
    2- If the image was saved on another server, in this case also I’m using the full url as the category image, but for sure using this option will automatically disable the resize option as the image is not hosted on the website.

    Using the GUID is so quick and easy to directly get the selected image but yeah for sure this had to be changed from local to online. If you reviewed most of the comments and the support forum for the GUID issue in my plugin you will find some people already mentioned that before, and I noticed them all that they have to change the url if they were using the plugin in localhost.
    I had avoided saving the ID as on option to make the user free to choose weather using the local images or a hosted ones online. In my opinion this better.

    About using $wpdb->prepare, for sure I will do that fix this bug in the next update for the plugin and thanks so much for reporting this bug.

    Thanks so much.

Viewing 1 replies (of 1 total)
  • The topic ‘Using GUIDs for image URL’ is closed to new replies.