Support » Plugin: Similar post-title checker » Exclude self and security

  • Hello,

    Great plugin, but I have a few propositions for it.

    First of all, it’s security. I believe
    $sptitle = $_POST['sptitle'];

    should become
    $sptitle = esc_sql(sanitize_text_field($_POST['sptitle']));

    And the second issue is that the current post will be shown in the similar list. To avoid this behavior I sent post_id:

    jQuery("#title").on('keyup', function(){
    	jQuery("#spresulte").html('<div class="spinner"></div>');
    	var sptitle = jQuery(this).val();
    	var post_id = jQuery("#post_ID").val();
    	// The jQuery.post(ajaxurl, ...) call was lost in the paste; ajaxurl is the global admin-ajax.php URL WordPress defines on admin pages.
    	jQuery.post(ajaxurl, {sptitle: sptitle, post_id: post_id, action: 'sp_ajax_hook'}, function(t){
    		// admin-ajax.php appends a trailing "0" when the handler does not exit itself; strip it before rendering.
    		var e = t.substr(0, t.length - 1);
    		jQuery("#spresulte").html(e); // assumed: the rest of the callback renders the result list
    	});
    });

    and then exclude it from the query:

    global $wpdb;
    if(isset($_POST['sptitle']) && $_POST['sptitle'] != ''){
    		$sptitle = sanitize_text_field(wp_unslash($_POST['sptitle']));
    		$post_id = isset($_POST['post_id']) ? (int)$_POST['post_id'] : 0;
    		$splimit = (int)get_option( 'sp_screen_options_limit', 10);
    		$spminchar = (int)get_option( 'sp_screen_options_minchar', 3);
    		$splen = mb_strlen($sptitle);
    		if($splen >= $spminchar){
    			// prepare() quotes the values itself; esc_like() keeps a typed % or _ from acting as a LIKE wildcard.
    			// The original query was missing its WHERE keyword.
    			$sql = $wpdb->prepare("
    				SELECT *
    				FROM {$wpdb->posts}
    				WHERE post_title LIKE %s
    					AND ID != %d
    					AND post_status = 'publish'
    				LIMIT 0,%d",
    				$wpdb->esc_like($sptitle) . '%', $post_id, $splimit);
    			$results = $wpdb->get_results( $sql );
    			#echo "<xmp>".print_r($results, true)."</xmp>";
    			$out = '';
    			$out .= "<ul class='postbox'>";
    			foreach($results as $result){
    				// $post_types is the list of post types the plugin searches; it is defined elsewhere in the plugin.
    				if(in_array($result->post_type, $post_types)){
    					// Escape the stored title and the link: post titles are attacker-influenced data when rendered in admin.
    					$out .= "<li><a href='".esc_url(home_url()."/wp-admin/post.php?post=".$result->ID."&action=edit")."' target='_blank'>".esc_html($result->post_title)."</a> [".esc_html($result->post_type)."]</li>";
    				}
    			}
    			$out .= "</ul>";
    			echo $out;
    		}
    }

    Hope this would help to make the plugin better. Please let me know if you have a GitHub or Bitbucket repository.
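A hardened version of the handler, as an added example that is neither the plugin's nor the poster's code: besides the prepared LIKE query and the self-exclusion discussed above, it adds the nonce and capability checks an admin AJAX endpoint needs, and returns JSON for the page script to render as text rather than pre-built HTML. The script handle 'sp-title-checker' and the nonce action 'sp_title_check' are assumed names.

```php
<?php
// Added example, not the plugin's code. Assumed names: script handle 'sp-title-checker',
// nonce action 'sp_title_check'. The page script must send the nonce back as _ajax_nonce.

add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'sp-title-checker', 'spTitleChecker', array(
        'nonce' => wp_create_nonce( 'sp_title_check' ),
    ) );
} );

add_action( 'wp_ajax_sp_ajax_hook', 'sp_ajax_hook_hardened' );

function sp_ajax_hook_hardened() {
    global $wpdb;

    // 1. Reject requests that do not carry a nonce issued to a logged-in admin page (dies with -1 otherwise).
    check_ajax_referer( 'sp_title_check' );

    // 2. Only users who may edit posts get to enumerate other posts' titles.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $sptitle   = isset( $_POST['sptitle'] ) ? sanitize_text_field( wp_unslash( $_POST['sptitle'] ) ) : '';
    $post_id   = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $splimit   = absint( get_option( 'sp_screen_options_limit', 10 ) );
    $spminchar = absint( get_option( 'sp_screen_options_minchar', 3 ) );

    if ( mb_strlen( $sptitle ) < $spminchar ) {
        wp_send_json_success( array() ); // too short to compare; empty list
    }

    // 3. Prepared statement: %s is quoted by prepare(); esc_like() stops a typed % or _ acting as a wildcard.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title, post_type FROM {$wpdb->posts}
         WHERE post_title LIKE %s AND ID != %d AND post_status = 'publish' LIMIT %d",
        $wpdb->esc_like( $sptitle ) . '%', $post_id, $splimit
    ) );

    // 4. Return data, not markup: the browser renders title/type with .text(), so a stored title cannot inject HTML.
    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'id'    => (int) $row->ID,
            'title' => $row->post_title,
            'type'  => $row->post_type,
            'edit'  => get_edit_post_link( $row->ID, 'raw' ),
        );
    }
    wp_send_json_success( $items ); // also ends the request, so admin-ajax.php appends no stray "0"
}
```

The page script then builds the list from the JSON with jQuery's .text() and .attr('href', ...) instead of .html(), which removes the need to trim the trailing "0" as well.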

  • The topic ‘Exclude self and security’ is closed to new replies.