While writing on a plug-in, I encountered some kind of a problem. It isn’t really a security issue, but it can seriously mess up a blog.
While saving options, there are no tests wether the entered values have the correct type.
e.g. if I choose to have the value “xyz” for the “posts_per_page”, there is no real control on wether it is a numeric value or not.
It gives (of course!) an error while viewing the site, because some bogus value was inserted in the SQL-query.
In the options-table, there is a field “option_type”, but that’s never used. It is fetched once from MySQL but not even used that time. maybe it’s the intention to use it for this kind of security purpose.
but maybe I’m just paranoid and is there no need to worry about it at all…
that’s exactly my point. I was working on a script to save the options of my plug-in. At the moment it’s a self-submitting script, as proposed in the codex, with all the necessary checks and everything. But I wanted to find out how it’s done by WP itself, sending all its forms to this 1 page to get the changes processed.
Any plugin can save options easily, sending them to wp-admin/options.php with the page_options set to which options are on the page and have to be updated in the database. This is how it’s done by _all_ the options-pages of WP itself (reading, writing, general, …)
it’s just an opportunity to get this checks done in this one page. Then you should only declare the desired type as an extra parameter in the “add_options”-function. No more worries for plugin-developers to check these values in their own script.
Viewing 2 replies - 1 through 2 (of 2 total)
The topic ‘saving options -> checking values/types’ is closed to new replies.