WordPress API vs JavaScript to PHP

  • Resolved Northern Beaches Websites

    (@northernbeacheswebsites)



    At the moment I have a few plugins which are pretty frontend heavy and allow end users to create WordPress items, mainly users and posts and custom posts with custom fields. At the moment I achieve this using forms/buttons etc. and send the data from JavaScript to PHP using wp_ajax_nopriv and then call standard WordPress functions to achieve certain actions with a lot of sanitization and validation beforehand.

    I am considering moving some of this to the WordPress API in the hope it may make the code simpler – so creating API requests in JavaScript and not sending anything to PHP.

    I just wanted to get people’s opinions on the pros and cons of these 2 approaches, particularly in regards to speed and also security. Like, do you need to be as cautious in regards to sanitization and validation when working with the WordPress API, or does it just reject any junk sent to it? Do I even need to sanitize and validate data when using the WordPress API?

    Thanks,

Viewing 3 replies - 1 through 3 (of 3 total)
  • I am considering moving some of this to the WordPress API in the hope it may make the code simpler – so creating API requests in JavaScript and not sending anything to PHP.

    The REST API is part of the WordPress core. It’s PHP. The only difference between it and admin-ajax.php (from this standpoint, anyway) is how they are accessed. Both load a full copy of WordPress, including the theme and plugins.

    Your code will be simpler by using the REST API to replace functions you’ve already written. But you pay a pretty big price for that convenience. Since a full copy of WordPress is loaded and executed for each REST API call, your site will be slower, and it will use more server resources. (This is the reason why recent versions of a certain unnamed plugin are causing people to be kicked off their shared hosting due to excessive entry processes.)

    Moderator bcworkz

    (@bcworkz)

    What’s going to be most efficient is whatever takes the fewest requests sent to WP. You’ll want to avoid how often WP has to be loaded to do anything. REST and/or Ajax can make for a nice interactive user experience, but it can be hard on the server, especially if it’s carrying a heavy load anyway. What’s really most efficient if you need to load WP anyway is the old-fashioned collect everything on a form and submit it all at once for processing. You can still use Ajax if you want, provided all the data is passed at once and handled all at once. It’s the repeated requests every time the user clicks something that will drag down the server.

    If you can manage everything in a single API request, then it would also be a reasonable approach. If you defined your own route/endpoint, this might be possible. Very unlikely if you rely upon the default endpoints. If you can reduce the number of requests to one, it doesn’t really matter how you send the data. Do whatever you are most comfortable with.

    The API does only minimal sanitation, basically addslashes(). Client side sanitation is unreliable. Ideally, you should add more targeted sanitation and validation through filters like “rest_pre_insert_post”.
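
One way to hook the `rest_pre_insert_post` filter named in the reply above, as an added example that is not part of the original thread or of WordPress core. The `nbw_` names, the 120-character title limit and the choice to run `wp_kses_post()` for every user are assumptions made for illustration.

```php
<?php
/**
 * Server-side validation and sanitization for posts written through the
 * default REST endpoint (/wp/v2/posts). Runs inside WordPress, for example
 * from a plugin file. All nbw_ names and limits are assumptions.
 */

const NBW_MAX_TITLE_LENGTH = 120; // assumed limit for this example

/**
 * @param stdClass        $prepared_post Post data about to be inserted or updated.
 * @param WP_REST_Request $request       The incoming REST request (unused here).
 * @return stdClass|WP_Error Returning a WP_Error aborts the request.
 */
function nbw_rest_check_post( $prepared_post, $request ) {
    // Validate the title: reject bad input instead of silently repairing it.
    if ( isset( $prepared_post->post_title ) ) {
        $title = sanitize_text_field( $prepared_post->post_title );
        if ( '' === $title || mb_strlen( $title ) > NBW_MAX_TITLE_LENGTH ) {
            return new WP_Error(
                'nbw_invalid_title',
                'Title must be 1 to ' . NBW_MAX_TITLE_LENGTH . ' characters of plain text.',
                array( 'status' => 400 )
            );
        }
        // Store the stripped form, never the raw client value.
        $prepared_post->post_title = $title;
    }

    // Sanitize the body: keep only HTML allowed in post content. Applied to
    // every user here (assumed policy), including roles that can normally
    // save unfiltered HTML.
    if ( isset( $prepared_post->post_content ) ) {
        $prepared_post->post_content = wp_kses_post( $prepared_post->post_content );
    }

    return $prepared_post;
}
// The filter name is rest_pre_insert_{post_type}; register one per post type.
add_filter( 'rest_pre_insert_post', 'nbw_rest_check_post', 10, 2 );
```

Because the check runs on the server for every request to that endpoint, it still applies when a client bypasses the JavaScript form and calls the API directly.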

    Thanks @diondesigns and @bcworkz, definitely some things I need to think through!
