I am a new WordPress plugin developer. I tried submitting my plugin in WordPress repository, but recieved an error from the review team. The error is like
Data Must be Sanitized, Escaped, and Validated
When you include POST/GET/REQUEST/FILE calls in your plugin, it's important to sanitize, validate, and escape them. The goal here is to prevent a user from accidentally sending trash data through the system, as well as protecting them from potential security issues. Below are the paths they mentioned:
woolive/templates/livecall.php:18: $prodid = $_GET['id'];
woolive/admin/register.php:201: $prodid = (isset($_GET['id']) && !empty($_GET['id'])) ? $_GET['id'] : "";
woolive/admin/settings.php:20: update_option('button_loc_shop_page', $_POST['button_loc_shop_page']);
woolive/admin/settings.php:28:
update_option('button_loc_product_details_page', $_POST['button_loc_product_details_page']);
woolive/admin/settings.php:30: update_option( 'loginpage_slug', $_POST['loginpage_slug'] );
woolive/admin/settings.php:31: update_option( 'howtojoinpage_slug', $_POST['howtojoinpage_slug'] );
Anyone can share how can I do that? Any comments or directions would be really appreciated.
Related
I'm quite new to Wordpress, so please forgive me and correct any mistake I'm making, I'm willing to learn and improve :)
I set up multiple contact forms for applying to fitness courses. People need to fill them, and I get an email with their written data.
What I'm trying to do now is execute some PHP code that writes data into a MySQL database whenever the user correctly fills and sends a contact form.
I also need every contact form to have a unique code "attached" to it, because the PHP code needs this code to write the data inside the database. (simply put, every course has its unique code that i need to write in the database along with the user's data).
So far as I understand, I need to use add_action( 'wpcf7_before_send_mail', 'my_function' ); in a snippet inside functions.php. What I'm trying to achieve now is to attach this code to every contact form (but it mustn't be visible to users) so that my php snippet reads this code and correctly edits the database.
Any clue on where to look? I don't need the code written, just some ideas!
Thank you in advance, have a nice day everybody.
EDIT: I found out there are "hidden fields" in CF7. So, i added these to my test contact form:
[hidden idcorso "6"]
[hidden idgruppo "0"]
Then i'm using this snippet, but it doesn't work:
add_action( 'wpcf7_before_send_mail', 'process_contact_form_data' );
function process_contact_form_data( $contact_data ){
$idcorso = $contact_data->posted_data["idcorso"];
$idgruppo = $contact_data->posted_data["idgruppo"];
if (is_user_logged_in()) {
$idutente = get_current_user_id();
$data = current_time('d-m-Y - g:i');
$stato = 1;
$wpdb->insert("fis_iscrizioni_2018", array('id_utente' => $idutente, 'id_corso' => $idcorso, 'data' => $data, 'stato' => $stato, 'id_gruppo' => $idgruppo) );
}
}
Any clue?
I have written an action that attaches to woocommerce_order_status_completed, and it works fine, adding a bit of meta data to the order. But the email that goes out after order completed seems to go BEFORE this runs, and therefore does not send the meta data in question (it will send it if I rerun the completed order again, but that is because this data is now already in the DB). So what I am looking for is either:
a hook that runs JUST before the completed email sends, OR
a way to have the completed email send AFTER woocommerce_order_status_completed hook
Any ideas or pointers? I looked through the Woocommerce API reference but can't find anything that seems to suit.
UPDATE: found an earlier hook and tried hooking it into
add_action( 'woocommerce_order_status_completed_notification','mysite_woocommerce_order_status_completed',5,1 );
which should run sooner, but STILL the email goes out first (before the meta data is in the DB and can be read. If I "recomplete" the order (putting it back into processing status and then completed again), it will send the meta data (again, this is because it is now in the db)
After much hair pulling, I have come up with a workaround which seems kind of ugly, but hopefully it will help someone else out.
I verified that my hook WAS correctly running before the main email one. (using add_action( 'woocommerce_order_status_completed_notification','mysite_woocommerce_order_status_completed',5,1 );
)
I verified that my meta data WAS correctly inserted into the db BEFORE the email went out
Unfortunately, it still refused to grab my meta data on first send. So I did the following:
I copied the woocommerce/templates/emails/email-order-items.php template into my theme and made the following change:
// Variation
if ( ! empty( $item_meta->meta ) ) {
echo '<br/><small>' . nl2br( $item_meta->display( true, true, '_', "\n" ) ) . '</small>';
// following 5 lines are MY extra code (checking for my meta field 'signup_code')
if (!array_key_exists('signup_code',$item_meta->meta)) {
$suc = wc_get_order_item_meta( $item_id, 'signup_code' );
if ($suc) {
echo '<br/><small>signup_code: ' . $suc . '</small>';
}}
}
It will check for a dupe in the meta array and not output if it already exists. It needs to do this to prevent it showing twice (which it would otherwise do on second send). I can't believe this is all necessary, but I can't find any other pointers anywhere that can address this.
UPDATE:
This was apparently caused by a woo internal caching problem. I had a lengthy discussion with one of the woo devs here:
https://wordpress.org/support/topic/hook-an-action-before-transactional-woocommerce-emails-are-triggeredsent-out/page/2?replies=40#post-8379725
And the upshot is, it will be fixed in a future version, but you can see the changes here:
https://github.com/woothemes/woocommerce/commit/3db3f3796eb28fb79983f605a5a70d61ca114c6d
First of all, I'm not a security expert and new to form validation, password storing and wp plugin development. Any wp plugin tutorial I've been looking at never had a chapter about API passwords. Googling for wordpress password issues didn't return any satisfying results. So that's why I'm asking here.
I want to create a custom Wordpress Plugin which works with a Soap API of another page. To use the Soap API a login is needed. So the Wordpress built in functions add_option(), update_option() and get_option() are all working with plain text.
But I know that in the wp_config file authentication keys can be saved. But how to use them in an option page form to encrypt the password? And would it be possible just to store them in the database, decrypt it and use it in the backend but not showing it on the options page if the user visits that page again. So that the password field just has some black spots in it (not the same amount of the chars of the pass) and the password option only is updated if something is written into that field.
Normally the code is like this:
register_setting( 'my_plugins_option', 'my_options', 'my_validation_function' );
$options = array(
'user' = > 'name',
'password' = > 'pass',
//... other options
)
update_option( 'my_plugins_option', $options );
But how could I make this more secure? I've seen many plugin examples but nothing was about storing passwords. I'm looking for something like this:
function my_validation_function($input){
if($input['password']=='•••••'){
//use the default value of the database if nothing was changed
$old_options=get_option('my_plugins_option');
$input['password']=some_decrypting_function($old_options['password']);
}
else{
//use the password sent from the form
$password=esc_sql(some_encrypting_function($input['password']));
}
// ... validate the other inputs
update_option( 'my_plugins_soap_api_pass', $password );
}
P.S.: This code is not tested yet of course because I don't know how to work with passwords in wordpress plugins and so I wanted to ask for the best practices first.
The other question is: If the modified version of the code from above would work and the password is saved once and never loaded into the Dashboard frontend again (just showing this: '•••••' once typed in) would it be save to work with the get_option() function, decrypt the password and use it in the backend?
Here are a couple recommendations. They aren't specific to WP, but can apply.
1) Save an encrypted password in the options table (use whatever encrypting function you want, just don't write your own)
2) In the options page, simply do NOT output the password. Leave that field blank, and don't require it to be entered if there is already a password stored in the database.
3) Only decrypt the password retrieved from the options table just prior to actually needing it in code.
I had to add a WordPress installation to my CodeIgniter system, so I've put it in a submap called blog and excepted that folder in my .htaccess. All good and well.
I've put the all WordPress tables together with in my CodeIgniter databases with prefix _wp.
I've now loaded the WordPress blog header file into the index.php of CodeIgniter, like so;
require('blog/wp-blog-header.php');
add_filter('site_url', 'ci_site_url', 1);
function ci_site_url() {
include(FCPATH.'/application/config/config.php');
return $config['base_url'];
}
And made a registration method in my Account controller to make an actual link to my Customers. I do this because I want to make the WordPress login/registration obsolete and solely control that from the CodeIgniter login page;
protected function register_wp($email_address = FALSE) {
if ($email_address !== FALSE) {
if (username_exists( $email_address ) == NULL) {
$password = wp_generate_password(12, TRUE);
$user_id = wp_create_user($email_address, $password, $email_address);
wp_update_user(array(
'ID' => $user_id,
'nickname' => $email_address
));
$user = new WP_User($user_id);
$user->set_role('subscriber');
$login_data = array(
'user_id' => $user_id,
'password' => $password,
);
return $login_data;
}
else {
// User already exists with that email address
return FALSE;
}
}
else {
// No email_address given
return FALSE;
}
}
And the login method, to give an idea;
protected function login_wp($user_id = FALSE) {
if ($user_id !== FALSE) {
$user_login = 'admin';
$user = get_userdatabylogin($user_login);
$user_id = $user->ID;
wp_set_current_user($user_id, $user_login);
wp_set_auth_cookie($user_id);
do_action('wp_login', $user_login);
}
else {
// No user_id given
return FALSE;
}
}
All still going well. But here comes the clash; something I was very sad about because everything worked very well up until now:
WordPress overtakes the session and kills CodeIgniter's session.
I already tried tons of things;
session_rename('PHPSESSIDWP'); and then starting another session (with another name) for CodeIgniter after WordPress was loaded
COOKIE path (I'm not 100% sure if I done this right, as it didn't change at all. Read some things online it doesn't work well in all browsers either)
COOKIE domain (seemed to have no effect)
The problem is I can't load the require('blog/wp-blog-header.php'); only in the controller method, as I need to be able to control the logged in state of the WordPress part. Besides that I will get complaints about the site_url() function, that's already claimed by the URL helper.
I think the problem is mainly because both CodeIgniter and WordPress use their own unique way of handling Sessions (CI in the Database and WordPress in "super globals") which probably only makes them use the cookie to remember a "state".
My whole CodeIgniter system already runs on the Database-driven Session models so that's an absolute no-go to make a switch. For WordPress it seems it can't even work with session anymore with it's code features (I know session "do" work, but that doesn't seem to count in any way for the WP core system).
Also I quoted out wp_unregister_GLOBALS(); in the wp-settings.php file.
Plus that I also tried to rename my session COOKIE name in CodeIgniter to use something like session_ci
I really hope someone knows a way to being able to tell CodeIgniter or WordPress to only update their values and don't kill the whole session each time. I also read something about splitting up cookies with .htaccess but can't find good resources on it. So if anyone knows how to do that, I would be eternally grateful.
I'm in despair. Finishing it for 98% and then getting such a letdown in the end :(..
Update
Maybe I can do something in the WordPress section that handles the cookies?
http://codex.wordpress.org/Function_Reference/wp_set_auth_cookie
Sadly I'm not really home in the WordPress world. I solely have to use it this one time due to the bought template that the people really wanted to use in the blog.
Also this page states the following;
WordPress uses the two cookies to bypass the password entry portion of wp-login.php. If WordPress recognizes that you have valid, non-expired cookies, you go directly to the WordPress Administration interface. If you don't have the cookies, or they're expired, or in some other way invalid (like you edited them manually for some reason), WordPress will require you to log in again, in order to obtain new cookies.
I wonder tho, how to bypass that "invalid" check, which probably is the reason it kills the CodeIgniter cookie(s)? Weirdly enough tho, it seems the session_ci value stays, although the session still seems killed.
You need to put your session start at the very top of config.php.
This is the only place a session will not be destroyed by WordPress.
if (!session_id())
session_start();
If your PHP installation does not have register_global enabled, the
above code should allow you to use session, however, if it does, you
will not be able to get the data that was set in previous request.
This is because WordPress will destroy all data contained inside
session variable when it does the initialization.
Here's why and troubleshooting on this -> kanasolution.com
EXPANDED ANSWERS:
Source: http://codex.wordpress.org/WordPress_Cookies
On login, wordpress uses the wordpress_[hash] cookie to store your
authentication details. Its use is limited to the admin console area,
/wp-admin/
After login, wordpress sets the wordpress_logged_in_[hash] cookie, which indicates when you're logged in, and who you are, for
most interface use.
So WordPress clearly dislikes the way that you're writing cookies, maybe their lack of 8 pass MD5 hash etc? WordPress encryption methods
The WordPress Environment
The next thing I would try is integrating your custom login page into the WordPress environment instead of just requiring the header. (lets stay away from editing core)
From WordPress & AJAX by Ronald Huereca page 78 explains manually loading the WordPress environment.
The use of the dirname functions depend on the hierarchy of your file. Adjust them as needed. Code should be used before the tag of your file.
$root = dirname(dirname(dirname(dirname(dirname(__FILE__)))));
if (file_exists($root.'/wp-load.php')) {
require_once($root.'/wp-load.php');
/*Run custom WordPress stuff here */
//Output header HTML, queue scripts and styles, and include BODY content
wp_enqueue_script('my_script', get_stylesheet_directory_uri() . '/my_script.js', array('jquery'), '1.0.0');
wp_print_scripts(array('my_script'));
}
I am currently working on a project based on Symfony 1.4. I am using the sfDoctrineGuardPlugin to authenticate my two kinds of users : users and admins. For each module and each action in a module, I am using credentials to prevent unauthorized actions execution.
But I am facing a problem : if an user wants to edit a project, for example, the URL will look like frontend.php/project/edit/id/1. Here, we suppose that the project #1 belongs to him. Now, let's suppose that project #2 does not belong to him. If he types the URL frontend.php/project/edit/id/2, he will have access to the edit form, and will be able to edit a project that does not belong to him.
How can I prevent that behaviour ?
I would like to avoid verifying the ownership of each editable model before displaying the edit form... But can I do differently ?
Do you have any good practice or advices to prevent this behaviour ?
Thanks a lot !
Since you will have to check in the projet to know if the current user is allowed to edit the project, I don't think you will have other way than verifying before the edit, in the action part. Why don't you want to do it this way?
This check can be done inside the preExcute function:
public function preExecute()
{
$request = $this->getRequest()
if ($request->hasParameter('id'))
{
$project = Doctrine_Core::getTable('Project')->find($request->getParameter('id'));
$user_id = $this->getUser()->getGuardUser()->getId();
$this->forward404If(
$project->getUserId() !== $user_id,
'User #'.$user_id.' is not allowed to edit project #'.$project->getId()
);
}
}