Exclude self and security
Hello,
Great plugin, but I have a few propositions for it.
First of all, it's security. I believe

```php
$sptitle = $_POST['sptitle'];
```

should become

```php
$sptitle = esc_sql(sanitize_text_field($_POST['sptitle']));
```
And the second issue is that the current post will be shown in the similar list. To avoid this behavior I sent post_id:

```javascript
jQuery("#title").on('keyup', function () {
    // Show a spinner while the request is in flight.
    jQuery("#spresulte").html('<div class="spinner"></div>');

    var sptitle = jQuery(this).val();
    // ID of the post being edited, so the server can exclude it from the results.
    var post_id = jQuery("#post_ID").val();

    jQuery.post(ajaxurl, { sptitle: sptitle, post_id: post_id, action: 'sp_ajax_hook' }, function (t) {
        // admin-ajax.php appends a trailing "0" when the handler does not exit; strip it.
        var e = t.substr(0, t.length - 1);
        jQuery("#spresulte").html(e);
        jQuery('#spresulte').highlight(sptitle);
    });
});
```
and then exclude it from the query:

```php
if ($_POST['sptitle'] != '') {
    // Sanitize the typed title and cast the current post ID to an integer.
    $sptitle = esc_sql(sanitize_text_field($_POST['sptitle']));
    $post_id = (int) $_POST['post_id'];

    $splimit   = get_option('sp_screen_options_limit', 10);
    $spminchar = get_option('sp_screen_options_minchar', 3);
    $splen     = mb_strlen($sptitle);

    if ($splen >= $spminchar) {
        // Note: esc_sql() quotes the value but does not escape LIKE wildcards (% and _).
        $sql = " SELECT * FROM " . $wpdb->prefix . "posts
                 WHERE post_title like '$sptitle%'
                   AND ID != '" . $post_id . "'
                   AND post_status = 'publish'
                 limit 0,$splimit";
        $results = $wpdb->get_results($sql);
        #echo "<xmp>".print_r($results, true)."</xmp>";

        $out = '';
        if (!empty($results)) {
            $out .= "<ul class='postbox'>";
            foreach ($results as $result) {
                // $post_types is the plugin's list of post types to include.
                if (in_array($result->post_type, $post_types)) {
                    $out .= "<li><a href='" . home_url() . "/wp-admin/post.php?post=" . $result->ID . "&action=edit' target='_blank'>"
                          . $result->post_title . "</a> [" . $result->post_type . "]</li>";
                }
            }
            $out .= "</ul>";
        }
        echo $out;
    }
}
```

Hope this would help to make the plugin better. Please let me know if you have GitHub or Bitbucket.
https://www.ads-software.com/plugins/similar-post-title-checker/
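The suggestion above still builds the query by string interpolation and echoes database fields straight into HTML. The following is an added example, not code from the plugin or from the poster, of the same AJAX handler written with `$wpdb->prepare()`, `esc_like()` for the LIKE pattern, a nonce and capability check, and output escaping. The hook name `sp_ajax_hook` and the two `sp_screen_options_*` option names come from the post; the nonce action `sp_title_check`, the `$post_types` list and the handler function name are assumptions made for this example.

```php
<?php
// Added example (not the plugin's own code): hardened version of the
// similar-title AJAX handler described in the post.
// Assumed: nonce action 'sp_title_check' (the JS must send a `nonce` field
// created with wp_create_nonce('sp_title_check')) and the $post_types list.

add_action( 'wp_ajax_sp_ajax_hook', 'sp_hardened_title_check' );

function sp_hardened_title_check() {
    global $wpdb;

    // Reject requests without a valid nonce or from users who cannot edit posts.
    check_ajax_referer( 'sp_title_check', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Normalise the inputs: plain text for the title, a non-negative int for the ID.
    $sptitle = isset( $_POST['sptitle'] ) ? sanitize_text_field( wp_unslash( $_POST['sptitle'] ) ) : '';
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    $splimit    = absint( get_option( 'sp_screen_options_limit', 10 ) );
    $spminchar  = absint( get_option( 'sp_screen_options_minchar', 3 ) );
    $post_types = array( 'post', 'page' ); // constructed list; the plugin supplies its own

    if ( '' === $sptitle || mb_strlen( $sptitle ) < $spminchar ) {
        wp_die(); // nothing to search for; ends the request without the trailing "0"
    }

    // esc_like() escapes %, _ and \ so the user's text cannot widen the pattern;
    // prepare() handles quoting. The post being edited is excluded by ID, and the
    // post-type filter moves into SQL instead of being applied after the fact.
    $like         = $wpdb->esc_like( $sptitle ) . '%';
    $placeholders = implode( ',', array_fill( 0, count( $post_types ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT ID, post_title, post_type FROM {$wpdb->posts}
         WHERE post_title LIKE %s
           AND ID <> %d
           AND post_status = 'publish'
           AND post_type IN ($placeholders)
         LIMIT %d",
        array_merge( array( $like, $post_id ), $post_types, array( $splimit ) )
    );
    $results = $wpdb->get_results( $sql );

    $out = '';
    if ( ! empty( $results ) ) {
        $out .= "<ul class='postbox'>";
        foreach ( $results as $result ) {
            // Escape every database-sourced value before it is echoed as HTML.
            $out .= sprintf(
                "<li><a href='%s' target='_blank'>%s</a> [%s]</li>",
                esc_url( get_edit_post_link( $result->ID, 'raw' ) ),
                esc_html( $result->post_title ),
                esc_html( $result->post_type )
            );
        }
        $out .= '</ul>';
    }
    echo $out;
    wp_die();
}
```

Because the handler ends with `wp_die()`, admin-ajax.php no longer appends a trailing `0`, so the client-side `t.substr(0, t.length - 1)` workaround is not needed with this version.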
Viewing 1 replies (of 1 total)