Forum Replies Created

Viewing 15 replies - 1 through 15 (of 92 total)
    Thread Starter johnywhy

    (@johnywhy)

    Thanks for that.

    How can I prevent someone from changing the default role for new users? Currently, anyone can set it to Admin. I believe that’s a vulnerability.

    Thread Starter johnywhy

    (@johnywhy)

    I’m not asking to exclude specific users.

    I’m asking to exclude all users.

    Thread Starter johnywhy

    (@johnywhy)

    But for your use-case, I think custom post type for team members with the Query Loop block would be best.

    @sc0ttkclark

    Query Loop block is the Answer!

    thx!

    • This reply was modified 1 year, 1 month ago by johnywhy.
    Thread Starter johnywhy

    (@johnywhy)

    I thought you meant, between post-types.

    Can you be a little more specific?

    If you only want to list content that relates to the current context/page, that’s what I meant.

    @sc0ttkclark

    example of “content”?

    Thread Starter johnywhy

    (@johnywhy)

    Thanks, @sc0ttkclark . What do you mean by “relationships”? Do you mean, between post-types?

    • This reply was modified 1 year, 1 month ago by johnywhy.
    Thread Starter johnywhy

    (@johnywhy)

    “Repeater Field” seems to be the common name for this.

    Pods Repeater plugin might work.

    Thread Starter johnywhy

    (@johnywhy)

    Perhaps someone out there knows ??

    Thread Starter johnywhy

    (@johnywhy)

    Thx, @sterndata. You’re encouraging me to search plugins. That’s cool!

    Altho’, your suggested search-terms (“team” and “products”) aren’t related to my question at all.

    More relevant terms are “repeating block patterns”. With that, I found

    https://www.ads-software.com/plugins/superb-blocks/

    It’s not apparent that would support my request.

    Now I’m searching “data blocks”.

    Does WP’s native block system natively support data-driven, repeating elements/blocks? I looked at the Table block, but I didn’t see any way to connect it to a data-source. Generally, I always prefer using native features before installing a plugin.

    It would be great if there was a way to use backend data to feed any parameter of any kind of block.

    Thx!

    • This reply was modified 1 year, 1 month ago by johnywhy.
    Thread Starter johnywhy

    (@johnywhy)

    With your experience you should know all about escaping user input, and when it is required.

    –my experience is desktop, not web, but that’s beside the point. As a database developer, I well understand the importance of protecting the database from potential SQL injection attacks.

    But we’re talking here specifically about the WordPress function get_var, not web programming in general. According to what I’ve read, get_var does the escaping for you automatically, in all cases. I’m trying to get a straight “yes” or “no” answer on that. You have failed to answer the OP.

    Yes, and no. The reason for doing this is to get everyone used to using the $wpdb->prepare() function, which will give you more chance of using it when it’s really needed.

    That’s NOT factual information. It’s crusading.

    Thread Starter johnywhy

    (@johnywhy)

    Yes, I understand what you’re doing. There’s no need to repeat yourself.

    And that may be very helpful to inexperienced programmers.

    Those who, like myself, have decades of professional programming experience, will be looking for factual answers.

    So, while you have good intentions for beginners, you are at the same time insulting, misleading, and wasting the time of people who are looking for correct information.

    Thread Starter johnywhy

    (@johnywhy)

    So, you’re definitely saying that SmashingMagazine article is incorrect.

    Or, are you?

    It’s difficult to tell from your answers which are the facts, and which is your recommendation. You mix your recommendation together with the facts, so I’m not sure which is which.

    Therefore, I still don’t feel this question has been answered unambiguously.

    Anyone else out there able to offer a straight answer, without blurring the facts with your opinions?

    thx

    Thread Starter johnywhy

    (@johnywhy)

    In some (not many at all) cases it may be acceptable, but for the sake of a few extra CPU cycles to guarantee that your query is safe, there’s no reason not to.

    OK, I get that you’re campaigning for always using prepare, even in cases where it’s not needed. For the sake of straight information, let’s just keep the facts separate from your recommendation. Let’s be clear that prepare is only needed where there is user-entered data in a variable.

    Many thanks for providing the safe version of my query!

    thx

    Thread Starter johnywhy

    (@johnywhy)

    The only time that you don’t use prepare is when you have something where there is no variables

    Even if the variables are not user-entered?

    I’d also recommend that you use $wpdb->prefix as well instead of hard-coding the prefix in there. Might not make a difference, there’s always a chance.

    Yes, it’s my intention to use the table-prefix function. But, a “chance” of what?

    Thread Starter johnywhy

    (@johnywhy)

    Very awesome answer.

    I’m still not understanding your note about “every other value”.

    I’ve seen some examples which wrap prepare around individual terms within the SQL query, instead of the whole query as you’ve done. Your way is certainly easier to write and read. Is there a difference?

    The reason for doing this is to get everyone used to using the $wpdb->prepare() function, which will give you more chance of using it when it’s really needed

    Well, OK, I’d rather just understand and use it where it needs to be used.

    thx

    Thread Starter johnywhy

    (@johnywhy)

    OK, thx for the clarification. Some follow-up:

    If the WHERE parameter I’m passing into my function is a dropdown selector control on the webpage, then that is user-entered data. But, it’s restricted to the values in the dropdown picker. I’m wondering if a savvy user could bypass the picker, and submit the form with values that are not in the picker (eg DROP users). Is that a valid concern with a selector control? I posted the wrong code. THIS is my function. Is it safe with a selector control?

    function bp_Get_FieldgroupID($FieldgroupName){
        global $wpdb;
        // $FieldgroupName is interpolated straight into the SQL text (the question is whether this is safe)
        $query = "SELECT ID FROM wp_t9s5y8_bp_xprofile_groups WHERE name = '$FieldgroupName'";
        return $wpdb->get_var($query);
    }

    ====
    Is your escaped code an example of escaping “every other value”, as you recommended above?

    $query = $wpdb->prepare("SELECT ID FROM {$wpdb->posts} WHERE post_title = %s", $_POST['user_var']);

    ====

    you should use $wpdb->prepare() for creating almost all SQL queries that you need.

    Would it be more correct to say, “you should use $wpdb->prepare() for creating all SQL queries that include user-entered data.”

    thx!
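The points raised across the last several replies (whether a dropdown value counts as user input, wrapping the whole query in $wpdb->prepare(), and using $wpdb->prefix instead of a hard-coded table prefix) can be shown side by side. The following is an added example written for this page, not code posted by johnywhy or by the other participants; it assumes WordPress is loaded so that $wpdb, wp_unslash() and sanitize_text_field() are available, and the function names and the $allowed_groups allow-list are hypothetical.

```php
<?php
// Added example (not the forum poster's code). Assumes WordPress is loaded
// and $wpdb is available; the table name follows the poster's BuddyPress
// table but with $wpdb->prefix instead of a hard-coded "wp_t9s5y8_" prefix.

// UNSAFE: the argument is interpolated straight into the SQL text.
// A dropdown limits what the browser *offers*, not what a client can *send*;
// the POST body can carry any string, so the query text is attacker-controlled.
function bp_get_fieldgroup_id_unsafe( $fieldgroup_name ) {
    global $wpdb;
    $query = "SELECT ID FROM {$wpdb->prefix}bp_xprofile_groups WHERE name = '$fieldgroup_name'";
    return $wpdb->get_var( $query );
}

// SAFE: $wpdb->prepare() binds the value through the %s placeholder, so
// whatever is submitted is compared as a string literal and never parsed
// as SQL. The whole statement is passed to prepare(), not individual terms.
function bp_get_fieldgroup_id( $fieldgroup_name ) {
    global $wpdb;
    $query = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->prefix}bp_xprofile_groups WHERE name = %s",
        $fieldgroup_name
    );
    return $wpdb->get_var( $query );
}

// Defence in depth for a selector control: re-check the picker's choices on
// the server, because the client-side restriction is not enforceable.
// $allowed_groups is a hypothetical allow-list built from your own data
// (e.g. the group names you rendered into the dropdown).
function bp_get_fieldgroup_id_from_request( array $allowed_groups ) {
    if ( ! isset( $_POST['fieldgroup'] ) ) {
        return null;
    }
    $submitted = sanitize_text_field( wp_unslash( $_POST['fieldgroup'] ) );
    if ( ! in_array( $submitted, $allowed_groups, true ) ) {
        return null; // not one of the picker's values: reject before querying
    }
    return bp_get_fieldgroup_id( $submitted );
}
```

The allow-list check is what answers the "savvy user bypasses the picker" concern: the prepared statement already stops the submitted value from being executed as SQL, and the allow-list additionally stops the request from reaching the database with a value the form never offered.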
