Custom page titles esc_url_raw($_SERVER['REQUEST_URI'])

  • Hey,
    I’m using this hack for custom page titles:

    https://digwp.com/2010/04/custom-page-titles/

    // Custom Page Titles
add_action('admin_menu', 'custom_title');
add_action('save_post', 'save_custom_title');
add_action('wp_head','insert_custom_title');
function custom_title() {
	add_meta_box('custom_title', 'Change page title', 'custom_title_input_function', 'post', 'normal', 'high');
	add_meta_box('custom_title', 'Change page title', 'custom_title_input_function', 'page', 'normal', 'high');
}
function custom_title_input_function() {
	global $post;
	echo '<input type="hidden" name="custom_title_input_hidden" id="custom_title_input_hidden" value="'.wp_create_nonce('custom-title-nonce').'" />';
	echo '<input type="text" name="custom_title_input" id="custom_title_input" style="width:100%;" value="'.get_post_meta($post->ID,'_custom_title',true).'" />';
}
function save_custom_title($post_id) {
	if (!wp_verify_nonce($_POST['custom_title_input_hidden'], 'custom-title-nonce')) return $post_id;
	if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) return $post_id;
	$customTitle = $_POST['custom_title_input'];
	update_post_meta($post_id, '_custom_title', $customTitle);
}
function insert_custom_title() {
	if (have_posts()) : the_post();
	  $customTitle = get_post_meta(get_the_ID(), '_custom_title', true);
	  if ($customTitle) {
		echo "<title>$customTitle</title>";
      } else {
    	echo "<title>";
	      if (is_tag()) {
	         single_tag_title("Tag Archive for ""); echo '" - '; }
	      elseif (is_archive()) {
	         wp_title(''); echo ' Archive - '; }
	      elseif ((is_single()) || (is_page()) && (!(is_front_page())) ) {
	         wp_title(''); echo ' - '; }
	      if (is_home()) {
	         bloginfo('name'); echo ' - '; bloginfo('description'); }
	      else {
	          bloginfo('name'); }
	      if ($paged>1) {
	         echo ' - page '. $paged; }
        echo "</title>";
    }
    else :
      echo "<title>Page Not Found | Envision</title>";
	endif;
	rewind_posts();
}

    I have a custom mysql table with movie id and title and a “view-movie” page and I want to display the movie-title inside the <title>.
    The esc_url_raw($_SERVER[‘REQUEST_URI’]) will return like: /view-movie/?id=70
    I modified the code like this:

    echo "<title>";
        $v_m_a = explode('/', esc_url_raw($_SERVER['REQUEST_URI']));
         if (in_array("view-movie", $v_m_a)) {
            $id = $_GET["id"];
            global $wpdb;
            $results = $wpdb->get_results("SELECT * FROM wp_mycustomtable WHERE id = $id");
            foreach($results as $r) { echo $r->Titel; echo ' - '; }
          } elseif (is_tag()) {
             single_tag_title("Tag Archive for ""); echo '" - '; }
          elseif (is_archive()) {
             wp_title(''); echo ' Profil - '; }
          elseif ((is_single()) || (is_page()) && (!(is_front_page())) ) {
             wp_title(''); echo ' - '; }
          if (is_home()) {
             bloginfo('name'); echo ' - '; bloginfo('description'); }
          else {
              bloginfo('name'); }
          if ($paged>1) {
             echo ' - page '. $paged; }
        echo "</title>";

    It is working fine. But is it save to use esc_url_raw($_SERVER[‘REQUEST_URI’]) or is there maybe a better way?

Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    I don’t consider myself a security expert, and the following is my own opinion and is not any sort of authoritative statement on the subject.

    If the code you posted is the entire context of the use of $_SERVER['REQUEST_URI'], you don’t need to do anything because the value is not saved, used in SQL, or output in any form. It is merely used to determine if the exploded result has ‘view-movie’ in it or not. Any possibly bad stuff in the URL can never be used for anything in this context.

    It doesn’t hurt to escape it anyway if you’re skeptical. Escaping is principally used to sanitize output. When dealing with input that is used in SQL, we should use $wpdb->prepare() on the SQL string which escapes any problem characters that occur in the SQL query. High level WP functions will use $wpdb->prepare() internally prior to making a query. We do not need to escape such data. It’s when we make our own queries that we need to explicitly use $wpdb->prepare().

    The ‘best’ way to sanitize data depends entirely on the context.

Viewing 1 replies (of 1 total)
  • The topic ‘Custom page titles esc_url_raw($_SERVER['REQUEST_URI'])’ is closed to new replies.