• First, sorry for the length.

    So I am working on my first plugin and trying to submit it to be published. In a nutshell, the plugin uses the Entity Attribute Value data model and allows the user to create tables and fields and to store data. Because of that dynamic nature, the forms used to enter data are created dynamically, so when the user pushes the submit button the code at runtime doesn't know which fields are being submitted. So I have code like this:

    if ( isset( $_POST['submit'] ) ) {
        $keyarray   = array_keys( $_POST );
        $valarray   = array_values( $_POST );
        $insert_tbl = sanitize_text_field( $_POST['tablename'] );

    The issue/problem that I am having is that in submitting the plugin, the response is that I "don't really NEED the entire $_POST stack. You don't. You should be using a proper key for your code (like $_POST['YOUR_PLUGIN_NAME']) and then you can process everything in that. It will prevent you from accidentally leaking data, make your plugin faster, and be overall more secure."

    Because I don't know the values (everything is driven by the database), I need to look at all of $_POST to find the field names and their values. So how do I explain this?

    Below is the code where I use both $keyarray and $valarray. I use $keyarray to get the field name (which is stored in the database) and $valarray for that field's value, as shown in the code below.

    global $wpdb;

    $sz = sizeof( $_POST );
    // find new row number (MAX() of an empty table is NULL, which becomes 0)
    $maxid = $wpdb->prepare(
        "SELECT MAX(entity_id) AS maxid FROM eav_entity WHERE entity = %s",
        $v_entity
    );
    $result_tbl1 = $wpdb->get_row( $maxid );
    $v_entity_id = ( $result_tbl1 ? (int) $result_tbl1->maxid : 0 ) + 1;

    for ( $i = 0; $i < $sz; $i++ ) {
        $fieldname = sanitize_text_field( $keyarray[ $i ] );
        if ( $fieldname == 'tablename' || $fieldname == 'submit' ) {
            continue;
        }
        // look up the attribute id for this field name; the name goes through
        // prepare() rather than being concatenated into the SQL
        $fieldid = $wpdb->prepare(
            "SELECT entity_attrib FROM eav_attrib WHERE entity_name = %s",
            $fieldname
        );
        $result_fld = $wpdb->get_row( $fieldid );
        if ( ! $result_fld ) {
            continue; // not one of the defined fields, skip it
        }
        $v_entity_attrib = sanitize_text_field( $result_fld->entity_attrib );
        $prep = $wpdb->prepare(
            "INSERT INTO eav_entity (entity, entity_id, entity_attrib, val_char) VALUES (%s, %s, %s, %s)",
            $v_entity,
            $v_entity_id,
            $v_entity_attrib,
            sanitize_text_field( $valarray[ $i ] )
        );
        $return = $wpdb->query( $prep );
        if ( $return != 1 ) {
            echo "<p>Insert into eav_entity failed - wpdb->last_error: " . esc_html( $wpdb->last_error ) . "</p>";
        }
        $wpdb->flush();
    }

    Thanks for your help, and if anyone is interested, let me know; I would be willing to show you more.

    thanks
    -brad

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator bcworkz

    (@bcworkz)

    I may be wrong, but I think they're saying $_POST can contain values unrelated to your plugin. I think they're suggesting you compile all relevant data into an array or JSON string and pass it all as a single $_POST['my-plugin-name'] value. Then you're assured of only getting relevant data.

    Thread Starter Bradley Smith

    (@mobilebsmith)

    Thanks, I will investigate, but how is that safer than just using $_POST? I mean couldn’t someone also fake the objects/strings in the array or json definition? My code does do a match against the defined fields, so if there was something in there that didn’t match, my code would just skip it.

    thanks!
    -brad

    Thread Starter Bradley Smith

    (@mobilebsmith)

    Also I am curious if:

    // prevent XSS
    $_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
    $_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

    this would work also?

    thanks
    -brad

    how is that safer than just using $_POST? I mean couldn’t someone also fake the objects/strings in the array or json definition? My code does do a match against the defined fields, so if there was something in there that didn’t match, my code would just skip it.

    There could be any number of other plugins with entries in $_POST. Your plugin should only handle its own data, so you need to distinguish it from all other data. Using $_POST['submit'] so generically isn’t good either. You need to be checking user capabilities, and your code should not be invoked for another plugin’s form.
    You should look at the code for phpMyAdmin which is basically what you are trying to do. There are plugins that run this (or a watered down version) within WordPress. Read the code for how to make it secure.
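    Putting the two replies together, the following is an added example (editor's illustration, not code from the original post and not the plugin under review) of the handler shape the reviewer is asking for: the form puts every plugin input under one namespaced key, the handler reacts only when that key is present, verifies a nonce and a capability before touching the database, accepts a dynamic field only if the attribute table defines it, and passes every value through $wpdb->prepare() or $wpdb->insert(). The tables eav_entity and eav_attrib and their columns are taken from the post; the key 'eav_plugin', the nonce action 'eav_save_entity', the 'manage_options' capability and the function names are assumptions made for the example.

```php
<?php
// Added example, not the original poster's code. Assumed for illustration:
// the eav_entity / eav_attrib tables from the post (eav_attrib maps
// entity_name -> entity_attrib), the form key 'eav_plugin', the nonce action
// 'eav_save_entity' and the 'manage_options' capability.

// Render the form. Every input this plugin owns sits under one key, so the
// handler never scans the whole of $_POST, and a nonce ties the form to the
// action that will process it.
function eav_render_form( $entity, array $field_names ) {
    echo '<form method="post">';
    wp_nonce_field( 'eav_save_entity', 'eav_nonce' );
    printf(
        '<input type="hidden" name="eav_plugin[tablename]" value="%s">',
        esc_attr( $entity )
    );
    foreach ( $field_names as $name ) {
        printf(
            '<p><label>%1$s <input type="text" name="eav_plugin[fields][%1$s]"></label></p>',
            esc_attr( $name )
        );
    }
    echo '<p><button type="submit" name="eav_plugin[save]" value="1">Save</button></p>';
    echo '</form>';
}

// Process the submission. Returns null when this form was not submitted,
// a WP_Error when something was rejected, or the new entity_id on success.
function eav_save_entity() {
    global $wpdb;

    // Not our form: do nothing, whatever else another plugin put in $_POST.
    if ( ! isset( $_POST['eav_plugin'] ) || ! is_array( $_POST['eav_plugin'] ) ) {
        return null;
    }
    $in = wp_unslash( $_POST['eav_plugin'] ); // WordPress adds slashes to request data
    if ( empty( $in['save'] ) ) {
        return null;
    }

    // CSRF token and capability are checked before any database access.
    $nonce = isset( $_POST['eav_nonce'] ) ? sanitize_key( $_POST['eav_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'eav_save_entity' ) ) {
        return new WP_Error( 'eav_bad_nonce', 'Invalid or expired form token.' );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'eav_forbidden', 'You are not allowed to save this data.' );
    }

    $entity = sanitize_text_field( isset( $in['tablename'] ) ? $in['tablename'] : '' );
    $fields = ( isset( $in['fields'] ) && is_array( $in['fields'] ) ) ? $in['fields'] : array();
    if ( '' === $entity || empty( $fields ) ) {
        return new WP_Error( 'eav_no_data', 'Nothing to save.' );
    }

    // Allow-list the dynamic keys: a field is accepted only if eav_attrib
    // defines it. A stray key or a nested array is dropped, not stored.
    $rows = array();
    foreach ( $fields as $name => $value ) {
        $name = sanitize_text_field( $name );
        if ( '' === $name || is_array( $value ) ) {
            continue;
        }
        $attrib = $wpdb->get_var( $wpdb->prepare(
            'SELECT entity_attrib FROM eav_attrib WHERE entity_name = %s',
            $name
        ) );
        if ( null === $attrib ) {
            continue; // not a field this plugin defined
        }
        $rows[ $attrib ] = sanitize_text_field( $value );
    }
    if ( empty( $rows ) ) {
        return new WP_Error( 'eav_no_fields', 'No recognised fields were submitted.' );
    }

    // Next row number for this entity. MAX() of an empty table is NULL, which
    // (int) turns into 0. Two concurrent saves can still pick the same number;
    // an AUTO_INCREMENT column is the robust fix.
    $entity_id = (int) $wpdb->get_var( $wpdb->prepare(
        'SELECT MAX(entity_id) FROM eav_entity WHERE entity = %s',
        $entity
    ) ) + 1;

    foreach ( $rows as $attrib => $value ) {
        // $wpdb->insert() builds the prepared statement from the format array.
        $ok = $wpdb->insert(
            'eav_entity',
            array(
                'entity'        => $entity,
                'entity_id'     => $entity_id,
                'entity_attrib' => $attrib,
                'val_char'      => $value,
            ),
            array( '%s', '%d', '%s', '%s' )
        );
        if ( false === $ok ) {
            return new WP_Error( 'eav_insert_failed', $wpdb->last_error );
        }
    }
    return $entity_id;
}
```

    Call eav_save_entity() from the plugin's admin page callback before rendering, and when is_wp_error( $result ) is true, print esc_html( $result->get_error_message() ). Two caveats that follow from the thread: the stored values still have to be escaped when they are displayed (esc_html() or esc_attr() at output time is the control against XSS; sanitizing on input is not a substitute), and a blanket filter_input_array( INPUT_POST, FILTER_SANITIZE_STRING ) is neither an output-escaping step nor future-proof, because FILTER_SANITIZE_STRING has been deprecated since PHP 8.1.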

    Thread Starter Bradley Smith

    (@mobilebsmith)

    Thanks for the advice, I guess I have more reading to do.

  • The topic ‘don’t really NEED the entire $_POST stack?’ is closed to new replies.