Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor Eran Miller

    (@eranmiller)

    koolvin,

    Given the nature of WordPress usage, I purposely opted not to create a front-end administrative menu for the calendar. If you decide to pursue coding one on your own, be sure to include sufficient ajax security (nonces, etc…) to the event database actions so your site doesn’t get easily hijacked by hackers.

    Eran

    Thread Starter koolvin

    (@koolvin)

    I’ve reused your functions, so assuming that you protected it at all, it’s protected. Otherwise, I’ve made sure to sanitize everything entering the database.

    Plugin Contributor Eran Miller

    (@eranmiller)

    koolvin,

    My plugin utilizes the security built into the administration section of WordPress; front-end interactions enjoy no such luxury and require the additional measures mentioned above – hence the caveat.

    Eran

    Thread Starter koolvin

    (@koolvin)

    Alright, so far all that I’ve done is mysql_real_escape_string the input, what else do you suggest?

    Plugin Contributor Eran Miller

    (@eranmiller)

    The concern is not over SQL injection – the plugin already employs prepared statements for all database actions. As indicated above, the concern is about “ajax security” – to learn more, search for “WordPress and ajax and nonces”.

    Eran

    Thread Starter koolvin

    (@koolvin)

    I can’t get the nonce to work; I’ve got it sending in admin-event.php:

    // action string is built from the timestamp that is also sent in the form
    $nonce = wp_create_nonce( "nonce$timeg" );
    ?>
    ...
        <input type="hidden" name="_wpnonce" id="_wpnonce" value="<?php echo esc_attr( $nonce ); ?>" />
        <input type="hidden" name="noncet" value="<?php echo esc_attr( $timeg ); ?>">

    and checking in ajax-event-calendar.php -> process_event():
    // rebuild the same action string from the posted timestamp and verify
    if ( ! isset( $_POST['_wpnonce'], $_POST['noncet'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'nonce' . $_POST['noncet'] ) ) { die(); }

    Any idea what I’m doing wrong?

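The “ajax security” Eran refers to in his replies, and the nonce handshake koolvin is attempting above, as one complete added example. This is not code from the thread or from the Ajax Event Calendar plugin; the hook name, AJAX action, capability, table name and field names are all assumptions chosen for illustration. A fixed action string is enough for the nonce, because wp_create_nonce() already binds the value to the current user, the session token and a 12 to 24 hour tick, so no per-request timestamp has to travel with the form.

```php
<?php
/*
 * Added example, not the plugin's code. Every hook, action name, table name
 * and field below is an assumption for illustration. Drop it into a plugin
 * file to see the front-end nonce pattern end to end.
 */

// 1. Front end: load the client script and hand it the AJAX URL plus a nonce.
add_action( 'wp_enqueue_scripts', 'fe_calendar_enqueue' );
function fe_calendar_enqueue() {
    wp_enqueue_script( 'fe-calendar', plugins_url( 'fe-calendar.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'fe-calendar', 'feCalendar', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'fe_calendar_save_event' ), // fixed action string
    ) );
}
/* The client (fe-calendar.js, not shown) posts the nonce with every write, e.g.:
 *   jQuery.post( feCalendar.ajaxUrl, {
 *       action: 'fe_calendar_save_event',
 *       nonce:  feCalendar.nonce,
 *       title:  'Team meeting',
 *       start:  '2012-05-01 10:00'
 *   } );
 */

// 2. Server: register only the logged-in hook. Leaving out wp_ajax_nopriv_*
//    means anonymous visitors get the default "0" response and never reach
//    the handler, so the event table cannot be written to without a session.
add_action( 'wp_ajax_fe_calendar_save_event', 'fe_calendar_save_event' );

function fe_calendar_save_event() {
    global $wpdb;

    // Nonce check. check_ajax_referer() reads $_REQUEST['nonce'] here and, on
    // failure, dies with -1 (HTTP 403 on AJAX requests) before any DB work.
    check_ajax_referer( 'fe_calendar_save_event', 'nonce' );

    // A nonce only proves the request came from a form this user was served.
    // It says nothing about what the user may do, so check a capability too.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Sanitize and validate input; wp_unslash() undoes WordPress' slashing of $_POST.
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $start = sanitize_text_field( wp_unslash( $_POST['start'] ?? '' ) );
    $dt    = DateTime::createFromFormat( 'Y-m-d H:i', $start );
    if ( '' === $title || ! $dt || $dt->format( 'Y-m-d H:i' ) !== $start ) {
        wp_send_json_error( 'invalid title or start time', 400 );
    }

    // Prepared statement: placeholders rather than string concatenation or
    // mysql_real_escape_string(), even though the values are already sanitized.
    $table = $wpdb->prefix . 'fe_calendar_events'; // assumed table name
    $ok = $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (title, start_time, user_id) VALUES (%s, %s, %d)",
        $title,
        $dt->format( 'Y-m-d H:i:s' ),
        get_current_user_id()
    ) );
    if ( false === $ok ) {
        wp_send_json_error( 'database error', 500 );
    }

    wp_send_json_success( array( 'id' => (int) $wpdb->insert_id ) );
}
```

The three checks are layered on purpose: the nonce stops cross-site request forgery from a page the user did not load from this site, the missing nopriv hook plus the capability check stop logged-out and under-privileged users, and the prepared statement stops SQL injection. Escaping the input alone, as with mysql_real_escape_string(), covers only the last of these.
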
    Plugin Contributor Eran Miller

    (@eranmiller)

    I’m sorry, but I don’t have the time to help with your questions. It’s difficult enough finding the time to keep the momentum going on my plugin’s core features, let alone another implementation.

    I wish you success in your endeavors.
    Eran

    Thread Starter koolvin

    (@koolvin)

    I figured it out anyway, thanks for all your help.

  • The topic ‘Front End Administrative menu’ is closed to new replies.