Using sprintf in shortcode

Hi Guido,

I’m not sure about using sprintf.
But I normally do it like below:

$content = ‘[my-form’;
if ( !empty( $instance[‘attributes’] ) ) {
$content = ‘ ‘.$instance[‘attributes’];
}

$content = ‘]’;
//echo $content;
echo do_shortcode( $content );

Hopefully it helps you.

Thanks, I like that, clean and simple ??

Guido

Hi again,

Justed tested it, but does not work. This part isn’t correct I think:

$content = ' '.$instance['attributes'];

So I changed it into this:

$content = '[my-form';
if ( !empty( $instance['attributes'] ) ) {
	$content = $instance['attributes'];
}
$content = ']';
echo do_shortcode( $content );

But now only ] is displayed in frontend.

Guido

Hey Guido,

You are repeatedly assigning new values to $content in your use of ‘=’ . In order to append more content to the existing value you need to use the combination concatenation/assignment operator ‘.=’ (dot equals) in all but the first use of ‘=’ .

Hi BC,

Of course, stupid me:

$content = '[my-form ';
if ( !empty( $instance['attributes'] ) ) {
	$content .= $instance['attributes'];
}
$content .= ']';
echo do_shortcode( $content );

Guess I should use this in stead of a sprintf?

Guido

I hate it when I make a silly mistake for all to see. Still, it seems I continue to do so almost every day ??

Either way will work. sprintf() doesn’t output anything despite the use of “print”. You still need to echo out what ever is returned, so it mainly comes down to personal preference.

Whichever way you go, be sure that you use $instance['attributes'] only inside the if( !empty()) logic otherwise warnings or errors will be triggered if it is not defined.

I normally use the sprintf only for text related strings, so that’s why I was wondering.

Thanks again for your detailed explanation! Btw, do you also have your own (portfolio) website? Just curious.

Guido

Shortcodes are essentially text expanders, so still text strings, and whatever works with strings is fair game!

Yeah, there’s a website, but it’s not a portfolio. It’s kind of a blog, but curiously it’s not WP based! Hand coded ?? Recently it’s been mostly articles about hacking WP, things not covered too well in the Codex. I’ve occasionally referred people there though I try to use www.remarpro.com resources when possible. The plugin developer’s handbook has a lot of good stuff, I contributed to it based on some of my website’s articles. (The AJAX and Meta box sections of the handbook FWIW)

Hi ‘bc’,

I will definitely take a look, thanks.

Guido

Unfortunately shortcode is not allowed for themes:

The theme uses the add_shortcode() function. Custom post-content shortcodes are plugin-territory functionality.

So I have to think about another solution or remove the shortcode again.

Have a nice couple of days ??

Guido

Your theme is using something like
echo do_shortcode( '[my-form]' );
So there must be something like
add_shortcode('my-form', 'my-form-handler');

Instead of all the shortcode stuff, you could just do
echo my-form-handler();

Of course passing attributes would no longer work, but you could pass parameters the normal way
my-form-handler( $instance['attributes'] )
Then in the handler function, the values in $instance['attributes'] could be extracted and used. Naturally, then the function no longer works as a shortcode handler, but it serves the ultimate purpose of outputting relevant content none the less. Thus you essentially have a template tag instead of a shortcode, which are certainly acceptable in themes.

FYI, shortcodes will work in themes just fine (as you know), but themes are supposed to style and format content, not generate content. Shortcodes generate content, that is why there’s an issue. Of course template tags could generate content, and shortcodes might only output a theme form, not user content. The division between user content and theme content (i.e. forms) is not always clearly defined, but generally speaking it’s understandable to not allow shortcodes in themes because of what they are typically used for. If you are not using shortcodes for what they are typically used for, you have other options, like template tags ??

Hi BC,

Thanks again.

I was working on a major theme update including a function to add the shortcode attributes via the Customizer but this is rejected because of the shortcode (I now understand why). So I should build a function including the attributes and echo the content. Great idea.

Another thing, are you able and willing to help me concerning this? If yes, I will contact you via your website.

Guido

Oh my! That must be a very disturbing discovery, you have my condolences. I like to think I’m pretty good at creative solutions to custom WP coding, but that is not necessarily related to identifying security holes. For that one needs to think like a hacker, but that is not how my mind works. I do not feel I’m qualified to help you in that manner.

Still, a fresh set of eyes may be better than nothing, I’d be willing to take a quick look to see if anything obvious jumps out. My review would not be any kind of indication that your code is safe, but I might notice something. I won’t have time until next week. I also cannot look through all of your code (you’ve been busy!) Is there a particular theme and/or plugin you suspect more than others? You may as well answer here. You never know, someone else may be willing to look as well. We’re all part of the same community ??

BTW, no need to feel responsible for hacks to a site with 777 permissions! I’m not that surprised someone would do that, but seriously, what are they thinking? Oh, the naiveté of some!

Hi,

Don’t want to discuss it here anyfurther because it’s off topic and I don’t want to get banned ??

The common factor of all websites is they have one of my themes and one of my plugins installed.

Another common factor is my FTP software because I made a rookie mistake to store many logins there. And using a not so poplar FTP client CoreFTP.

Guido