Entwicklung eines sicheren Frontend-Formulars zum Einreichen von Beiträgen

Ich möchte einer meiner WordPress-Seiten eine Frontend-Funktionalität hinzufügen. Um mehr Kontrolle zu haben und besser zu verstehen, wie das funktioniert (ich bin kein professioneller Programmierer), habe ich mich entschieden, als Grundlage für zukünftige Entwicklungen eine Lösung von der wpkb.com-Seite zu verwenden (siehe den folgenden Code). Diese Lösung funktioniert, aber die Frage ist: Wie gut ist sie gegen Sicherheitsprobleme bzw. böswillige Angriffe geschützt?

Zweitens: Wenn ein neuer Beitrag eingereicht wird, wird er zwar gespeichert, aber dabei erscheint auch ein PHP-Hinweis (Notice), und ich verstehe nicht, warum:

Notice: Undefined variable: hasError in …/submit-from-front.php on line 106

Das ist Zeile 106:

//Check if any error was detected in validation. if($hasError == true) { 

Der vollständige Code:

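 class WPSubmitFromFront {

    /** Absolute filesystem path of the plugin directory. */
    protected $pluginPath;

    /** Public URL of the plugin directory (used for the stylesheet). */
    protected $pluginUrl;

    public function __construct() {
        // Set Plugin Path
        $this->pluginPath = dirname( __FILE__ );

        // Set Plugin URL
        $this->pluginUrl = WP_PLUGIN_URL . '/submitfromfront';

        // Add CSS for the form.
        add_action( 'wp_enqueue_scripts', array( $this, 'addStyles' ) );

        // Add the short code
        add_shortcode( 'post_from_front', array( $this, 'handleFrontEndForm' ) );
    }

    /**
     * Shortcode callback: shows the login hint, processes a submission, or
     * renders the form.
     *
     * A shortcode callback must *return* its markup. Anything echoed here is
     * printed before the post content instead of where the shortcode sits,
     * so the output of the (echoing) template methods is captured with
     * output buffering and returned.
     *
     * NOTE(review): isNonceSet(), isFormValid() and createPost() are not
     * visible in this listing. For the nonce to protect against CSRF,
     * isNonceSet() must call wp_verify_nonce() rather than only isset() --
     * confirm that. Also, because everything runs while the content is being
     * rendered, headers are already sent and no redirect is possible after a
     * successful insert: a browser refresh re-submits the form.
     *
     * @return string
     */
    function handleFrontEndForm() {
        // Check if the user has permission to publish the post.
        if ( ! current_user_can( 'publish_posts' ) ) {
            return '<p>Please Login to post links.</p>';
        }

        ob_start();
        if ( $this->isFormSubmitted() && $this->isNonceSet() ) {
            if ( $this->isFormValid() ) {
                $this->createPost();
            } else {
                $this->displayForm();
            }
        } else {
            $this->displayForm();
        }
        return ob_get_clean();
    }

    // This function displays the HTML form (the markup after ?> was lost
    // when this listing was extracted).
    public function displayForm() { ?>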
ID; // NOTE(review): the head of createPost() (signature and the current-user lookup that sets $currentuserid) was lost when this listing was extracted; only its tail is visible.
    //Get the details from the form which was posted
    // NOTE(review): the values come straight from $_POST with no sanitize_text_field()/kses of our own. The only filtering that happens is WordPress' own save-time filtering (KSES for users without unfiltered_html) -- confirm that is enough for your use case.
    $postTitle = $_POST['postTitle'];
    $contentOfPost = $_POST['postContent'] ;
    $postSatus = 'publish'; // 'pending' - in case you want to manually approve all posts
    //Create the post in WordPress
    // $_POST data is still slashed, which is the form wp_insert_post() expects (it unslashes internally); do not wp_unslash() here without re-slashing.
    $post_id = wp_insert_post( array( 'post_title' => $postTitle, 'post_content' => $contentOfPost, 'post_status' => $postSatus , 'post_author' => $currentuserid ));
    }
}
// Instantiate at plugin load so the hooks registered in the constructor are active.
$wpSubmitFromFEObj = new WPSubmitFromFront();


Hoffentlich reicht der Code aus, um die wichtigsten Punkte zu zeigen; bitte kommentieren Sie, wenn Sie weitere Fragen haben. Zum Hinweis aus der Frage: „Undefined variable: hasError“ bedeutet nur, dass `$hasError` in Zeile 106 gelesen wird, bevor es auf diesem Pfad jemals gesetzt wurde – initialisieren Sie es am Anfang der Validierungsmethode mit `$hasError = false;`. Die eigentlichen Schwächen des Originalcodes sind andere: Das Shortcode-Callback gibt per echo aus statt einen String zurückzugeben, die Verarbeitung läuft beim Rendern des Inhalts (also ohne Möglichkeit zum Redirect, sodass ein Reload das Formular erneut absendet), und die $_POST-Werte werden ohne eigene Bereinigung an wp_insert_post() übergeben. Der folgende Code behebt das:

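 <?php
/**
 * Front-end "new post" form.
 *
 * The shortcode renders the form; a template_redirect hook processes the
 * submission before any output is sent so that a redirect is possible.
 *
 * NOTE(review): the original listing lost its HTML markup in extraction. The
 * <p>/<a> wrappers and the form markup below are reconstructed from the field
 * names handleForm() reads (postTitle, location2, postContent, submitForm)
 * and from the surviving fragments (title input with esc_attr value, nonce
 * field); adjust the markup to taste.
 */
class WPSE_Submit_From_Front {

    const NONCE_VALUE = 'front_end_new_post';
    const NONCE_FIELD = 'fenp_nonce';

    /** Capability required both to see the form and to create the post. */
    const CAPABILITY = 'publish_posts';

    protected $pluginPath;
    protected $pluginUrl;

    /** @var string[] Validation/processing errors for the current request. */
    protected $errors = array();

    /** @var array Sanitized, unslashed submission; used to re-fill the form. */
    protected $data = array();

    function __construct() {
        $this->pluginPath = plugin_dir_path( __FILE__ );
        $this->pluginUrl  = plugins_url( '', __FILE__ );

        add_action( 'wp_enqueue_scripts', array( $this, 'addStyles' ) );
        add_shortcode( 'post_from_front', array( $this, 'shortcode' ) );

        // Listen for the form submit and process it before headers are sent,
        // so handleForm() can redirect.
        add_action( 'template_redirect', array( $this, 'handleForm' ) );
    }

    function addStyles() {
        wp_enqueue_style( 'submitform-style', "$this->pluginUrl/submitfromfront.css" );
    }

    /**
     * Shortcode callback. Shortcodes must *return* their output, never echo it.
     *
     * @return string
     */
    function shortcode() {
        if ( ! current_user_can( self::CAPABILITY ) ) {
            return sprintf(
                '<p><a href="%s">Please login to post links.</a></p>',
                esc_url( wp_login_url( get_permalink() ) )
            );
        }

        // Purely informational: "success" is a plain GET flag anyone can add
        // to the URL, so nothing sensitive may depend on it.
        if ( $this->isFormSuccess() ) {
            return '<p>Nice one, post created.</p>';
        }

        return $this->getForm();
    }

    /**
     * Validate and store the submitted form, then redirect on success.
     *
     * This runs on template_redirect for *every* request, so the capability
     * is re-checked here: the check in shortcode() only controls who sees the
     * form, not who can POST to the page.
     *
     * @return false|void false when nothing was submitted.
     */
    function handleForm() {
        if ( ! $this->isFormSubmitted() ) {
            return false;
        }

        // The write happens here, so the authorisation check belongs here too.
        if ( ! current_user_can( self::CAPABILITY ) ) {
            return;
        }

        // http://php.net/manual/en/function.filter-input-array.php
        $raw = filter_input_array( INPUT_POST, array(
            'postTitle'   => FILTER_DEFAULT,
            'location2'   => FILTER_DEFAULT,
            'postContent' => FILTER_DEFAULT,
        ) );

        $data = array();
        foreach ( array( 'postTitle', 'location2', 'postContent' ) as $field ) {
            // A missing field comes back as null and an array-valued one as
            // false; normalise both to '' so the checks below see a string.
            $value = ( isset( $raw[ $field ] ) && is_string( $raw[ $field ] ) ) ? $raw[ $field ] : '';
            $data[ $field ] = trim( wp_unslash( $value ) );
        }

        // Light sanitization of our own. The content is left as-is apart from
        // an encoding check: WordPress applies its own save-time filtering
        // (KSES for users without the unfiltered_html capability).
        $data['postTitle']   = sanitize_text_field( $data['postTitle'] );
        $data['location2']   = sanitize_text_field( $data['location2'] );
        $data['postContent'] = wp_check_invalid_utf8( $data['postContent'] );

        $this->data = $data;

        if ( ! $this->isNonceValid() ) {
            $this->errors[] = 'Security check failed, please try again.';
        }
        if ( '' === $data['postTitle'] ) {
            $this->errors[] = 'Please enter a title.';
        }
        if ( '' === $data['postContent'] ) {
            $this->errors[] = 'Please enter the content.';
        }

        if ( $this->errors ) {
            return;
        }

        // wp_insert_post() and add_post_meta() call wp_unslash() on their input
        // (they expect $_POST-style slashed data), so re-slash the cleaned
        // values or literal backslashes in the content would be lost.
        $post_id = wp_insert_post( array(
            'post_title'   => wp_slash( $data['postTitle'] ),
            'post_content' => wp_slash( $data['postContent'] ),
            'post_status'  => 'publish',
        ) );

        if ( ! $post_id ) {
            $this->errors[] = 'Whoops, please try again.';
            return;
        }

        add_post_meta( $post_id, 'location2', wp_slash( $data['location2'] ) );

        // Redirect so a browser refresh does not re-submit the form.
        // add_query_arg() with no base URL builds on the request URI, so use
        // wp_safe_redirect(), which refuses off-site targets.
        wp_safe_redirect( esc_url_raw( add_query_arg( 'success', 'true' ) ) );
        exit;
    }

    /**
     * Render the form. Output buffering turns the template into a string so
     * the shortcode can *return* it. Previously submitted values are re-filled
     * from $this->data when validation failed.
     *
     * @return string
     */
    function getForm() {
        $title    = isset( $this->data['postTitle'] ) ? $this->data['postTitle'] : '';
        $location = isset( $this->data['location2'] ) ? $this->data['location2'] : '';
        $content  = isset( $this->data['postContent'] ) ? $this->data['postContent'] : '';

        ob_start();
        ?>
        <form method="post">
            <?php foreach ( $this->errors as $error ) : ?>
                <p class="error"><?php echo esc_html( $error ); ?></p>
            <?php endforeach; ?>

            <p>
                <label for="postTitle">Title</label><br />
                <input type="text" name="postTitle" id="postTitle" value="<?php echo esc_attr( $title ); ?>" />
            </p>
            <p>
                <label for="location2">Location</label><br />
                <input type="text" name="location2" id="location2" value="<?php echo esc_attr( $location ); ?>" />
            </p>
            <p>
                <label for="postContent">Content</label><br />
                <textarea name="postContent" id="postContent" rows="10"><?php echo esc_textarea( $content ); ?></textarea>
            </p>

            <?php wp_nonce_field( self::NONCE_VALUE, self::NONCE_FIELD ); ?>
            <p><input type="submit" name="submitForm" value="Submit" /></p>
        </form>
        <?php
        return ob_get_clean();
    }

    /**
     * Has the form been submitted? Keyed on the submit button's name.
     *
     * @return bool
     */
    function isFormSubmitted() {
        return isset( $_POST['submitForm'] );
    }

    /**
     * Did the previous request redirect here after a successful insert?
     *
     * @return bool
     */
    function isFormSuccess() {
        return filter_input( INPUT_GET, 'success' ) === 'true';
    }

    /**
     * Is the CSRF nonce emitted by wp_nonce_field() in getForm() valid?
     * A non-string value (e.g. fenp_nonce[]) is rejected outright.
     *
     * @return bool
     */
    function isNonceValid() {
        return isset( $_POST[ self::NONCE_FIELD ] )
            && is_string( $_POST[ self::NONCE_FIELD ] )
            && wp_verify_nonce( $_POST[ self::NONCE_FIELD ], self::NONCE_VALUE );
    }
}

new WPSE_Submit_From_Front;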