0

What's the correct way to do this? Right now I have these two functions in different PHP files, but I want everything in the main WordPress plugin file.

<form action="plugin-path/plugin.php->writepost()" method="get"> or <form action="plugin-path/plugin.php->scandir()" method="get">

The bad part about having these functions in different php files is that when somebody finds out the URL of the php with the writing function, with the right HTTP GET variables he can write posts on my site without authenticating at all!

2 Answers

0

Creating a function:

function functionName() {
    //Stuff that this function should do
}

Calling a function:

functionName();

You can place parameters into the parentheses, but from what I understand, your usage does not require it.

Also a note on the 'get' method. Only use this for things that don't pose a security risk. Use 'post' as the method instead, so that the data is not visible on the URL. I suggest you read up on the difference between get and post, and adjust accordingly to keep your pages secure.

Hiigaran
  • I meant I don't know how to call that function from an HTML form. As far as I know you can only run a whole PHP script from an HTML form through action="phpfilehere" – user3266328 Feb 18 '14 at 23:08
  • Hmm. Just woke up, so off the top of my head, if you use the post method, you can use something like $_GET["inputName"]; and that would get the value submitted in your form by the input with the name attribute of inputName. From there, you can do an if/then check for expected values. So if $_GET["inputName"]; has a value of 1, then call functionName(), else die('Error'). Or something like that. Hopefully you get the idea. – Hiigaran Feb 19 '14 at 07:09
  • Yup, that's what I ended up doing in the end! – user3266328 Feb 24 '14 at 14:35
0

Try this in your different php files to prevent direct access. Then just include the files in your main.php file.

Marcel
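
An added example, not code from either answer or from the asker's plugin: one way to keep everything in the main plugin file, with the form posting to WordPress's own `admin-post.php` and the handler selected by a hidden `action` field, which is the dispatch-on-a-form-value idea from the comments above. The `example_*` names, the shortcode and the `edit_posts` capability are assumptions, and the `ABSPATH` check is one common direct-access guard, not necessarily the snippet the second answer refers to.

```php
<?php
/* Plugin Name: Example Form Handler (constructed for illustration) */

// Direct-access guard: ABSPATH exists only when WordPress loaded this file.
defined('ABSPATH') || exit;

// Hypothetical shortcode that renders the form. It posts to core's
// admin-post.php, so no plugin file is ever requested directly.
add_shortcode('example_write_form', function () {
    if (!current_user_can('edit_posts')) {
        return '';
    }
    ob_start(); ?>
    <form action="<?php echo esc_url(admin_url('admin-post.php')); ?>" method="post">
        <input type="hidden" name="action" value="example_writepost">
        <?php wp_nonce_field('example_writepost', 'example_nonce'); ?>
        <input type="text" name="example_title" required>
        <textarea name="example_body"></textarea>
        <button type="submit">Write post</button>
    </form>
    <?php return ob_get_clean();
});

// admin_post_{action} fires only for logged-in users. No admin_post_nopriv_
// hook is registered, so anonymous requests never reach the handler.
add_action('admin_post_example_writepost', 'example_writepost');

function example_writepost() {
    // Dies unless the request carries the nonce issued with the form (CSRF check).
    check_admin_referer('example_writepost', 'example_nonce');
    // Being logged in is not enough: require the capability to write posts.
    if (!current_user_can('edit_posts')) {
        wp_die('Not allowed', '', ['response' => 403]);
    }
    // $_POST arrives slashed in WordPress; wp_insert_post() unslashes it,
    // and wp_filter_post_kses() expects slashed input.
    $body = $_POST['example_body'] ?? '';
    $post_id = wp_insert_post([
        'post_title'   => sanitize_text_field($_POST['example_title'] ?? ''),
        'post_content' => is_string($body) ? wp_filter_post_kses($body) : '',
        'post_status'  => 'draft',
    ], true);
    if (is_wp_error($post_id)) {
        wp_die(esc_html($post_id->get_error_message()), '', ['response' => 500]);
    }
    wp_safe_redirect(wp_get_referer() ?: home_url('/'));
    exit;
}
```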