Phpscaffold and the wpdb class

Phpscaffold generates code that can almost be used as-is, but a few lines must be corrected. First, wpdb must be made global. Second, the wpdb class is used to execute the SQL query:

<?php
global $wpdb; // fetches the class
// include('config.php'); - this line is deleted, it is not necessary

if (isset($_POST['submitted'])) {
    foreach ($_POST AS $key => $value) { $_POST[$key] = mysql_real_escape_string($value); }
    $sql = "INSERT INTO `KbnLog` ( `Id` , `Date` , `KbnProjects_Id` , `KbnNotes_Id` , `KbnStates_Id` ) VALUES( '{$_POST['Id']}' , '{$_POST['Date']}' , '{$_POST['KbnProjects_Id']}' , '{$_POST['KbnNotes_Id']}' , '{$_POST['KbnStates_Id']}' ); ";

    // the line below must be changed to use the wpdb class
    // see this guide: http://codex.wordpress.org/Class_Reference/wpdb
    // mysql_query($sql) or die(mysql_error());
    // security: use wp prepare
    // echo $sql; // sanitize with prepare if needed
    $wpdb->query($sql); // query

    //echo "Added row.<br />";
    //echo "<a href='log-list.php'>Back To Listing</a>";
}
?>

<form action='' method='POST'>
<p><b>Id:</b><br /><input type='text' name='Id'/>
<p><b>Date:</b><br /><input type='text' name='Date'/>
<p><b>KbnProjects Id:</b><br /><input type='text' name='KbnProjects_Id'/>
<p><b>KbnNotes Id:</b><br /><input type='text' name='KbnNotes_Id'/>
<p><b>KbnStates Id:</b><br /><input type='text' name='KbnStates_Id'/>
<p><input type='submit' value='Add Row' /><input type='hidden' value='1' name='submitted' />
</form>

Phpscaffold's source code could probably be edited fairly easily to "compile" WordPress-ready code, but that is another project.

The above code does not protect against SQL injection attempts. Better protection is obtained with prepare. Note that prepare only escapes values that are handed to it as arguments for %d/%s placeholders; calling prepare on a string into which the values have already been interpolated gives no protection. The wpdb line should look like this:

$wpdb->query($wpdb->prepare("INSERT INTO `KbnLog` ( `Id` , `Date` , `KbnProjects_Id` , `KbnNotes_Id` , `KbnStates_Id` ) VALUES ( %d , %s , %d , %d , %d )", $_POST['Id'], $_POST['Date'], $_POST['KbnProjects_Id'], $_POST['KbnNotes_Id'], $_POST['KbnStates_Id']));

The cleaned code then looks like this:

<?php
global $wpdb; // fetches the class

if (isset($_POST['submitted'])) {
    // prepare() escapes the values itself, so the mysql_real_escape_string() loop is no longer needed
    $sql = $wpdb->prepare(
        "INSERT INTO `KbnLog` ( `Id` , `Date` , `KbnProjects_Id` , `KbnNotes_Id` , `KbnStates_Id` ) VALUES ( %d , %s , %d , %d , %d )",
        $_POST['Id'], $_POST['Date'], $_POST['KbnProjects_Id'], $_POST['KbnNotes_Id'], $_POST['KbnStates_Id']
    );

    $wpdb->query($sql); // Query

    echo "Added row.<br />";
}
?>

<form action='' method='POST'> 
<p><b>Id:</b><br /><input type='text' name='Id'/> 
<p><b>Date:</b><br /><input type='text' name='Date'/> 
<p><b>KbnProjects Id:</b><br /><input type='text' name='KbnProjects_Id'/> 
<p><b>KbnNotes Id:</b><br /><input type='text' name='KbnNotes_Id'/> 
<p><b>KbnStates Id:</b><br /><input type='text' name='KbnStates_Id'/> 
<p><input type='submit' value='Add Row' /><input type='hidden' value='1' name='submitted' /> 
</form>
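As an added example (not code from the post or from Phpscaffold), here is the same KbnLog insert written so that prepare() actually does the escaping, with $wpdb->insert() shown as an alternative that needs no SQL string at all. It assumes the code runs inside WordPress (so $wpdb, absint(), sanitize_text_field() and esc_html() are available) and uses the table and form field names from the post.

```php
<?php
// Added example, not code from the post or from Phpscaffold. Assumes it runs
// inside WordPress, so $wpdb, absint() and sanitize_text_field() exist, and
// that the KbnLog table and form field names are those from the post.
global $wpdb;

// Builds (but does not run) the INSERT, so the effect of prepare() is visible.
function kbnlog_build_insert_sql( array $post ) {
    global $wpdb;
    // WRONG would be: interpolate the values into the string first and then call
    // prepare() on it; with no placeholders there is nothing for prepare() to escape.
    // RIGHT: placeholders in the query, raw values as separate arguments.
    // %d is cast to an integer; %s is escaped and quoted by prepare() itself.
    return $wpdb->prepare(
        "INSERT INTO `KbnLog` (`Id`, `Date`, `KbnProjects_Id`, `KbnNotes_Id`, `KbnStates_Id`)
         VALUES (%d, %s, %d, %d, %d)",
        absint( $post['Id'] ),
        sanitize_text_field( $post['Date'] ),
        absint( $post['KbnProjects_Id'] ),
        absint( $post['KbnNotes_Id'] ),
        absint( $post['KbnStates_Id'] )
    );
}

// Equivalent without writing any SQL: $wpdb->insert() builds the statement and
// applies the per-column formats itself, so the values never touch the query text.
function kbnlog_insert_row( array $post ) {
    global $wpdb;
    return $wpdb->insert(
        'KbnLog',
        array(
            'Id'             => absint( $post['Id'] ),
            'Date'           => sanitize_text_field( $post['Date'] ),
            'KbnProjects_Id' => absint( $post['KbnProjects_Id'] ),
            'KbnNotes_Id'    => absint( $post['KbnNotes_Id'] ),
            'KbnStates_Id'   => absint( $post['KbnStates_Id'] ),
        ),
        array( '%d', '%s', '%d', '%d', '%d' )
    ); // number of rows inserted, or false on error
}

if ( isset( $_POST['submitted'] ) ) {
    if ( kbnlog_insert_row( $_POST ) !== false ) {
        echo 'Added row.<br />';
    } else {
        echo 'Insert failed: ' . esc_html( $wpdb->last_error ) . '<br />';
    }
}
```

With %d, a non-numeric Id such as a string containing a quote is cast to 0 rather than terminating the SQL literal early, which is the whole difference between the two prepare() calls.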

Instead of correcting the global line in every file, one can keep include('config.php'); and create a PHP file with this content:

<?php global $wpdb; ?>

Published by

Per Thykjaer Jensen

I am a Senior Lecturer in front- and backend web programming at the Multimedia Design and Communication Programme at Business Academy Aarhus.

I speak several languages: PHP, Python, MySQL, JavaScript, Nodejs, HTML, CSS, and … Danish.

Background: MA it, interaction and multimedia – MA Literature history – BA Art History.