<? global $wpdb; // henter klassen if (isset($_POST['submitted'])) { foreach($_POST AS $key => $value) { $_POST[$key] = mysql_real_escape_string($value); } $sql = "INSERT INTO `KbnLog` ( `Id` , `Date` , `KbnProjects_Id` , `KbnNotes_Id` , `KbnStates_Id` ) VALUES( '{$_POST['Id']}' , '{$_POST['Date']}' , '{$_POST['KbnProjects_Id']}' , '{$_POST['KbnNotes_Id']}' , '{$_POST['KbnStates_Id']}' ); "; // mysql_query($sql) or die(mysql_error()); $wpdb->query($wpdb->prepare($sql)); // Query echo "Added row.<br />"; } ?> <form action='' method='POST'> <p><b>Id:</b><br /><input type='text' name='Id'/> <p><b>Date:</b><br /><input type='text' name='Date'/> <p><b>KbnProjects Id:</b><br /><input type='text' name='KbnProjects_Id'/> <p><b>KbnNotes Id:</b><br /><input type='text' name='KbnNotes_Id'/> <p><b>KbnStates Id:</b><br /><input type='text' name='KbnStates_Id'/> <p><input type='submit' value='Add Row' /><input type='hidden' value='1' name='submitted' /> </form>
Phpscaffold genererer en kode, der næsten kan anvendes; men et par linjer skal rettes. For det føste skal wpdb gøres global. For det andet anvendes wpdb-klassen til at udføre en SQL query:
<? global $wpdb; // henter klassen // include('config.php'); - denne linje slettes er ikke noedvendig if (isset($_POST['submitted'])) { foreach($_POST AS $key => $value) { $_POST[$key] = mysql_real_escape_string($value); } $sql = "INSERT INTO `KbnLog` ( `Id` , `Date` , `KbnProjects_Id` , `KbnNotes_Id` , `KbnStates_Id` ) VALUES( '{$_POST['Id']}' , '{$_POST['Date']}' , '{$_POST['KbnProjects_Id']}' , '{$_POST['KbnNotes_Id']}' , '{$_POST['KbnStates_Id']}' ); "; // linjen herunder skal aendres til en wpdb klasse // se denne vejledning http://codex.wordpress.org/Class_Reference/wpdb // mysql_query($sql) or die(mysql_error()); // sikkerhed: brug wp prepare // echo $sql; // rens evt. m. prepare $wpdb->query($sql); // query //echo "Added row.<br />"; //echo "<a href='log-list.php'>Back To Listing</a>"; } ?> <form action='' method='POST'> <p><b>Id:</b><br /><input type='text' name='Id'/> <p><b>Date:</b><br /><input type='text' name='Date'/> <p><b>KbnProjects Id:</b><br /><input type='text' name='KbnProjects_Id'/> <p><b>KbnNotes Id:</b><br /><input type='text' name='KbnNotes_Id'/> <p><b>KbnStates Id:</b><br /><input type='text' name='KbnStates_Id'/> <p><input type='submit' value='Add Row' /><input type='hidden' value='1' name='submitted' /> </form>
Phpscaffolds kildekode burde relativt enkelt kunne redigeres til at “kompilere” en WordPress egnet kode; men det et andet projekt.
Ovenstående kode beskytter ikke mod forsøg på SQL-indsprøjtninger. Ved hjælp af prepare opnås en bedre beskyttelse. Wpdblinjen skal se sådan ud:
$wpdb->query($wpdb->prepare($sql));
Den rensede kode ser herefter sådan ud:
<? global $wpdb; // henter klassen if (isset($_POST['submitted'])) { foreach($_POST AS $key => $value) { $_POST[$key] = mysql_real_escape_string($value); } $sql = "INSERT INTO `KbnLog` ( `Id` , `Date` , `KbnProjects_Id` , `KbnNotes_Id` , `KbnStates_Id` ) VALUES( '{$_POST['Id']}' , '{$_POST['Date']}' , '{$_POST['KbnProjects_Id']}' , '{$_POST['KbnNotes_Id']}' , '{$_POST['KbnStates_Id']}' ); "; $wpdb->query($wpdb->prepare($sql)); // Query echo "Added row.<br />"; } ?> <form action='' method='POST'> <p><b>Id:</b><br /><input type='text' name='Id'/> <p><b>Date:</b><br /><input type='text' name='Date'/> <p><b>KbnProjects Id:</b><br /><input type='text' name='KbnProjects_Id'/> <p><b>KbnNotes Id:</b><br /><input type='text' name='KbnNotes_Id'/> <p><b>KbnStates Id:</b><br /><input type='text' name='KbnStates_Id'/> <p><input type='submit' value='Add Row' /><input type='hidden' value='1' name='submitted' /> </form>
I stedet for at rette global-linjen i alle filerne kan man bevare include(‘config.php’); – og lave en phpfil med dette indhold:
<?php global $wpdb; ?>