
Changeset 1315212


Timestamp:
12/23/2015 05:53:54 PM (10 years ago)
Author:
froman118
Message:

Added nonce for CSRF protection and compliance

File:
1 edited

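--- a/my-page-order/trunk/mypageorder.php
+++ b/my-page-order/trunk/mypageorder.php
@@ -4,5 +4,5 @@
 Plugin URI: http://www.geekyweekly.com/mypageorder
 Description: My Page Order allows you to set the order of pages through a drag and drop interface. The default method of setting the order page by page is extremely clumsy, especially with a large number of pages.
-Version: 4.3
+Version: 4.3.2
 Author: Andrew Charlton
 Author URI: http://www.geekyweekly.com
@@ -44,20 +44,26 @@
 global $wpdb;
 $parentID = 0;
-
-if (isset($_POST['btnSubPages'])) {
+$success = "";
+
+if (isset($_POST)) {
+    if ( ! isset( $_POST['_nonce_my_page_order'] ) || ! wp_verify_nonce( $_POST['_nonce_my_page_order'], 'update' )  ) {
+     // exit;
+    }
+   
+    if (isset($_POST['btnSubPages'])) {
     $parentID = $_POST['pages'];
-}
-elseif (isset($_POST['hdnParentID'])) {
-    $parentID = $_POST['hdnParentID'];
-}
-
-if (isset($_POST['btnReturnParent'])) {
-    $parentsParent = $wpdb->get_row( $wpdb->prepare("SELECT post_parent FROM $wpdb->posts WHERE ID = %d ", $_POST['hdnParentID'] ), ARRAY_N);
-    $parentID = $parentsParent[0];
-}
-
-$success = "";
-if (isset($_POST['btnOrderPages'])) {
-    $success = mypageorder_updateOrder();
+    }
+    elseif (isset($_POST['hdnParentID'])) {
+        $parentID = $_POST['hdnParentID'];
+    }
+
+    if (isset($_POST['btnReturnParent'])) {
+        $parentsParent = $wpdb->get_row( $wpdb->prepare("SELECT post_parent FROM $wpdb->posts WHERE ID = %d ", $_POST['hdnParentID'] ), ARRAY_N);
+        $parentID = $parentsParent[0];
+    }
+
+    if (isset($_POST['btnOrderPages'])) {
+        $success = mypageorder_updateOrder();
+    }
 }
 
@@ -104,4 +110,5 @@
     <input type="hidden" id="hdnMyPageOrder" name="hdnMyPageOrder" />
     <input type="hidden" id="hdnParentID" name="hdnParentID" value="<?php echo $parentID; ?>" />
+    <?php wp_nonce_field('update', '_nonce_my_page_order' ); ?>
 </form>
 </div>
@@ -444,8 +451,6 @@
             <small><?php _e( 'Number of pages to skip.', 'mypageorder' ); ?></small>
         </p>
-       
 <?php
     }
-
 }
 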
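Review bot: The nonce check added at the top of the second hunk never rejects anything, because the only statement in its failure branch is the commented-out `// exit;`, so a forged POST still reaches the `$_POST['pages']`/`$_POST['hdnParentID']` assignments and `mypageorder_updateOrder()` exactly as before this commit. `isset($_POST)` is also always true for a superglobal, so once the exit is restored every plain GET of the page would be aborted for lacking a nonce; guard on an actual submission and let WordPress abort instead, e.g. `if ( ! empty( $_POST ) ) {` followed by `check_admin_referer( 'update', '_nonce_my_page_order' );` (which calls `wp_die()` on failure). Since `$parentID` is later echoed unescaped into the `hdnParentID` hidden input in the third hunk, casting on assignment — `$parentID = (int) $_POST['pages'];` and the same for `hdnParentID` — would also keep an attacker-supplied value out of the markup. The enclosing function starts before this hunk, so I cannot see whether a capability check precedes it; worth confirming.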