
Changeset 2781900


Timestamp:
09/08/2022 11:21:27 AM (4 years ago)
Author:
brainvireinfo
Message:

Apply nonce in all actions

Location:
wp-users-disable/trunk
Files:
3 edited

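--- a/wp-users-disable/trunk/admin-option.php
+++ b/wp-users-disable/trunk/admin-option.php
@@ -47,5 +47,5 @@
 
         $nonce = wp_create_nonce( 'disable_user_nonce' );
-        echo '<a class=" button-primary" data-nonce="'.$nonce.'"  id="' . esc_attr( $value['id'] ) . '"  style="float: left; margin: 75px 0px 0px;" />Disableuser</a><br/>';
+        echo wp_kses_post( '<a class=" button-primary" data-nonce="' . $nonce . '"  id="' . esc_attr( $value['id'] ) . '"  style="float: left; margin: 75px 0px 0px;" />Disableuser</a><br/>' );
 
     }
@@ -152,10 +152,9 @@
         if ( count( $getresult ) > 0 ) {
             foreach ( $getresult as $result ) {
-
-                             $output .= "<tr id='userid" . $result->id . "'>";
-
-                                      $output .= '<td>' . $result->id . '</td>';
-                                      $output .= '<td>' . $result->useremail . '</td>';
-                                      $output .= "<td><a href='javascript:void(0)' id=" . $result->id . '>Enable User</a></td>';
+                            $nonce = wp_create_nonce( 'enable_user_nonce' );
+                            $output .= "<tr id='userid" . $result->id . "'>";
+                            $output .= '<td>' . $result->id . '</td>';
+                            $output .= '<td>' . $result->useremail . '</td>';
+                            $output .= "<td><a href='javascript:void(0)' data-enb-nonce=" . $nonce . ' id=' . $result->id . '>Enable User</a></td>';
 
                             $output .= '</tr>';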
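Review bot: The rewritten row markup on new lines 155–158 still concatenates `$result->id`, `$result->useremail` and the nonce into HTML without escaping, and the anchor's `data-enb-nonce` and `id` attribute values are unquoted, so a value containing whitespace or a quote breaks out of the attribute. These values come back out of the plugin's own table rather than straight from the request, but the output path should not depend on what was sanitized at insert time. Quote and escape at the point of output: `$output .= '<td>' . esc_html( $result->useremail ) . '</td>';` and `$output .= '<td><a href="javascript:void(0)" data-enb-nonce="' . esc_attr( $nonce ) . '" id="' . esc_attr( $result->id ) . '">Enable User</a></td>';`. As a style point, `wp_create_nonce( 'enable_user_nonce' )` returns the same token for every row within one request, so the call on line 154 can be hoisted above the `foreach`. The enclosing function starts outside the hunk, so if `$output` is escaped where it is printed, a one-line comment at the top of the loop saying so would save the next reader the check.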
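--- a/wp-users-disable/trunk/ajax.js
+++ b/wp-users-disable/trunk/ajax.js
@@ -95,4 +95,5 @@
                         data: {
                             action: 'dwul_enable_user_email',
+                            nonce_data: jQuery(this).data('enb-nonce'),
                             activateuserid: acivateid
                         },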
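Review bot: The added `nonce_data: jQuery(this).data('enb-nonce')` only works if `this` is still the clicked anchor when the `$.ajax` options object is evaluated; the click handler that sets `acivateid` starts outside the hunk, so that cannot be confirmed from here. Reading the nonce into a local next to `acivateid` at the top of the handler removes the dependence on `this`, e.g. `var enableNonce = jQuery(this).attr('data-enb-nonce');` followed by `nonce_data: enableNonce,` here. For a token, prefer `.attr('data-enb-nonce')` over `.data('enb-nonce')`: `.data()` type-converts and caches values, while `.attr()` returns the raw attribute string exactly as the server rendered it.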
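--- a/wp-users-disable/trunk/custom-ajax.php
+++ b/wp-users-disable/trunk/custom-ajax.php
@@ -32,13 +32,14 @@
         global $wpdb;
         global $disableemail;
-        if ( !wp_verify_nonce($_REQUEST['nonce_data'], 'disable_user_nonce') ){
-            $successresponse = '90';
-            echo esc_html( $successresponse );
+        $disable_nonce = isset( $_REQUEST['nonce_data'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['nonce_data'] ) ) : '';
+        if ( ! wp_verify_nonce( $disable_nonce, 'disable_user_nonce' ) ) {
+            $successresponse = '90';
+            echo esc_html( $successresponse );
             die();
-        }
+        }
         $exitingarray = array();
         $disableemail = isset( $_REQUEST['useremail'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['useremail'] ) ) : '';
-        $table_name = $wpdb->prefix . dwul_disable_user_email;
-        $exitingusertbl = $wpdb->prefix . users;
+        $table_name = $wpdb->prefix . "dwul_disable_user_email";
+        $exitingusertbl = $wpdb->prefix . "users";
         $exitinguserquery = "SELECT user_email FROM $exitingusertbl";
         $getexiting = $wpdb->get_col( $exitinguserquery );
@@ -87,5 +88,5 @@
         global $wpdb;
         $array = array();
-        $usertable = $wpdb->prefix . dwul_disable_user_email;
+        $usertable = $wpdb->prefix . "dwul_disable_user_email";
 
         if ( ! $user ) {
@@ -134,5 +135,11 @@
 
         global $wpdb;
-        $tblname = $wpdb->prefix . dwul_disable_user_email;
+        $enable_nonce = isset( $_REQUEST['nonce_data'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['nonce_data'] ) ) : '';
+        if ( ! wp_verify_nonce( $enable_nonce, 'enable_user_nonce' ) ) {
+            $successresponse = '90';
+            echo esc_html( $successresponse );
+            die();
+        }
+        $tblname = $wpdb->prefix . "dwul_disable_user_email";
         $activateuserid = isset( $_REQUEST['activateuserid'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['activateuserid'] ) ) : '';
         $delquery = $wpdb->query( $wpdb->prepare( "DELETE FROM $tblname WHERE id = %d", $activateuserid ) );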
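Review bot: The nonce check added at new lines 34–39 (and the same pattern at 137–142 in the enable handler) proves the request came from a page that rendered the token, but neither handler shows an authorization check, so the nonce alone does not establish that the caller is allowed to disable or re-enable accounts. Pair each nonce check with a capability check, e.g. `if ( ! current_user_can( 'edit_users' ) ) { wp_send_json_error( '90', 403 ); }`, choosing the capability the plugin's settings page is itself gated on. Both enclosing functions start outside the hunk, so the action registration and any earlier capability check are not visible here; if one exists, a one-line comment above the nonce check pointing to it would make that clear. As a style point, `check_ajax_referer( 'disable_user_nonce', 'nonce_data' )` performs the isset, unslash and verify steps in one call, but it dies with `-1` rather than the `'90'` the JS expects, so keep the custom branch unless the client is updated alongside it.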