Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3198788

Timestamp:

11/28/2024 11:19:26 AM (16 months ago)

Author:

rachanaS

Message:

Security updates

Location:

sponsered-link/trunk

Files:

: 2 edited

readme.txt (modified) (1 diff)
sponserlink.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

sponsered-link/trunk/readme.txt

-                      r3187176
+                      r3198788
 Tags: sponser link
 Requires at least: 3.0.1
+Requires at least: 4.7
 Tested up to: 6.6.2
+Tested up to: 6.7.1
 Stable tag: 6.0

sponsered-link/trunk/sponserlink.php

-                      r3187176
+                      r3198788
 add_shortcode( 'SponseredLink', 'show_sponser_fornt' );
 /*Add custom url*/
+/* Add custom URL */
 add_action('wp_ajax_add_sponser', 'process_add_sponser');
 function process_add_sponser() {
+        if ( empty($_POST) || !wp_verify_nonce($_POST['add-sponser-url'],'add_sponser') ) {
+            echo 'You targeted the right function, but sorry, your nonce did not verify.';
+            die();
+        } else {
+                global $wpdb;
+                $table_name = $wpdb->prefix."sponser_link";
+                $title    =  sanitize_text_field($_REQUEST['title']);
+                $link     =  sanitize_text_field($_REQUEST['link']);
+                $created  =  time();
+                $publish  =  sanitize_text_field($_REQUEST['publish']);
+                $target  =  sanitize_text_field($_REQUEST['target']);
+                $upload     = wp_upload_bits($_FILES["image"]["name"], null, wp_remote_get($_FILES["image"]["tmp_name"]));
+                $wpdb->insert(
+                    $table_name,
+                    array(
+                        'title'    => $title,
+                        'link'     => $link,
+                        'created'  => $created,
+                        'publish'  => $publish,
+                        'target'  => $target,
+                        'image'      => $upload['url']
+                    ),
+                    array(
+                        '%s',
+                        '%s',
+                        '%s',
+                        '%s',
+                        '%s',
+                        '%s'
+                    )
+                );
+                $displayUrl = $_SERVER['HTTP_REFERER'].'&addmsg=Added Successfully';
+                echo "<script type='text/javascript'>location.href = '" . esc_url($displayUrl). "';</script>";
+                die(0);
+    }
+}
+/*Edit custom url*/
+    // Verify nonce for security
+    if ( empty($_POST) || !wp_verify_nonce($_POST['add-sponser-url'],'add_sponser') ) {
+        echo 'You targeted the right function, but sorry, your nonce did not verify.';
+        die();
+    } else {
+        global $wpdb;
+        $table_name = $wpdb->prefix . "sponser_link";
+        // Validation: Ensure title and link are non-empty and correct format
+        $title = isset($_REQUEST['title']) ? sanitize_text_field($_REQUEST['title']) : ''; // sanitize text field for title
+        $link = isset($_REQUEST['link']) ? esc_url_raw($_REQUEST['link']) : '';
+        $publish = isset($_REQUEST['publish']) ? sanitize_text_field($_REQUEST['publish']) : '';
+        $target = isset($_REQUEST['target']) ? sanitize_text_field($_REQUEST['target']) : '';
+        // Basic validation: Check if the title is too short or contains non-text characters
+        if (strlen($title) < 5) {
+            echo 'Title is too short, must be at least 5 characters.';
+            die();
+        }
+        // Regex to allow only letters and spaces (no numbers, no special characters)
+        if (!preg_match('/^[a-zA-Z0-9\s]+$/', $title)) {
+            echo 'Title contains invalid characters. Only letters and spaces are allowed.';
+            die();
+        }
+        // Handle file upload and validate the image file
+        if ($_FILES["image"]["name"] != '') {
+            // Validate image type (e.g., JPG, PNG, GIF)
+            $allowed_types = array('image/jpeg', 'image/png', 'image/gif');
+            $file_type = mime_content_type($_FILES["image"]["tmp_name"]);
+            if (!in_array($file_type, $allowed_types)) {
+                echo 'Invalid image type. Only JPG, PNG, or GIF allowed.';
+                die();
+            }
+            // Sanitize the file name to prevent issues
+            $filename = sanitize_file_name($_FILES["image"]["name"]);
+            // Get the temporary file path
+            $tmp_name = $_FILES["image"]["tmp_name"];
+            $upload_overrides = array( 'test_form' => false );
+            // Handle the upload
+            if ($_FILES["image"]["error"] === UPLOAD_ERR_OK) {
+                // Create the uploaded file array
+                $uploadedfile = array(
+                    'name'     => $filename,
+                    'type'     => $_FILES["image"]["type"],
+                    'tmp_name' => $tmp_name,
+                    'error'    => $_FILES["image"]["error"],
+                    'size'     => $_FILES["image"]["size"]
+                );
+                // Upload the file
+                $upload = wp_handle_upload($uploadedfile, $upload_overrides);
+                // Check if the upload was successful
+                if ($upload && !isset($upload['error'])) {
+                    //echo esc_html("File uploaded successfully!");
+                    //print_r($upload); // This will show the file path, URL, and other details
+                    //echo esc_url($upload['url']);
+                } else {
+                    echo esc_html("Upload failed.");
+                    // Display specific upload error, safely escaped
+                    echo esc_html("Error: " . $upload['error']);
+                }
+            } else {
+                echo esc_html("Error uploading file: " . $_FILES["image"]["error"]);
+            }
+            // Proceed with uploading the image
+            //$upload = wp_upload_bits($_FILES["image"]["name"], null, file_get_contents($_FILES["image"]["tmp_name"]));
+        } else {
+            $upload['url'] = sanitize_text_field($_REQUEST['image_hidden']);
+        }
+        // Insert into the database
+        $wpdb->insert(
+            $table_name,
+            array(
+                'title' => sanitize_text_field($title), // Ensure title is sanitized properly
+                'link' => esc_url_raw($link),
+                'created' => time(),
+                'publish' => sanitize_text_field($publish),
+                'target' => sanitize_text_field($target),
+                'image' => esc_url_raw($upload['url'])
+            ),
+            array('%s', '%s', '%d', '%s', '%s', '%s')
+        );
+        // Redirect with success message
+        $displayUrl = $_SERVER['HTTP_REFERER'] . '&addmsg=Added Successfully';
+        echo "<script type='text/javascript'>location.href = '" . esc_url($displayUrl) . "';</script>";
+        die(0);
+    }
+}
+/* Edit custom URL */
 add_action('wp_ajax_edit_sponser', 'process_edit_sponser');
+function process_edit_sponser(){
+        if ( empty($_POST) || !wp_verify_nonce($_POST['edit-sponser-url'],'edit_sponser') ) {
+            echo 'You targeted the right function, but sorry, your nonce did not verify.';
+            die();
+        } else {
+            global $wpdb;
+            $table_name = $wpdb->prefix."sponser_link";
+            $title      = sanitize_text_field($_REQUEST['title']);
+            $link       = sanitize_text_field($_REQUEST['link']);
+            $publish    = sanitize_text_field($_REQUEST['publish']);
+            $target  =  sanitize_text_field($_REQUEST['target']);
+            if($_FILES["image"]["name"] == ''){
+                $upload['url']     =sanitize_text_field($_REQUEST['image_hidden']);
+            }
+            else{
+                $upload     = wp_upload_bits($_FILES["image"]["name"], null, wp_remote_get($_FILES["image"]["tmp_name"]));
+function process_edit_sponser() {
+    // Verify nonce for security
+    if ( empty($_POST) || !wp_verify_nonce($_POST['edit-sponser-url'],'edit_sponser') ) {
+        echo 'You targeted the right function, but sorry, your nonce did not verify.';
+        die();
+    } else {
+        global $wpdb;
+        $table_name = $wpdb->prefix . "sponser_link";
+        // Validation: Ensure title and link are non-empty and correct format
+        $title = isset($_REQUEST['title']) ? sanitize_text_field($_REQUEST['title']) : ''; // sanitize text field for title
+        $link = isset($_REQUEST['link']) ? esc_url_raw($_REQUEST['link']) : '';
+        $publish = isset($_REQUEST['publish']) ? sanitize_text_field($_REQUEST['publish']) : '';
+        $target = isset($_REQUEST['target']) ? sanitize_text_field($_REQUEST['target']) : '';
+        // Basic validation: Check if the title is too short or contains non-text characters
+        if (strlen($title) < 5) {
+            echo 'Title is too short, must be at least 5 characters.';
+            die();
+        }
+        // Regex to allow only letters and spaces (no numbers, no special characters)
+        if (!preg_match('/^[a-zA-Z0-9\s]+$/', $title)) {
+            echo 'Title contains invalid characters. Only letters and spaces are allowed.';
+            die();
+        }
+        // Handle file upload and validate the image file
+        if ($_FILES["image"]["name"] == '') {
+            $upload['url'] = sanitize_text_field($_REQUEST['image_hidden']);
+        } else {
+            // Validate image type (e.g., JPG, PNG, GIF)
+            $allowed_types = array('image/jpeg', 'image/png', 'image/gif');
+            $file_type = mime_content_type($_FILES["image"]["tmp_name"]);
+            if (!in_array($file_type, $allowed_types)) {
+                echo 'Invalid image type. Only JPG, PNG, or GIF allowed.';
+                die();
+            }
+            $id         =  sanitize_text_field($_REQUEST['id']);
+            $wpdb->update(
+                $table_name,
+                array(
+                    'title'    => $title,
+                    'link'     => $link,
+                    'publish'  => $publish,
+                    'target'  => $target,
+                    'image'      => $upload['url']
+                ),
+                array( 'id' =>  $id ),
+                array(
+                    '%s',
+                    '%s',
+                    '%s',
+                    '%s',
+                    '%s'
+                ),
+                array( '%d' )
+            );
+            $displayUrl2 = $_SERVER['HTTP_REFERER'];
+            $Location22 = explode('&', $displayUrl2);
+            echo "<script type='text/javascript'>location.href = '" . esc_url($Location22[0]).'&editmsg=Update Successfully'. "';</script>";
+            die(0);
+    }
+}
+            // Sanitize the file name to prevent issues
+            $filename = sanitize_file_name($_FILES["image"]["name"]);
+            // Get the temporary file path
+            $tmp_name = $_FILES["image"]["tmp_name"];
+            $upload_overrides = array( 'test_form' => false );
+            // Handle the upload
+            if ($_FILES["image"]["error"] === UPLOAD_ERR_OK) {
+                // Create the uploaded file array
+                $uploadedfile = array(
+                    'name'     => $filename,
+                    'type'     => $_FILES["image"]["type"],
+                    'tmp_name' => $tmp_name,
+                    'error'    => $_FILES["image"]["error"],
+                    'size'     => $_FILES["image"]["size"]
+                );
+                // Upload the file
+                $upload = wp_handle_upload($uploadedfile, $upload_overrides);
+                // Check if the upload was successful
+                if ($upload && !isset($upload['error'])) {
+                    //echo esc_html("File uploaded successfully!");
+                    //print_r($upload); // This will show the file path, URL, and other details
+                    $editImgUrl = esc_url_raw($upload['url']);
+                } else {
+                    echo esc_html("Upload failed.");
+                    // Display specific upload error, safely escaped
+                    echo esc_html("Error: " . $upload['error']);
+                }
+            } else {
+                echo esc_html("Error uploading file: " . $_FILES["image"]["error"]);
+            }
+            // Proceed with uploading the image
+            //$upload = wp_upload_bits($_FILES["image"]["name"], null, file_get_contents($_FILES["image"]["tmp_name"]));
+        }
+        $id = sanitize_text_field($_REQUEST['id']);
+        // Update the record in the database
+        $wpdb->update(
+            $table_name,
+            array(
+                'title' => sanitize_text_field($title), // Ensure title is sanitized properly
+                'link' => esc_url_raw($link),
+                'publish' => sanitize_text_field($publish),
+                'target' => sanitize_text_field($target),
+                'image' => $editImgUrl
+            ),
+            array('id' => $id),
+            array('%s', '%s', '%s', '%s', '%s'),
+            array('%d')
+        );
+        // Redirect with success message
+        $displayUrl = $_SERVER['HTTP_REFERER'] . '&editmsg=Edited Successfully';
+        echo "<script type='text/javascript'>location.href = '" . esc_url($displayUrl) . "';</script>";
+        die(0);
+    }
+}
 /*setting custom url*/

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory

Context Navigation

Changeset 3198788

Legend:

sponsered-link/trunk/readme.txt

sponsered-link/trunk/sponserlink.php

Download in other formats: