I have inherited a WordPress site that uses the RunPHP plugin to execute snippets of PHP code between posts. I have the feeling that this is not the best way to implement such functionality. But since this is legacy code that has been functionally correct for a very long time, I will need some convincing examples of problematic scenarios.
For those unfamiliar with RunPHP, this is a plugin that executes PHP code embedded inside a post or page body using eval(). The code block is never received from the user; it is entered into the database by the site owner / content creator.
An example of using this plugin in our context is as follows.
The form is placed in a post, and its action points at a page (let's call it the form handler). The form handler contains the PHP code in its body, and the RunPHP plugin is activated for this page. When the form is submitted, the form handler receives the data and the PHP code in its body is executed.
This is in addition to some rather glaring security problems in the code of the form handler itself (dynamic evaluation of user-supplied variables, lack of input processing, lack of parameterized SQL queries).
Can someone here confirm my doubts about code-execution plugins in WP?
Great importance.
The form code in the post is
<form action="/?p=1234" method="post"> <input name="foobar" type="text" /> <input type="submit" /> </form>
Handler code on the page (it is stored in the database and eval()-ed at run time):

<?php $foobar = $_POST["foobar"]; // raw, unsanitized request value; the rest of the handler body follows here
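Since the question asks for concrete problematic scenarios, here is an added example (my own code, not from the question, from RunPHP, or from WordPress core). Part 1 reconstructs the kind of eval()-ed handler body the question describes: user-controlled variable creation, no input processing, string-built SQL. Its exact shape (the extract() call, the `feedback` table and `value` column) is an assumption, since the original shows only the first line. Part 2 handles the same form from a plugin file on disk using real WordPress APIs (admin-post.php hooks, wp_nonce_field/wp_verify_nonce, sanitize_text_field, $wpdb->insert); the `demo_feedback_*` names are mine.

```php
<?php
/*
Plugin Name: Demo Feedback (added example, not from the original question)
*/

// ---------- Part 1: the legacy pattern as RunPHP would eval() it (do not deploy) ----------
// Assumed reconstruction of the handler body described in the question.
function legacy_handler_body() {
    global $wpdb;
    $table = $wpdb->prefix . 'feedback';   // intended target table (assumed name)

    // "dynamic evaluation of variables by the user": extract() turns every POST
    // field into a local variable. A field named "table" now overwrites $table
    // (EXTR_OVERWRITE is the default), and any other local name can be clobbered
    // the same way by whoever submits the form.
    extract($_POST);

    $foobar = $_POST['foobar'];            // no sanitization, exactly as on the page

    // No parameterized query: a single quote in $foobar closes the string literal
    // and the rest of the value is parsed as SQL.
    $wpdb->query("INSERT INTO $table (value) VALUES ('$foobar')");
}

// ---------- Part 2: same form, handled by code on disk instead of eval() ----------

// The form is emitted by a shortcode ([demo_feedback_form] in the post), so the
// post body contains no PHP and RunPHP is not needed at all.
add_shortcode('demo_feedback_form', 'demo_feedback_form');
function demo_feedback_form() {
    ob_start();
    ?>
    <form action="<?php echo esc_url(admin_url('admin-post.php')); ?>" method="post">
        <input type="hidden" name="action" value="demo_feedback">
        <?php wp_nonce_field('demo_feedback_submit', 'demo_feedback_nonce'); ?>
        <input name="foobar" type="text">
        <input type="submit">
    </form>
    <?php
    return ob_get_clean();
}

// admin-post.php dispatches on the "action" field; register for both logged-in
// and anonymous submitters.
add_action('admin_post_demo_feedback', 'demo_feedback_handle');
add_action('admin_post_nopriv_demo_feedback', 'demo_feedback_handle');
function demo_feedback_handle() {
    global $wpdb;

    // Reject requests that did not come from our rendered form.
    if (!isset($_POST['demo_feedback_nonce']) ||
        !wp_verify_nonce($_POST['demo_feedback_nonce'], 'demo_feedback_submit')) {
        wp_die('Invalid request', '', array('response' => 403));
    }

    // Input processing: strip WP's magic slashes, drop tags/control chars, bound length.
    $foobar = sanitize_text_field(wp_unslash($_POST['foobar'] ?? ''));
    if ($foobar === '' || strlen($foobar) > 200) {
        wp_die('Bad input', '', array('response' => 400));
    }

    // Table name is fixed in code; nothing in the request can rename it.
    $table = $wpdb->prefix . 'feedback';   // assumed table, same as Part 1

    // Parameterized write: $wpdb->insert() escapes the value for the %s format.
    $wpdb->insert($table, array('value' => $foobar), array('%s'));

    $back = wp_get_referer();
    wp_safe_redirect($back ? $back : home_url('/'));
    exit;
}
```

The broader point for the "convincing scenarios" list: with RunPHP enabled, post_content is a code path, so every account or endpoint that can write that page (editors, XML-RPC or REST credentials, or any other plugin's write vulnerability) gains arbitrary PHP execution on the server, which is a far wider trust boundary than "the site owner". One caveat on Part 2: for anonymous submitters the nonce is not bound to a user session, so it mainly blocks blind direct POSTs rather than providing real CSRF protection; for logged-in users it does both.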