<?php
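add_action('wp_ajax_get_option', function () {
    // Gatekeeper for the AJAX handler: the request must carry a nonce that verifies
    // for 'my-nonce-action' AND the caller must hold the required capability.
    // Read the nonce as a plain string before handing it to wp_verify_nonce().
    $nonce = isset($_GET['_my_nonce']) && is_string($_GET['_my_nonce'])
        ? sanitize_text_field(wp_unslash($_GET['_my_nonce']))
        : '';
    // wp_verify_nonce() returns false when the nonce does not verify, so it has to be
    // negated here; without the "!" a valid nonce would hit the error branch and an
    // invalid one would fall through to the handler.
    if ($nonce === '' || !wp_verify_nonce($nonce, 'my-nonce-action') || !current_user_can('something')) {
        wp_send_json_error();
        // Kept as a safeguard so nothing below can run if wp_send_json_error() returns.
        exit;
    }
});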
<?php
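class MyDbClass
{
    public $entryId;

    function __construct()
    {
    }

    /**
     * Set the entry this object works on.
     *
     * @param mixed $entryId Raw id (e.g. from a request); coerced to a non-negative int with absint().
     * @throws \Exception when the entry does not belong to the current user.
     */
    public function setId( $entryId ){
        $this->entryId = absint($entryId);
        // Check ownership against the sanitized value, i.e. the one that will actually be used.
        if( ! $this->entryBelongsToUser($this->entryId ) ){
            throw new \Exception('You shall not pass', 400 );
        }
    }

    /**
     * Invoked by unserialize(). A serialized payload writes $entryId directly, so by the
     * time this runs the property never went through setId(): treat it as untrusted input,
     * re-run the same sanitization and ownership check, and bind it with $wpdb->prepare().
     */
    function __wakeup()
    {
        global $wpdb;
        // Re-validate through setId(): absint() plus the ownership check (throws on failure).
        $this->setId($this->entryId);
        // %d binds the id as an integer; $wpdb->get_results() itself takes no bind values,
        // so the original second argument was never used as one.
        $wpdb->get_results($wpdb->prepare("SELECT * FROM table WHERE `id` = %d", $this->entryId));
    }

    // Placeholder: must return true only when $entryId belongs to the current user.
    // As a stub it returns null, so setId() currently always throws.
    protected function entryBelongsToUser($entryId){}
}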
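//If we have:
//    $savedEntry = unserialize($_GET['data']);
//then this URL hands unserialize() an object payload: it instantiates MyDbClass with entryId
//taken straight from the query string (setId() and its absint() never run) and __wakeup()
//executes the SQL query with that value, so the sanitization in setId() is bypassed.
//http://somewordpresssite.com/?data=O:9:"MyDbClass":1:{s:7:"entryId";i:11;}
//Request data must never reach a bare unserialize(). With 'allowed_classes' => false the
//payload above becomes a __PHP_Incomplete_Class instead of a MyDbClass, so no __wakeup()
//runs; better still, carry plain data as JSON and use json_decode().
$savedEntry = isset($_GET['data']) && is_string($_GET['data'])
    ? unserialize($_GET['data'], ['allowed_classes' => false])
    : false;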