[wp-hackers] Couple of quick questions: restrict access to plugin
file and loading of l10n
Andrew Ozz
admin at laptoptips.ca
Fri Oct 19 17:40:42 GMT 2007
Hi, I need a bit of advice about a plugin I'm working on.
1. I've read the discussion about restricting access to a plugin's php
file from about a month ago and agree that there's no substitute for
properly escaping and sanitizing user input, POST and GET requests,
using wp_nonce, etc. But good security is build in layers, so I'm
thinking to restrict the loading of the plugin's main php file like that:
if( strpos($_SERVER['REQUEST_URI'], 'my-plugin.php') !== false &&
strpos($_SERVER['REQUEST_URI'], 'wp-admin') === false )
exit('some error message');
(load my-plugin.php only if it's requested by a script from wp-admin
directory).
Or even the more restrictive:
if ( strpos($_SERVER['REQUEST_URI'], 'my-plugin.php') !== false &&
! ('options-general.php' == basename($_SERVER['SCRIPT_FILENAME']) ||
'plugins.php' == basename($_SERVER['SCRIPT_FILENAME']) ||
'wp-login.php' == basename($_SERVER['SCRIPT_FILENAME'])) )
exit('some error message');
(load my-plugin.php only if it's requested by options-general, wp-login
or plugins.php).
Does anyone see any problems with using these? I've tested both on my
LAMP server and all seems to work fine in WordPress 2.2 and 2.3.
2. I'm providing .pot file for easy translation and (of course) using
load_plugin_textdomain to load the translations.
How "late" can I call it? I see some plugins use the "init" or
"plugins_loaded" hooks but that would load the translation on every run
- another 25-30KB - whether it's needed or not.
I've tried loading it at the beginning of the plugin's options page and
it works well on the test server, but was wondering if that's not "too
late". Does anyone have experience with this?
Thanks a lot,
Andrew
More information about the wp-hackers
mailing list