2. Plugins are tools to extend the functionality of WordPress. Q: Has anyone here ever developed a WordPress plugin?
3. Are you wishing that WordPress had some new or modified feature? Always check the WordPress Plugin Repository first! No one wants to re-invent the wheel. Chances are that someone else has already created a plugin that would suit your needs.
4. Plugins live in /wp-content/plugins/. The plugin header lets WordPress know that this file is a plugin.

<?php
/*
Plugin Name: Vox Importer
Plugin URI: http://wordpress.org/extend/plugins/vox-importer/
Description: Import posts, comments, tags, and attachments from a Vox.com blog.
Author: Automattic, Brian Colinger
Author URI: http://automattic.com/
Version: 0.6
License: GPL v2 - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
*/
?>
6.
<?php
function my_awesome_function() {
    $_POST = array_map( 'stripslashes', $_POST );
    // ...Insert something into the database
}
my_awesome_function();
?>

What's wrong with this code?
7. The proper way of doing this is to wrap this line with a conditional statement and to use stripslashes_deep() instead of stripslashes:

$_POST = array_map( 'stripslashes_deep', $_POST );

stripslashes_deep() is a WordPress function that properly handles multi-dimensional arrays.
9. You could wrap the array_map code in a conditional check to make sure that you only run this code on this page (the isset() guard avoids an undefined-index notice on requests without a page parameter):

if ( isset( $_GET['page'] ) && 'my-awesome-plugin' == $_GET['page'] ) {
    $_POST = array_map( 'stripslashes_deep', $_POST );
}
10. Another way would be to create a nonce field in the submission form and check for it before processing the POST data. Add this to your form:

<input name="update_settings" type="hidden" value="<?php echo wp_create_nonce( 'update_settings' ); ?>" />

In your plugin form handler function add this:

if ( ! isset( $_POST['update_settings'] ) || ! wp_verify_nonce( $_POST['update_settings'], 'update_settings' ) )
    return;

Or you could check the referrer:

check_admin_referer( $_GET['action'], 'update_settings' );
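Putting slides 6 through 10 together, here is an added example (not from the deck or from any Automattic plugin) of a small settings screen whose handler only runs for its own admin page, verifies the nonce, and uses stripslashes_deep() so nested POST values survive. It assumes it is loaded as a plugin inside WordPress; the page slug my-awesome-plugin, the option name and the form field are made up for the example.

```php
<?php
/*
Plugin Name: My Awesome Plugin (added example)
*/

// Register the settings screen; the slug is the same one the handler checks below.
add_action( 'admin_menu', function () {
    add_options_page( 'My Awesome Plugin', 'My Awesome Plugin', 'manage_options',
        'my-awesome-plugin', 'my_awesome_plugin_render_page' );
} );

function my_awesome_plugin_render_page() {
    $greeting = get_option( 'my_awesome_plugin_greeting', '' );
    $action   = admin_url( 'options-general.php?page=my-awesome-plugin' );
    ?>
    <div class="wrap">
      <h2>My Awesome Plugin</h2>
      <form method="post" action="<?php echo esc_url( $action ); ?>">
        <?php wp_nonce_field( 'update_settings', 'update_settings' ); // nonce field named update_settings ?>
        <input type="text" name="greeting" value="<?php echo esc_attr( $greeting ); ?>" />
        <?php submit_button(); ?>
      </form>
    </div>
    <?php
}

// Hooked to admin_init rather than called at file load, so it never runs on front-end page loads.
add_action( 'admin_init', 'my_awesome_plugin_handle_post' );

function my_awesome_plugin_handle_post() {
    // Only handle a POST aimed at our own screen (slide 9's page-slug check).
    if ( empty( $_POST ) || ! isset( $_GET['page'] ) || 'my-awesome-plugin' !== $_GET['page'] ) {
        return;
    }
    // Capability check: nonces prove intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Slide 10's nonce check; check_admin_referer() dies with a "link expired" page on failure.
    check_admin_referer( 'update_settings', 'update_settings' );

    // stripslashes_deep() walks nested arrays; plain stripslashes would collapse them to "Array".
    $data     = stripslashes_deep( $_POST );
    $greeting = isset( $data['greeting'] ) ? sanitize_text_field( $data['greeting'] ) : '';
    update_option( 'my_awesome_plugin_greeting', $greeting );
}
```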
Editor's Notes
With this header in place, your plugin will be listed on the Plugins admin screen. You will have to click the Activate link for the plugin to actually be enabled.
If my_awesome_function() is part of a plugin, this function will be called on every page load. The bad part is the array_map of stripslashes on the $_POST array. This is what happens when I code without caffeine! Any time the $_POST array is present, each element of that array will be stripped of slashes. Why is this bad? If the $_POST array contained a nested array, that array would be trashed and converted to the string 'Array'. Oops...
This only fixes part of the problem. Let's say that your plugin has an admin screen with a simple form. When the user clicks the submit button, you want to take that POST data and save it to the database. You need to make sure that your plugin's form processor only executes when the $_POST array comes from its admin screen.
There are a couple of ways to do this. Most admin screens will have a page slug associated with them. For example, if you have a settings screen for your plugin, the URL to it should be something like: