PHP WordPress search filter code [working]: help me improve it (is it secure?)

Tags: php, wordpress, get

Updated question. After a lot of dumb trial and error I found out how to handle an array of tags; my solution, which also covers post_type and custom taxonomies, is below for anyone else looking for one. Are there any suggestions for improvement and, more importantly, am I missing some sanitization that could open up XSS/injection attacks? I int-cast some of the numeric values and escaped some attributes with esc_attr; the rest relies on higher-level WordPress functions, but I want to be sure about that.

Also, using the usual methods here, is there a better way to send a single imploded string to GET instead of the array form var[]=value&var[]=value2&var[]=value3...? That would help keep the URL sane when searching on a large number of tags and so on.

The form

<form method="get" action="<?php echo esc_url( home_url( '/' ) ); ?>">
  <fieldset>
    <!-- KEYWORD -->
    <!-- get_search_query() returns the current search string already passed through esc_attr(), so it is safe inside the value attribute -->
    <input type="text" name="s" value="<?php echo get_search_query(); ?>" placeholder="search&hellip;" maxlength="50" />

    <!-- POST TYPES -->
    <?php
    // set post types that I want to expose
    $post_types = array( 'fotograf', 'yazi', 'afis', 'video', 'ses' );
    // get queried post types (see functions.php, this never defaults to 'any');
    // cast to array because get_query_var() returns '' when the var is unset and in_array() would warn on a string
    $query_types = (array) get_query_var( 'post_type' );
    // print checkbox per post type, always part of the query per functions.php, so I skipped isqueried
    foreach ( $post_types as $post_type ) : ?>

      <input type="checkbox" name="post_type[]" value="<?php echo esc_attr( $post_type ); ?>" <?php checked( in_array( $post_type, $query_types, true ) ); ?> /><label><?php echo esc_html( $post_type ); ?></label>

    <?php endforeach; ?>

    <!-- TAGS -->
    <?php
    // generate list of tags
    $tags = get_tags();
    // get queried tags (see functions.php, I chose 'tag_slug__in', but you could probably explode the comma separated 'tag' string)
    $query_tags = (array) get_query_var( 'tag_slug__in' );
    // check if any tags are in the GET (for creating checked checkboxes below)
    $isqueried = isset( $_GET['tags'] );
    // print checkbox per tag, pre-checked if part of the query; I defaulted to not checking any if the search implicitly covers all tags, since it would be a bother to uncheck them
    // slugs come from the database, but they are still escaped for the attribute/text context they are printed in
    foreach ( $tags as $tag ) : ?>

      <input type="checkbox" name="tags[]" value="<?php echo esc_attr( $tag->slug ); ?>" <?php if ( $isqueried ) { checked( in_array( $tag->slug, $query_tags, true ) ); } ?> /><label><?php echo esc_html( $tag->slug ); ?></label>

    <?php endforeach; ?>

    <!-- DATE -->
    <!-- the raw request value is echoed back, so it must be escaped; note that type="number" ignores maxlength, so the length cap is only the server-side intval() in functions.php -->
    <?php $isqueried = isset( $_GET['after'] ); ?>
    <input type="number" name="after" value="<?php echo $isqueried ? esc_attr( $_GET['after'] ) : ''; ?>" maxlength="4" />
    <?php $isqueried = isset( $_GET['before'] ); ?>
    <input type="number" name="before" value="<?php echo $isqueried ? esc_attr( $_GET['before'] ) : ''; ?>" maxlength="4" />

    <!-- CITIES -->
    <?php
    // generate list of terms (get_terms() returns a WP_Error if the taxonomy does not exist)
    $cities = get_terms( array( 'taxonomy' => 'sehir' ) );
    if ( is_wp_error( $cities ) ) {
        $cities = array();
    }
    // explode queried terms into array (WordPress keeps the comma separated slug string in the taxonomy query var), alternately could check if part of string below
    $query_cities = explode( ',', (string) get_query_var( 'sehir' ) );
    // check if the term was queried
    $isqueried = isset( $_GET['city'] );
    // print checkbox per city, pre-checked if part of the query; same default as for tags, none checked when the search implicitly covers all cities
    foreach ( $cities as $city ) : ?>

      <input type="checkbox" name="city[]" value="<?php echo esc_attr( $city->slug ); ?>" <?php if ( $isqueried ) { checked( in_array( $city->slug, $query_cities, true ) ); } ?> /><label><?php echo esc_html( $city->name ); ?></label>

    <?php endforeach; ?>


    <button type="submit">Search</button>
  </fieldset>
</form>
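The question also asks whether the checked slugs could travel as one comma-separated parameter (?tags=a,b,c) instead of tags[]=a&tags[]=b. The following is an added example, not code from the question or the answer, showing how such a parameter can be split, validated and rebuilt in plain PHP so it runs without WordPress. The function names, the allowlist and the sample request string are mine; inside a theme the regex check would be replaced by WordPress's own sanitize_key(), which permits the same [a-z0-9_-] characters.

```php
<?php
// Added example, not part of the original question: parse a comma separated
// GET parameter such as ?tags=foo,bar,baz into a list of slugs that is safe to
// hand to WP_Query, instead of the tags[]=foo&tags[]=bar form.
// Function names, allowlist and sample input below are illustrative assumptions.

/**
 * Split a raw comma separated value into slugs, keep only those that look like
 * slugs ([a-z0-9_-]) and, when an allowlist is given, only those on the list.
 * The character class mirrors what WordPress's sanitize_key() lets through.
 */
function parse_slug_list(string $raw, ?array $allowed = null, int $max = 50): array
{
    $out = [];
    foreach (explode(',', $raw) as $piece) {
        $slug = strtolower(trim($piece));
        if ($slug === '' || !preg_match('/^[a-z0-9_-]{1,200}$/', $slug)) {
            continue; // drop anything that is not a plain slug (quotes, spaces, tags, ...)
        }
        if ($allowed !== null && !in_array($slug, $allowed, true)) {
            continue; // drop slugs that are not on the allowlist
        }
        $out[$slug] = true; // keys dedupe repeated slugs
        if (count($out) >= $max) {
            break; // cap the list so a huge URL cannot turn into a huge query
        }
    }
    return array_keys($out);
}

/**
 * Build the search URL back from arrays: list parameters are imploded with commas
 * so ?s=x&tags=a,b,c comes out instead of tags[]=a&tags[]=b&tags[]=c.
 * Empty lists are omitted (an unticked checkbox group is simply absent, as the
 * answer points out), values are percent-encoded, and the comma is left as-is
 * because it is a legal sub-delimiter in an RFC 3986 query.
 */
function build_search_url(string $base, array $params): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            $value = implode(',', $value);
        }
        if ($value === null || $value === '') {
            continue;
        }
        $pairs[] = rawurlencode((string) $key) . '=' .
                   str_replace('%2C', ',', rawurlencode((string) $value));
    }
    return $pairs ? $base . '?' . implode('&', $pairs) : $base;
}

// Constructed sample input: what a hostile or sloppy client might put in ?tags=
$allowed_tags = ['istanbul', 'ankara', 'izmir', 'konser']; // assumed: would come from get_tags()
$raw = 'Istanbul, ankara,izmir,<script>,ankara,"x",konser,bursa';
$tags = parse_slug_list($raw, $allowed_tags);
var_export($tags);
echo "\n";

echo build_search_url('https://example.com/', [
    's'     => 'açık hava',
    'tags'  => $tags,
    'city'  => [],        // nothing ticked: omitted entirely
    'after' => 2010,
]), "\n";
```

Run with php on the command line: the list keeps only the allowlisted, deduplicated slugs (case folded, with the script tag and quoted junk discarded), and the rebuilt URL carries them as one tags= parameter. On the WordPress side the same list can be fed to $query->set( 'tag_slug__in', ... ) in pre_get_posts, exactly as the functions.php code does with the array form.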

This is the correct behaviour of get when it returns an array ([]) in the query. To get what you want you would have to modify $_GET after submission with implode() or something similar. Also note that you only get the values when the user ticks the boxes. If they don't, it won't get passed at all; it simply won't exist (in case you didn't know that). You should make sure to check with isset() so you don't implode() nothing.

How would I set up the checkboxes so that they are checked according to the query? See the updated question. I found that as long as I don't name them "tag" I can implode it; in that case WordPress's query string handling takes over, see the updated question again.
functions.php

function filter_search_query( $query ) {

    // only touch the front-end main search query, not admin screens or secondary queries
    if ( is_admin() || ! $query->is_main_query() || ! $query->is_search() ) {
        return;
    }

    // get original meta query ('' when unset, so cast to array before appending)
    $meta_query = (array) $query->get( 'meta_query' );

    if ( ! empty( $_GET['after'] ) ) {
        // cast to int so only a number ever reaches the meta query
        $after = intval( $_GET['after'] );

        // Add our meta query to the original meta queries
        // ('type' => 'NUMERIC' makes the comparison numeric instead of a string compare)
        $meta_query[] = array(
            'key'     => 'tarih',
            'value'   => $after,
            'compare' => '>=',
            'type'    => 'NUMERIC',
        );
    }

    if ( ! empty( $_GET['before'] ) ) {
        $before = intval( $_GET['before'] );

        // Add our meta query to the original meta queries
        $meta_query[] = array(
            'key'     => 'tarih',
            'value'   => $before,
            'compare' => '<=',
            'type'    => 'NUMERIC',
        );
    }

    // update the meta query args
    $query->set( 'meta_query', $meta_query );

    // if the user GETed any tags, sanitize each slug on its own and set the array to tag_slug__in.
    // sanitize_key() keeps only [a-z0-9_-], so sanitizing the imploded string and exploding it
    // again on '_' would break any slug that contains an underscore; per element is unambiguous.
    if ( isset( $_GET['tags'] ) && is_array( $_GET['tags'] ) ) {
        $tags = array_filter( array_map( 'sanitize_key', array_filter( $_GET['tags'], 'is_string' ) ) );
        if ( $tags ) {
            $query->set( 'tag_slug__in', array_values( $tags ) );
        }
    }

    // if the user GETed any cities, build the comma separated slug list for the 'sehir' taxonomy
    // (WordPress turns a comma separated taxonomy query var into an IN tax_query).
    // sanitize per element: sanitize_key() strips commas, so sanitizing the imploded
    // string would merge 'istanbul,ankara' into the single slug 'istanbulankara'.
    if ( isset( $_GET['city'] ) && is_array( $_GET['city'] ) ) {
        $cities = array_filter( array_map( 'sanitize_key', array_filter( $_GET['city'], 'is_string' ) ) );
        if ( $cities ) {
            $query->set( 'sehir', implode( ',', $cities ) );
        }
    }

    // limit to these post types if not declared in GET. When post_type[] is in GET, WordPress
    // itself drops anything that is not a publicly_queryable post type before the query runs.
    if ( ! isset( $_GET['post_type'] ) ) {
        $default_post_types = array( 'fotograf', 'yazi', 'afis', 'video', 'ses' );
        $query->set( 'post_type', $default_post_types );
    }
    // pre_get_posts is an action: the WP_Query object is modified in place, nothing to return
}
add_action( 'pre_get_posts', 'filter_search_query', 1000 );
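To make the "is it secure?" question answerable by a test rather than by inspection, here is an added example (not the questioner's functions.php) that expresses the same filtering as a pure function from a $_GET-shaped array to a WP_Query arguments array. It runs without WordPress; inside pre_get_posts the result would be applied with $query->set() per key. The post type and taxonomy names are taken from the question; the city allowlist, the year bounds, the helper names and the sample request are assumptions. It goes one step further than the original by allowlisting post_type and city against known sets and bounding the years, and it uses an explicit tax_query instead of the taxonomy query var.

```php
<?php
// Added example, not the questioner's code: the search filter as a pure function
// from request parameters to WP_Query arguments, so sanitization is unit-testable.
// SEARCH_POST_TYPES and the 'sehir'/'tarih' names come from the question; the city
// allowlist and the year bounds are assumptions made for this example.

const SEARCH_POST_TYPES = ['fotograf', 'yazi', 'afis', 'video', 'ses'];
const SEARCH_CITIES     = ['istanbul', 'ankara', 'izmir']; // assumed: in a theme, from get_terms('sehir')
const YEAR_MIN = 1900;
const YEAR_MAX = 2100;

/** Keep only the string entries of an array parameter that are on the allowlist, deduped. */
function allowlisted(array $get, string $key, array $allowed): array
{
    if (!isset($get[$key]) || !is_array($get[$key])) {
        return [];
    }
    $values = array_filter($get[$key], 'is_string');   // nested arrays and ints are dropped
    return array_values(array_unique(array_intersect($values, $allowed)));
}

/** Return the parameter as an int year within bounds, or null when missing or invalid. */
function year_param(array $get, string $key): ?int
{
    if (!isset($get[$key]) || !is_string($get[$key]) || !ctype_digit($get[$key])) {
        return null;
    }
    $year = (int) $get[$key];
    return ($year >= YEAR_MIN && $year <= YEAR_MAX) ? $year : null;
}

/**
 * Build WP_Query arguments for the search form. Everything placed in the returned
 * array has been cast or allowlisted; the free-text 's' is only length-capped,
 * because WP_Query escapes it through $wpdb itself before it reaches SQL.
 */
function build_search_args(array $get): array
{
    $args = ['post_type' => SEARCH_POST_TYPES];   // default when nothing was ticked

    $post_types = allowlisted($get, 'post_type', SEARCH_POST_TYPES);
    if ($post_types) {
        $args['post_type'] = $post_types;
    }

    if (isset($get['s']) && is_string($get['s'])) {
        $args['s'] = substr($get['s'], 0, 50);      // same cap as the form's maxlength
    }

    $meta = [];
    $after  = year_param($get, 'after');
    $before = year_param($get, 'before');
    if ($after !== null) {
        $meta[] = ['key' => 'tarih', 'value' => $after,  'compare' => '>=', 'type' => 'NUMERIC'];
    }
    if ($before !== null) {
        $meta[] = ['key' => 'tarih', 'value' => $before, 'compare' => '<=', 'type' => 'NUMERIC'];
    }
    if ($meta) {
        $args['meta_query'] = $meta;
    }

    // tag slugs are checked against a slug pattern rather than an allowlist, since the set of tags changes
    if (isset($get['tags']) && is_array($get['tags'])) {
        $tags = array_values(array_filter($get['tags'], function ($t) {
            return is_string($t) && preg_match('/^[a-z0-9_-]{1,200}$/', $t);
        }));
        if ($tags) {
            $args['tag_slug__in'] = $tags;
        }
    }

    $cities = allowlisted($get, 'city', SEARCH_CITIES);
    if ($cities) {
        $args['tax_query'] = [[
            'taxonomy' => 'sehir',
            'field'    => 'slug',
            'terms'    => $cities,
            'operator' => 'IN',
        ]];
    }

    return $args;
}

// Constructed request, including the kind of junk a hostile client would send
$request = [
    's'         => "afis' OR 1=1 --",
    'post_type' => ['video', 'attachment', 'revision'],
    'after'     => '2005',
    'before'    => '20x5',
    'tags'      => ['konser', "x' OR '1'='1", ['nested']],
    'city'      => ['ankara', 'nowhere'],
];
var_export(build_search_args($request));
```

Running it shows the shape a hardened query ends up with: post_type is reduced to the one allowlisted value, the malformed 'before' is dropped while 'after' becomes a NUMERIC meta comparison, the injection-looking tag and the nested array disappear from tag_slug__in, and only the known city survives into the tax_query. The search string is passed through untouched apart from the length cap, which is deliberate: it is WP_Query's job to escape it, and double-escaping it here would corrupt legitimate searches.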