PHP WordPress search filter code [working] help me improve it (is it secure?)
Updated question. After a lot of stupid trial and error I found out how to handle an array of tags; my solution, which also covers post_type and custom taxonomies, is below for anyone else looking for one. Are there any suggestions for improvement and, more importantly, am I missing any sanitization that could lead to XSS/injection attacks? I int-cast some numeric values and escaped some attributes with esc_attr; the rest relies on higher-level WordPress functions, but I want to be sure. Also, using the usual approach here, is there a better way to send an imploded string to GET in the first place, instead of the array form var[]=value&var[]=value2&var[]=value3...? That would help keep the URL sane when searching for many tags etc.

Form
<form method="get" action="<?php bloginfo('url'); ?>">
<fieldset>
<!-- KEYWORD -->
<?php // get_search_query() returns the current term already attribute-escaped ('' outside a search); the_search_query() echoes and returns nothing, so it only worked inside echo by accident ?>
<input type="text" name="s" value="<?php echo get_search_query(); ?>" placeholder="search…" maxlength="50" />
<!-- POST TYPES -->
<?php
// set post types that I want to expose
$post_types = array ("fotograf","yazi","afis","video","ses");
// get queried post types (see functions.php, this never defaults to 'any'); cast to array so in_array() is safe if WP hands back a single string
$query_types = (array) get_query_var('post_type');
// print checkbox per post type, always part of the query per functions.php, so I skipped isqueried
// value goes through esc_attr() (attribute context), the label through esc_html() (text context)
foreach ($post_types as $post_type): ?>
<input type="checkbox" name="post_type[]" value="<?php echo esc_attr($post_type) ?>" <?php checked( in_array( $post_type, $query_types ) );?> /><label><?php echo esc_html($post_type) ?></label>
<?php endforeach; ?>
<!-- TAGS -->
<?php
// generate list of tags
$tags = get_tags();
// get queried tags (see functions.php, I choose to use 'tag_slug__in', but you could probably explode the comma separated 'tag' string); cast to array because the var is '' when unset
$query_tags = (array) get_query_var('tag_slug__in');
// check if any tags are in the GET (for creating checked checkboxes below)
$isqueried = isset($_GET['tags']);
// print checkbox per tag, pre-checked if part of the query, I defaulted to not checking any if the search implicitly covers all tags, since it would be a bother to uncheck them
// slugs come from the database, but they are still escaped for the context they are printed in
foreach ($tags as $tag): ?>
<input type="checkbox" name="tags[]" value="<?php echo esc_attr($tag->slug) ?>" <?php if ($isqueried){ checked( in_array( $tag->slug , $query_tags ) ); } ?> /><label><?php echo esc_html($tag->slug) ?></label>
<?php endforeach; ?>
<!-- DATE -->
<?php $isqueried = isset($_GET['after']); ?>
<input type="number" name="after" value="<?php echo ($isqueried) ? esc_attr($_GET['after']) : '' ?>" maxlength="4" />
<?php $isqueried = isset($_GET['before']); ?>
<input type="number" name="before" value="<?php echo ($isqueried) ? esc_attr($_GET['before']) : '' ?>" maxlength="4" />
<!-- CITIES -->
<?php
// generate list of terms
$cities = get_terms('sehir');
// explode queried terms into array, alternately could check if part of string below; cast to string because the var is '' when unset
$query_cities = explode(',' , (string) get_query_var('sehir'));
// check if the term was queried
$isqueried = isset($_GET['city']);
// print checkbox per city, pre-checked if part of the query, I defaulted to not checking any if the search implicitly covers all cities, since it would be a bother to uncheck them
foreach ($cities as $city): ?>
<input type="checkbox" name="city[]" value="<?php echo esc_attr($city->slug) ?>" <?php if ($isqueried){ checked( in_array( $city->slug , $query_cities ) ); } ?> /><label><?php echo esc_html($city->name) ?></label>
<?php endforeach; ?>
<button type="submit">Search</button>
</fieldset>
</form>
This is the correct behaviour of GET returning an array [] in the query. To get what you want, you would have to modify $_GET after submit with implode() or something similar. Also note that you only get a value when the user ticks the box. If they don't, it won't be passed at all, it won't exist (in case you didn't know that). You should make sure to check with isset() so that you don't implode() nothing.

How would I set the checkboxes so that they are checked according to the query? See the updated question.

I found that as long as I don't name them "tag", I can implode them. In that case WordPress's query string handling takes over; see the updated question again.
function filter_search_query($query) {
    // only touch the main front-end search query, not admin screens or secondary loops
    if ($query->is_search() && $query->is_main_query() && !is_admin()) {
        // get original meta query; WP_Query returns '' when none is set, and PHP 7.1+ rejects $string[] = ...
        $meta_query = $query->get('meta_query');
        if (!is_array($meta_query)) {
            $meta_query = array();
        }
        if (!empty($_GET['after'])) {
            $after = intval($_GET['after']);
            // add our meta query to the original meta queries; 'type' => 'NUMERIC' makes >= a numeric, not a string, comparison
            $meta_query[] = array(
                'key'     => 'tarih',
                'value'   => $after,
                'compare' => '>=',
                'type'    => 'NUMERIC',
            );
        }
        if (!empty($_GET['before'])) {
            $before = intval($_GET['before']);
            // add our meta query to the original meta queries
            $meta_query[] = array(
                'key'     => 'tarih',
                'value'   => $before,
                'compare' => '<=',
                'type'    => 'NUMERIC',
            );
        }
        // update the meta query args
        $query->set('meta_query', $meta_query);
        // if the user GETed any tags, sanitize each slug on its own and set the array on tag_slug__in
        // (imploding on '_' and exploding again would also split any slug that itself contains an underscore)
        if (isset($_GET['tags']) && is_array($_GET['tags'])) {
            $tags = array_filter(array_map('sanitize_key', $_GET['tags']));
            $query->set('tag_slug__in', $tags);
        }
        // if the user GETed any cities, sanitize each slug first and then implode; sanitize_key() on the
        // imploded string strips the commas and fuses the slugs into one token. The taxonomy query var takes a comma separated list
        if (isset($_GET['city']) && is_array($_GET['city'])) {
            $query_cities = implode(',', array_filter(array_map('sanitize_key', $_GET['city'])));
            $query->set('sehir', $query_cities);
        }
        // limit to these post types if not declared in GET
        if (!isset($_GET['post_type'])) {
            $default_post_types = array("fotograf","yazi","afis","video","ses");
            $query->set('post_type', $default_post_types);
        }
    }
}
add_action('pre_get_posts', 'filter_search_query', 1000);
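The script below is an added example, not code from the question or the answer, and it is written to run outside WordPress: `sanitize_key()` is WordPress's function, and the stand-in defined here reproduces its documented behaviour (lowercase, then strip every character outside [a-z0-9_-]) only when the real one is absent. The city slugs, the hostile request value, and the helper names `sanitize_slug_list()` and `checkbox_html()` are all constructed for this example. It shows the two points the thread raises: why `sanitize_key()` applied to an imploded list mangles the list, and how a single comma-separated GET parameter can replace the `var[]=a&var[]=b` form while still being sanitized per item.

```php
<?php
// Added example, not the question's or the answer's code. Runs without WordPress:
// the stand-in below mirrors sanitize_key()'s documented behaviour and is only
// defined when the real function is not loaded.
if ( ! function_exists( 'sanitize_key' ) ) {
    function sanitize_key( $key ) {
        $key = strtolower( (string) $key );
        return preg_replace( '/[^a-z0-9_\-]/', '', $key );
    }
}

// Sanitize a list of slugs item by item, then keep only slugs that really exist.
// $allowed stands in for what get_terms()/get_tags() would return inside WordPress.
function sanitize_slug_list( array $values, array $allowed ) {
    $clean = array_map( 'sanitize_key', $values );
    return array_values( array_intersect( $clean, $allowed ) );
}

// Build checkbox markup with the value in attribute context and the label in text
// context (htmlspecialchars() here; esc_attr()/esc_html() inside WordPress).
function checkbox_html( $name, $slug, $label, array $selected ) {
    $checked = in_array( $slug, $selected, true ) ? ' checked="checked"' : '';
    return sprintf(
        '<input type="checkbox" name="%s" value="%s"%s /><label>%s</label>',
        htmlspecialchars( $name, ENT_QUOTES, 'UTF-8' ),
        htmlspecialchars( $slug, ENT_QUOTES, 'UTF-8' ),
        $checked,
        htmlspecialchars( $label, ENT_QUOTES, 'UTF-8' )
    );
}

// Constructed sample data: slugs a 'sehir' taxonomy might hold, and a request that
// mixes real slugs with an attempt to break out of the value="..." attribute.
$known_cities = array( 'istanbul', 'izmir', 'ankara-merkez', 'bursa' );
$raw_request  = array( 'istanbul', 'izmir', 'ankara-merkez', '"><script>alert(1)</script>' );

// 1. What functions.php in the question does: implode, then sanitize_key().
//    The commas are stripped along with everything else, so the slugs fuse into
//    one token and the taxonomy query matches nothing.
$fused = sanitize_key( implode( ',', $raw_request ) );
echo "implode then sanitize_key: $fused\n";

// 2. Per-item sanitizing plus an allow-list: the hostile entry disappears and the
//    commas survive, which is the value to hand to $query->set( 'sehir', ... ).
$cities = sanitize_slug_list( $raw_request, $known_cities );
echo 'sanitize each, then implode: ' . implode( ',', $cities ) . "\n";

// 3. URL size: the array form versus one comma-separated parameter.
echo 'array form:   ' . http_build_query( array( 'city' => $cities ) ) . "\n";
echo 'compact form: ' . http_build_query( array( 'city' => implode( ',', $cities ) ) ) . "\n";

// Reading the compact form back on the request side: explode, then the same
// per-item sanitizing (constructed query string, with an unknown slug and junk).
parse_str( 'city=istanbul%2Cizmir%2Cnowhere%2C%22%3E', $params );
$from_url = sanitize_slug_list( explode( ',', $params['city'] ?? '' ), $known_cities );
echo 'parsed back:  ' . implode( ',', $from_url ) . "\n";

// 4. The escaped checkbox: the raw value can no longer close the attribute.
echo checkbox_html( 'city[]', $raw_request[3], 'hostile label', $cities ), "\n";
```

Run it with `php example.php`. The first line shows the fused token (`istanbul`, `izmir` and `ankara-merkez` run together with the remains of the script tag), the second shows the three real slugs still separated by commas, the compact form is one `city=` parameter instead of three indexed ones, and the last line shows the quote and angle brackets of the hostile value entity-encoded inside `value="..."`. The allow-list step is what closes the remaining gap in the thread's approach: `sanitize_key()` only guarantees a safe character set, not that the slug refers to an existing term.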