Skip to:
Content
Pages
Categories
Search
Top
Bottom

Is my activity editor safe?


  • btees
    Participant

    @btees

    4 years, 8 months ago

    In entry.php I’ve added the below form so that the person who posted the activity can edit it:

    
<?php 
$user = bp_get_activity_user_id();
$viewer = get_current_user_id();
if ($user == $viewer) :?>
<form class="edit-hidder" id="posteditor-<?php echo bp_get_activity_id();?>" action="<?php echo esc_url( admin_url('admin-post.php') ); ?>?action=add_foobar" method="post">
		 <input type="hidden" name="activity_id" value="<?php echo bp_get_activity_id();?>">
		
		<div id="whats-new-textarea">
		<label>Edit Fields Below</label><br>
		<label>Name of product or service *</label>
		<input type="text" name="title" id="title" required="" style="outline: none;" value="<?php echo $title;?>">
			<label>Description*</label><textarea required="" name="whats-new" id="new-post" class="bp-suggestions" cols="50" rows="10"><?php echo strip_tags(bp_get_activity_content_body());?></textarea>
	
</div>
		 <?php $result = $wpdb->get_results ( "SELECT * FROM wp_bp_xprofile_fields WHERE id='2'" );
    foreach ( $result as $print )   { ;?>
				<div class="halfer"><label>Industry*</label><select name="bpcat" id="bpcat" required>
		  <?php $options = $wpdb->get_results ( "SELECT * FROM wp_bp_xprofile_fields WHERE parent_id='$print->id'" );
      foreach ( $options as $option )   { ;?>
    	
    <option class="<?php echo $option->name;?>" name ="field_<?php echo $print->id;?>_match_any[]"value="<?php echo $option->name;?>" <?php if ($insearchof == $option->name) { echo 'selected';}?>><?php echo $option->name;?></option>
          <?php } ;?> 
		</select></div>
		
		<div class="halfer"><label>Region</label><input type="text" name="region" id="region" placeholder="Optional (e.g Toronto)" value="<?php echo $region;?>"></div>

		<div class="halfer"><label>Bugdet</label><input type="text" name="budget" id="budget" placeholder="$" value="<?php echo $budget;?>"></div>
		
		<div class="halfer"><label>Payment Method</label><select name="paymeth" id="paymeth">
		<option disabled>Any preferred method</option>
<option <?php if ($paymeth == 'Credit') { echo 'selected';}?> value="Credit">Credit</option>
<option <?php if ($paymeth == 'Debit') { echo 'selected';}?> value="Debit">Debit</option>
<option <?php if ($paymeth == 'Cheque') { echo 'selected';}?> value="Cheque">Cheque</option>
<option <?php if ($paymeth == 'Money Order') { echo 'selected';}?> value="Money Order">Money Order</option>
<option <?php if ($paymeth == 'Cash') { echo 'selected';}?> value="Cash">Cash</option>
<option <?php if ($paymeth == 'Payment Plan') { echo 'selected';}?> value="Payment Plan">Payment Plan</option>
</select>
</div>
<div class="halfer"><label>Delivery Method</label><select name="delmeth" id="delmeth">
<option <?php if ($delmeth == 'Any Method') { echo 'selected';}?> value="Any Method">Any Method</option>
<option <?php if ($delmeth == 'Parcel') { echo 'selected';}?> value="Parcel">Parcel</option>
<option <?php if ($delmeth == 'None') { echo 'selected';}?> value="None">None</option>
<option <?php if ($delmeth == 'Hand deliver') { echo 'selected';}?> value="Hand deliver">Hand deliver</option>
<option <?php if ($delmeth == 'Pick Up Depending On Location') { echo 'selected';}?> value="Pick Up Depending On Location">Pick Up Depending On Location</option>
</select>
</div>
<div class="fullwidth"><label>Additional Notes</label>
<textarea placeholder="Optional" name="addnotes" id="addnotes"><?php echo $addnotes; ?></textarea></div>
		<input type="hidden" value="open" name="status">
		<?php } ; ?>
				<input type="submit" value="Submit">
			</form>
<?php endif;?>

    Then in bp-custom.php the new info is submitted to the database like so:

    
function prefix_admin_add_foobar( $activity_id ){ 
global $wpdb;
$table_name = $wpdb->prefix . "_bp_activity";
  $wpdb->update( 
	'wp_bp_activity', 
	array( 
		'content' => $_POST['whats-new'] // string
				), 
	array( 'id' => $_POST['activity_id'] )
);
  bp_activity_update_meta( $_POST['activity_id'], 'bpcat', $_POST['bpcat'] );
	bp_activity_update_meta( $_POST['activity_id'], 'budget', $_POST['budget'] );
	bp_activity_update_meta( $_POST['activity_id'], 'datereq', $_POST['datereq'] );
	bp_activity_update_meta( $_POST['activity_id'], 'freq', $_POST['freq'] );
	bp_activity_update_meta( $_POST['activity_id'], 'title', $_POST['title'] );
	bp_activity_update_meta( $_POST['activity_id'], 'prodserv', $_POST['prodserv'] );
	bp_activity_update_meta( $_POST['activity_id'], 'paymeth', $_POST['paymeth'] );
	bp_activity_update_meta( $_POST['activity_id'], 'delmeth', $_POST['delmeth'] );
	bp_activity_update_meta( $_POST['activity_id'], 'addnotes', $_POST['addnotes'] );
	
	    wp_redirect( home_url() . '/members/' . bp_core_get_username( get_current_user_id()).'/activity/my-posts/#item-body' ,302 ); 
   
}

add_action( 'admin_post_add_foobar', 'prefix_admin_add_foobar' );
add_action( 'admin_post_nopriv_add_foobar', 'prefix_admin_add_foobar' );

    Is this safe?

    If not, how do I go about improving it?

  • You must be logged in to reply to this topic.

Topic Info

Topic Tags

Skip to toolbar