0

Is there a way to insert data from a WordPress custom field into a custom file instead of into the MySQL database?

The reason I want to do this is because I am trying to set up a custom field as a sort of PHP sandbox for the user and I would like to just use include filename.php in a template file and avoid inserting PHP data into the database and the security vulnerabilities that come along with this, or worse having to use eval after the data has been retrieved from the database.

I'm open to any other suggestions to accomplish this, but I think the easiest would be to store the data in a random php file and circumvent the database altogether.

Improve this question
2
  • 2
    And you think putting user entered PHP into a file on the server isn't a security vulnerability...? Commented Jan 12, 2013 at 21:00
  • That's a good point, I suppose it's a bad idea all around. Commented Jan 14, 2013 at 0:29

1 Answer 1

Reset to default
1

let me preface this by saying:

this is a bad idea

Your idea is to have end users upload PHP scripts that you will then execute on your server. Whats to stop an attacker from uploading a script like this:

<?php
// get a list of all of the wp-config.php files available to this user
$configs = shell_exec("cd ~ && find `pwd` -name wp-config.php");
// go through every match and email the contents 
// of the file to my super secret hacker email or whatever
// btw i now have mysql credentials for all of your wp sites.
?>

And that isn't even imaginative.

that said here is how to do it

Download and install https://github.com/fyaconiello/WP_Bad_Idea as a plugin on your WP site

Then add this to your theme's single-attack_post.php

<h3>THE CODE</h3>
<pre>
<?php include($post->attack_code); ?>
</pre>
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you, I may end up not doing this it seems like there's no way around the potential for evil.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.