{"id":230412,"date":"2022-12-09T11:37:00","date_gmt":"2022-12-09T08:37:00","guid":{"rendered":"https:\/\/wordpress.mediadoma.com\/?p=230412"},"modified":"2022-12-07T11:58:47","modified_gmt":"2022-12-07T08:58:47","slug":"turvaline-wordpressi-vormi-esitamine","status":"publish","type":"post","link":"https:\/\/wordpress.mediadoma.com\/et\/turvaline-wordpressi-vormi-esitamine\/","title":{"rendered":"Secure WordPress Form Submission"},"content":{"rendered":"\n<p>Years ago I wrote a post in which I shared a public function for determining whether a user has permission to save information to the WordPress database. You can see the original content in all of its dated glory (along with some solid comments) <strong><a href=\"https:\/\/gist.github.com\/tommcfarlin\/4468321\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">here<\/a><\/strong> (it is five years old already, wow).<\/p>\n<p>As with anything related to programming, time passes, things get refined, and things [hopefully] end up better than they were.<\/p>\n<p>Although I still use and recommend a variant of the <strong>user_can_save<\/strong> (or <strong>userCanSave<\/strong>) function, I also think it is worth walking through how to separate out the process of verifying the request.<\/p>\n<p>So now it is not only a matter of determining whether the user has permission, but also of verifying the security information coming from the client, whether it arrives through a postback to the server or through an Ajax request, and doing so with good programming practices that are consistent with both WordPress and PHP.<\/p>\n<p>To be clear, this is about securely submitting a WordPress form from an options page or a settings page, not, for example, a form that comes from a template. That is another post for another time.<\/p>\n<p>Still, there are plenty of people building applications on WordPress who need exactly this.<\/p>\n<h2>Secure WordPress Form Submission<\/h2>\n<p>In this post I am not going to go into the details of determining whether something is an <strong><a href=\"https:\/\/codex.wordpress.org\/Function_Reference\/wp_is_post_autosave\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">autosave<\/a><\/strong> or a <strong><a href=\"https:\/\/codex.wordpress.org\/Function_Reference\/wp_is_post_revision\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">post revision<\/a><\/strong>.<\/p>\n<p>I will, however, walk through taking the function responsible for validating incoming information and rewriting it with a more modern approach: object-oriented practices, WordPress APIs, and PHP functions.<\/p>\n<h3>1 Starting at a General Level<\/h3>\n<p>At a basic level, let us assume there is a base class from which other subclasses that use this function are derived. That tells us we need to use the protected visibility modifier.<\/p>\n<p>We also know that we are dealing with a WordPress nonce value and its associated action. That means the <strong><a href=\"https:\/\/gist.github.com\/tommcfarlin\/b1eac5df600177b7beb423477ccceee6#file-00-function-signature-php\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">function signature looks something like this<\/a><\/strong>:<\/p>\n<pre><code>&lt;?php\nprotected function verifyRequest($nonce, $action);<\/code><\/pre>\n<h3>2 Sanitize the Data and Make Sure It Is Present<\/h3>\n<p>As with anything posted to the server, we know we need to check whether the data is set and, if it is, sanitize it.<\/p>\n<p>That means we need the following functions:<\/p>\n<ul>\n<li><a href=\"https:\/\/php.net\/manual\/en\/function.isset.php\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">isset<\/a><\/li>\n<li><a href=\"https:\/\/php.net\/manual\/en\/function.strip-tags.php\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">strip_tags<\/a><\/li>\n<li><strong><a href=\"https:\/\/php.net\/manual\/en\/function.stripslashes.php\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">stripslashes<\/a><\/strong><\/li>\n<\/ul>\n<p>And we also know we need to verify the nonce, so we also need <strong><a href=\"https:\/\/codex.wordpress.org\/Function_Reference\/wp_verify_nonce\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">wp_verify_nonce<\/a><\/strong>.<\/p>\n<h3>3 A Working First Pass<\/h3>\n<p>A working first pass at this function might look something like <strong><a href=\"https:\/\/gist.github.com\/tommcfarlin\/b1eac5df600177b7beb423477ccceee6#file-00-verify-request-1-php\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">this:<\/a><\/strong><\/p>\n<pre><code>&lt;?php\nprotected function verifyRequest($nonce, $action)\n{\n    \/\/ The nonce must be present, and it is sanitized before it is verified.\n    return isset($_GET[$nonce]) &amp;&amp;\n           wp_verify_nonce(strip_tags(stripslashes($_GET[$nonce])), $action);\n}\n<\/code><\/pre>\n<p>But what if someone submits the data via a <strong>POST<\/strong> request (as opposed to a <strong>GET<\/strong> request)? Then we could change the function so that it looks something like <strong><a href=\"https:\/\/gist.github.com\/tommcfarlin\/b1eac5df600177b7beb423477ccceee6#file-02-verify-request-2-php\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">this:<\/a><\/strong><\/p>\n<pre><code>&lt;?php\nprotected function verifyRequest($nonce, $action)\n{\n    \/\/ Accept the nonce from either the query string or the request body.\n    return (isset($_GET[$nonce]) &amp;&amp;\n            wp_verify_nonce(strip_tags(stripslashes($_GET[$nonce])), $action)) ||\n           (isset($_POST[$nonce]) &amp;&amp;\n            wp_verify_nonce(strip_tags(stripslashes($_POST[$nonce])), $action));\n}\n<\/code><\/pre>\n<p>And that would be enough. But if we really want this function to be as clean as possible, we could break it down even further.<\/p>\n<h3>4 A Function for Each Purpose<\/h3>\n<p>Given the code above, we know we need to handle both GET and POST requests. PHP provides the <strong>filter_input<\/strong> function, which is useful and easier to read (that is subjective), and which also passes a number of code-quality checks.<\/p>\n<p>In addition, we can use a <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Factory_method_pattern\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">simple factory-style<\/a><\/strong> function to separate the logic into the following functions:<\/p>\n<p><img decoding=\"async\" class=\"SDStudio-light-box-enable SDStudio-editor-tools-md-imp\" src=\"https:\/\/wordpress.mediadoma.com\/wp-content\/uploads\/2022\/01\/post-162230-61e73927a6ca8.png\" alt=\"Secure WordPress Form Submission\" ><\/p>\n<p>First, we need to write two separate functions, one for the <strong><a href=\"https:\/\/gist.github.com\/tommcfarlin\/b1eac5df600177b7beb423477ccceee6#file-03-verify-post-request-php\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">POST request:<\/a><\/strong><\/p>\n<pre><code>&lt;?php\nprivate function verifyPostRequest($nonce, $action)\n{\n    return\n        isset($_POST[$nonce]) &amp;&amp;\n        wp_verify_nonce(strip_tags(stripslashes(filter_input(INPUT_POST, $nonce))), $action);\n}<\/code><\/pre>\n<p>And one for the <strong><a href=\"https:\/\/gist.github.com\/tommcfarlin\/b1eac5df600177b7beb423477ccceee6#file-04-verify-get-request-php\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">GET request:<\/a><\/strong><\/p>\n<pre><code>&lt;?php\nprivate function verifyGetRequest($nonce, $action)\n{\n    return\n        isset($_GET[$nonce]) &amp;&amp;\n        wp_verify_nonce(strip_tags(stripslashes(filter_input(INPUT_GET, $nonce))), $action);\n}<\/code><\/pre>\n<p>Then we can <strong><a href=\"https:\/\/gist.github.com\/tommcfarlin\/b1eac5df600177b7beb423477ccceee6#file-05-verify-request-factory-php\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">tie these together in the original function as follows:<\/a><\/strong><\/p>\n<pre><code>&lt;?php\nprotected function verifyRequest($nonce, $action)\n{\n    \/\/ Dispatch on the HTTP method so the nonce is only read from the\n    \/\/ input the request actually used; anything else is rejected.\n    switch (strtolower($_SERVER['REQUEST_METHOD'])) {\n        case 'post':\n            return $this-&gt;verifyPostRequest($nonce, $action);\n        case 'get':\n            return $this-&gt;verifyGetRequest($nonce, $action);\n        default:\n            return false;\n    }\n}<\/code><\/pre>\n<h2>Handling Incoming Requests Cleanly<\/h2>\n<p>This may seem like a complicated way to handle a simple solution, given the initial set of code that was shared.<\/p>\n<p>That is certainly possible, especially if you are under time constraints or do not care as much about breaking things down into the smallest possible atomic (or even testable) components.<\/p>\n<p>But if you want to write object-oriented code with the greatest precision, this process can help with exactly that.<\/p>\n<p><div id=\"PostUnique_PostSource\" style=\"padding-top: 50px\">Source: <a target=\"_blank\" rel=\"noopener nofollow\" href=\"\/\/tommcfarlin.com\" class=\"external external_icon\">tommcfarlin.com<\/a><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is about securely submitting WordPress forms from an options page or a settings page, not a form that comes from a template.<\/p>\n","protected":false},"author":1,"featured_media":236238,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wp_rev_ctl_limit":""},"categories":[894,842,802,863],"tags":[1165],"class_list":["post-230412","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kood","category-opetused","category-php-4","category-wordpress-4","tag-affiai-et"],"_links":{"self":[{"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/posts\/230412","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/comments?post=230412"}],"version-history":[{"count":0,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/posts\/230412\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/media\/236238"}],"wp:attachment":[{"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/media?parent=230412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/categories?post=230412"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/tags?post=230412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}