I have inherited a WordPress website that uses the RunPHP plug-in for executing snippets of PHP code in between posts. I have a feeling that this isn't the best way to implement such functionality. But since this is legacy code that has been functionally correct for a very long time, I'll need some solid examples of problem scenarios.
For those not familiar with RunPHP, it is a plug-in which executes PHP code embedded inside the Post or Page body using eval(). The code block is never received from the user, but entered into the database by the site owner / content creator.
The use case for this plug-in in our context is as follows.
A form is created as a Post, whose submit action is set to a Page (let's call it form handler). The form handler contains PHP code in its body and the RunPHP plug-in is activated for that Page. When the form gets submitted, the form handler receives the data and the PHP code in its body is executed.
This is besides some rather glaring security issues in the form handler code (dynamic user-submitted variable evaluation, no input-sanitization, no parametrized SQL queries).
Can somebody here verify my doubts about runtime code execution plug-ins in WP?
Much appreciated.
Form code in a Post -
<form action="/?p=1234" method="post">
<input name="foobar" type="text" />
<input type="submit" />
</form>
Handler code in a Page (this is stored in the database, and eval()-ed at runtime) -
<?php
$foobar = $_POST["foobar"]; // This contains a SQL-injection vulnerability; But that's a separate issue, I think
$query = "INSERT INTO table (field) VALUES (\"" . $foobar . "\")"; // Use variable in a query string
?>
Difficult to say without seeing the actual site/code, but generally eval is a potential gateway for security problems. Imagine your site has an SQL injection problem somewhere: attackers have the possibility to not only inject data but also working PHP code into your application. Eval has some (few) valid areas of use, but in general I'd avoid it. Wordpress is quite easy to extend, maybe try porting the functionality to plugins.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With