$wpdb

check_admin_referer() checks that the referer field is from within the wp-admin folder structure. If your form is from the plugins folder, that is why it’s failing. If your form is from wp-admin, then it’s possibly just some silly syntax error.

Limiting text length is good for limiting possible code injection, but no need to be too stingy on length. 30 chars for an url might be a little tight. Most importantly for urls is to reject characters that are illegal for urls, I’m not sure what they are though. Hard to restrict characters for arbitrary names though, but you might consider restricting characters that have special meaning in mySQL.

Each field will have different requirements, you sort of have to think like a hacker to know how to sanitize input. Hard to do if you’re not a hacker. Maybe research how SQL injection attacks are done?

The learning never ends, eh?
-bc

Anytime a link requests a php file, it initiates a new process, which requires loading the WP environment. For example, examine the core files linked in the admin panel menu. Every one of them includes either wp-admin.php or wp-load.php, depending on the situation. If you do not do this, you cannot access any hooks and functions.

I can only think of two ways around this, but both end up loading the environment in the background so you don’t have to explicitly do it, but it still happens all the same. One is to link to an existing core file that accepts url parameters such as “action” which also provide hooks so you can handle custom actions. I can’t offer up an example, but they probably exist. Then the core file requires wp-admin.php instead of you. I don’t see the real difference.

The other way you don’t need to require wp-admin.php is to do an AJAX request. Again, the requiring of the wp-admin.php is done for you in the background by the AJAX post object. You simply hook the proper AJAX action. Once again, whether you load the environment or the AJAX post object does, it must happen, I don’t see the real difference.

Now if you were to simply include files unequivocally, I could see the objection. But require_once() sees to it the files are only loaded because they have not been loaded yet. If they are not loaded, there are no functions to call and no filters and actions to hook.

I hope this helps you understand this issue.
– bc

BTW, if you decide to continue requiring wp-admin.php for your plugin which would be distributed, you should get the proper path to it through some function instead of the relative ../../../ just in case someone has some funky folder structure. See the core files linked in the admin panel for some examples.

Honestly, you should politely thank your reviewers for their input but you are going to continue to use the current method of loading the WP environment. Because your data is separate from WP, but you need to use WP functions, and there are no filters or actions that meet your needs, you have no alternative but to load the environment this way.

This is incorrect. There is never a correct case where a *plugin* should be doing any form of include with a “../..” sort of thing to load WordPress files.

Specifically, WordPress supports redefining the location of the wp-content folder, so you cannot be sure that ../../../whatever refers back to the main folder of the WordPress installation. Having the wp-content folder completely outside the WordPress core install is a supported case, and plugins need to support that case properly.

We do not allow plugins that do this sort of thing in the directory any longer. Some older plugins may still be doing it wrong, but one step at a time.

If you need to make direct HTTP calls to your plugin to get data, then using the admin-ajax.php file and the various AJAX hooks (as explained in AJAX in Plugins) will give you the ability to have WordPress load, load your plugin, and then let your plugin produce output. This gives a constant and correct URL by which you can access the system and have it load your plugin to produce whatever output you like (not necessarily just javascript oriented return data).

If you’re doing some kind of admin settings screen as this thread seems to be describing, then using the Settings API or simply registering your screen to make calls back to options.php is a better case. You don’t need PHP files that you call directly to perform WordPress related actions. WordPress loads plugins, not the other way around.

The site_url() function gives you a URL. It doesn’t make any sense to include a URL.

And yes, including wp-load.php is always a bad idea, because, again, you have no valid way to retrieve the directory path (not the URL path) of the location of the wp-load.php file in order to include it.

If you need to make an HTTP request to your plugin from the browser, then you should be making an HTTP request to WordPress, and passing parameters along that your plugin can recognize, and then having the plugin take appropriate action based on that. Considering that this is precisely what the admin-ajax.php method does, that’s probably the way to go.

I have more information to share regarding the problem of accessing WordPress functions from external files. Otto sagely suggests using AJAX. Such a solution is almost always possible, though not always desirable. As it happens, there is a similar technique to the AJAX approach, except no javascript or jQuery is required, your request handler can be initiated from a simple HTML link or form action. It is suitable for any GET or POST request. The handler can include another PHP file and in the process enable access to WP functions on that file.

See Plugin_API/Action_Reference/admin_post_(action).

Better late than never 🙂