Archive for the ‘Web Apps’ Category

WordPress Email Exposure

Tuesday, November 3rd, 2009
Posted in Web Apps

I’ve noticed that WordPress’s blog-by-email feature can let anyone see other people’s email addresses. The feature is turned on in the admin under Settings->Writing, in the Post via e-mail section. Let’s say you set that email address to wordpressposts@example.com; the address itself stays hidden. However, anyone who emails that address can have their own address exposed on your blog when someone visits http://example.com/wp-mail.php (assuming WordPress is installed at http://example.com). Chances are most people have a cron job request that page every so often, but it is possible for others to request the page beforehand. When you do go to that page, it shows something like this:

Author is myworkaddress@example.net

Author: 1

Posted title: Some Blog Post Title

Mission complete. Message 1 deleted.

Thus, if you are emailing wordpressposts@example.com from an email address you’d like to keep private, that address can end up being shown to other people. That is not good if you email from the same address that checks the posts. It is even worse if you email from the address of a WordPress user who has the rights to post content, because the email will get “publish” status rather than “pending” and will go live on the site. And once someone knows the email address of a user with posting rights, they can easily send fake emails from that address, because all WordPress checks is the From or Reply-To line (whichever it finds first).

It’s easy to stop it from showing email addresses: open up wp-mail.php and look for this line of code

echo '<p>' . sprintf(__('Author is %s'), $author) . '</p>';

And this line of code

echo "\n<p>" . sprintf(__('<strong>Author:</strong> %s'), esc_html($post_author)) . '</p>';

And then you could comment those lines out by putting // in front of both of them.

I understand that WordPress outputs this information so you can see it logged from any cron jobs you have set up, or see what’s going on if you visit the page manually. However, it could be done better, so that the addresses are not shown to everyone. A simple solution is to require a query string with a secret key (don’t make this your blog’s password, however). For example, let’s say your blog is installed at http://example.com/; we are now going to require the following URL to check posts via e-mail: http://example.com/wp-mail.php?secretkey=abc123. If someone doesn’t send the right secret key, the script won’t check the mailbox or echo anything out.

So before this line of code

/** Make sure that the WordPress bootstrap has run before continuing. */

Let’s add

//refuse the request unless the key is present and matches exactly (isset avoids a notice when it is missing)
if (!isset($_GET['secretkey']) || $_GET['secretkey'] !== 'abc123')
exit();

Feel free to change the secret key to whatever you wish, and you can also name the parameter something other than secretkey. If you have a cron job, point it at the new URL as well: http://example.com/wp-mail.php?secretkey=abc123. If you use the secretkey method you can leave in the lines that echo out the email address if you like (the two lines I showed you could comment out).
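As an added example that is not part of the original post, here is a stricter form of the same gate for the top of wp-mail.php. It assumes a constant named WPMAIL_SECRET (a name chosen here) and that a cron job runs the script from the command line; everything else is plain PHP.

```php
<?php
// Added example, not code from the original post or from WordPress itself.
// Place it at the top of wp-mail.php, before the bootstrap comment quoted above.
// WPMAIL_SECRET is a placeholder name; give it a long random value of your own.
define('WPMAIL_SECRET', 'replace-with-a-long-random-value');

// Compare every byte regardless of where the first mismatch is, so response timing
// does not reveal how much of the key was right.
function wpmail_key_matches($expected, $given)
{
    if (!is_string($given) || strlen($given) !== strlen($expected)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($expected); $i++) {
        $diff |= ord($expected[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// A cron job that runs `php wp-mail.php` arrives over the CLI SAPI and needs no key;
// every web request must carry ?secretkey=... or is refused before any mail is read.
if (PHP_SAPI !== 'cli') {
    $given = isset($_GET['secretkey']) ? $_GET['secretkey'] : '';
    if (!wpmail_key_matches(WPMAIL_SECRET, $given)) {
        header('HTTP/1.1 403 Forbidden');
        exit('Forbidden');
    }
}

// Optional: send the "Author is ..." diagnostics to the server error log instead of the
// browser, so the address never appears in an HTTP response even with a valid key.
function wpmail_log($message)
{
    if (PHP_SAPI === 'cli') {
        echo $message . "\n";            // cron output, seen only by the job's owner
    } else {
        error_log('wp-mail: ' . $message);
    }
}
// Then replace the two echo lines quoted above with calls such as:
// wpmail_log(sprintf(__('Author is %s'), $author));
```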

phpBB 3.x RSS Hack

Monday, February 2nd, 2009
Posted in Web Apps

Where I work we use phpBB, and I was surprised to see that version 3 didn’t have built-in RSS support. I found a mod, but it contained several files and required modifying several more. I put together a hack that pulls the latest posts that are approved and not reported, but keeps them unique to a topic. So if the last 5 posts are all in a topic called “That is awesome”, it will only show a link to the last post in that topic and will look for the other latest posts in other topics.

It’s configurable with an item_limit (number of posts to pull) and a word_limit (how long the description is). However, the description is just the title of the last post, so it will most often be “RE: original post title” unless the user changed it when posting. I could have done another query in a loop against the phpbb_posts table to pull out the corresponding post_text, but didn’t want the overhead. You could easily add that in and cache the file for, say, 5 or 15 minutes. Think of this as a head start on getting feeds from your forum for whatever you plan to do with them. ;)

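As an added example that is not the post’s own hack, here is the per-topic de-duplication and word_limit truncation described above as stand-alone functions. The column names are assumed from the phpBB 3.0 posts table, and the rows are constructed sample data standing in for the query result.

```php
<?php
// Added example, not the original post's code. Column names (post_id, topic_id,
// post_subject, post_approved, post_reported, post_time) are assumed from phpBB 3.0.
$item_limit = 3;   // number of feed items to emit
$word_limit = 4;   // maximum words in each description
// Newest first, approved and not reported. Over-fetch (e.g. item_limit * 10 rows with
// sql_query_limit) so a busy topic still leaves enough rows from other topics.
$sql = 'SELECT post_id, topic_id, post_subject, post_time FROM phpbb_posts'
     . ' WHERE post_approved = 1 AND post_reported = 0 ORDER BY post_time DESC';
// Constructed sample rows standing in for the query result so the code runs offline.
$rows = array(
    array('post_id' => 105, 'topic_id' => 7, 'post_subject' => 'Re: That is awesome, still true today'),
    array('post_id' => 104, 'topic_id' => 7, 'post_subject' => 'Re: That is awesome'),
    array('post_id' => 103, 'topic_id' => 3, 'post_subject' => 'Re: Maintenance window this weekend'),
    array('post_id' => 102, 'topic_id' => 7, 'post_subject' => 'That is awesome'),
    array('post_id' => 101, 'topic_id' => 9, 'post_subject' => 'Welcome new members'),
);

// Keep only the first (newest) post seen for each topic, stopping at $item_limit items.
function latest_per_topic(array $rows, $item_limit)
{
    $seen = array();
    $items = array();
    foreach ($rows as $row) {
        if (isset($seen[$row['topic_id']]) || count($items) >= $item_limit) {
            continue;
        }
        $seen[$row['topic_id']] = true;
        $items[] = $row;
    }
    return $items;
}

// Cut the subject to $word_limit words. Subjects are user-controlled, so escape them
// before they go into the feed; a '<' typed into a subject must not become XML markup.
function feed_description($subject, $word_limit)
{
    $words = preg_split('/\s+/', trim($subject));
    $text = implode(' ', array_slice($words, 0, $word_limit));
    if (count($words) > $word_limit) {
        $text .= '...';
    }
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Emits posts 105 (topic 7), 103 (topic 3) and 101 (topic 9); 104 and 102 are skipped.
foreach (latest_per_topic($rows, $item_limit) as $item) {
    echo '<item><title>' . htmlspecialchars($item['post_subject'], ENT_QUOTES, 'UTF-8') . '</title>';
    echo '<description>' . feed_description($item['post_subject'], $word_limit) . '</description></item>' . "\n";
}
```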

A More Useful WordPress 404

Sunday, November 23rd, 2008
Posted in Web Apps

Recently A List Apart ran an article by Dean Frickey titled A More Useful 404. It was a good article about making a more useful 404 page that attempts to figure out what went wrong and emails you some information. I ported the code from Perl to PHP for WordPress and figured I’d save people the time of building it themselves by posting it here. Feel free to edit whatever you need to. The code goes inside your 404.php template.


<?php
//based on http://www.alistapart.com/articles/amoreuseful404
//strip characters that could be used to forge addresses or inject extra mail headers into the values we put in the e-mail; might just use a regex later
//double quotes are required here: in single quotes '\r' and '\n' are two literal characters rather than CR and LF, and nothing would be stripped
$disallowed_strings = array('@', "\t", "\r", "\n", "\v", "\f", '<', '>');
//these server variables can be absent (no referer sent), so default them to empty strings
$http_referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
$clean_server_name = preg_replace('/[^a-zA-Z0-9\-\.]/', '', $_SERVER['SERVER_NAME']);
$clean_http_referer = str_ireplace($disallowed_strings, '', $http_referer);
$clean_request_uri = str_ireplace($disallowed_strings, '', $request_uri);
$search_engine_domains = array('google.com', 'images.google.com', 'translate.google.com', 'yahoo.com', 'ask.com', 'live.com', 'aol.com', 'search.msn.com');//add more if you want
$search_message = '<p>You may want to try searching this site or using our <a href="' . get_bloginfo('url') . '/sitemap/">sitemap</a> to find what you were looking for.</p>';//if you have a sitemap
?>
<p>Sorry, but the page you were trying to get to <!--http:// ,--> does not exist.</p>
<?php
if ($http_referer == '')
{
?>
<p>It looks like this was the result of either</p>
<ul>
<li>a mistyped address</li>
<li>or an out-of-date bookmark in your web browser.</li>
</ul>
<?php
echo $search_message;
}
else
{
//reduce the referer to its bare host name so it can be compared with our own host and the search engine list
$disallowed_url_strings = array('http://', 'https://', 'www.');//filter out https:// anyway
$referer = str_ireplace($disallowed_url_strings, '', $http_referer);
$referer_array = explode('/', $referer);
$referer = $referer_array[0];
$myblog_url = get_bloginfo('url');
$myblog_url = str_ireplace($disallowed_url_strings, '', $myblog_url);
$myblog_url_array = explode('/', $myblog_url);
$myblog_url = $myblog_url_array[0];
if ($referer == $myblog_url)
{
?>
<p>Apparently, we have a broken link on our page. An e-mail has just been sent to the person who can fix this and it should be corrected shortly. No further action is required on your part.</p>
<?php
$email_subject = 'Broken link on my site, ' . $clean_server_name;
$email_message = 'BROKEN LINK ON MY SITE' . "\r\n\r\n" . 'There appears to be a broken link on my page, ' . $clean_http_referer . " \r\n\r\n" . ' Someone was trying to get to ' . $clean_request_uri . ' from that page.';
$email_message .= "\r\n\r\n" . 'Why don\'t you take a look at it and see what\'s wrong?';
mail(get_bloginfo('admin_email'), $email_subject, $email_message, 'From: 404@example.com');
}
else
{
//see if it was a search engine
if (in_array($referer, $search_engine_domains))
{
?>
<p>It looks like the search engine has returned a link to an old page. These old links should eventually be removed from their indexes but since these are automatically generated there is no one to contact to try to correct the problem.</p>
<?php
echo $search_message;
}
else
{
?>
<p>Apparently, there is a broken link on the page you just came from. We have been notified and will attempt to contact the owner of that page and let them know about it.</p>
<?php
echo $search_message;
$email_subject = 'Broken link on somebody else\'s site.';
$email_message = 'BROKEN LINK ON SOMEBODY ELSE\'S SITE' . "\r\n\r\n" . 'There appears to be a broken link on the page, ' . $clean_http_referer . " \r\n\r\n" . ' Someone was trying to get to ' . $clean_request_uri . ' from that page.';
$email_message .= "\r\n\r\n" . 'Why don\'t you take a look at it and see if you can contact the page owner and let them know about it?';
mail(get_bloginfo('admin_email'), $email_subject, $email_message, 'From: 404@example.com');
}
}
}
?>

WordPress Recent Comments Hack

Wednesday, August 27th, 2008
Posted in Web Apps

I wanted to get the most recent comments in WordPress without having to use the widgets or any plugins. When you use any of the widgets it overrides sidebar.php (although you could put what you need in an else branch inside sidebar.php, but I figured I’d put this hack together anyway).

This hack goes in your sidebar.php:

$comment_array = $wpdb->get_results("SELECT comment_date_gmt, comment_author, comment_ID, comment_post_ID FROM $wpdb->comments WHERE comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 10");
echo '<ul>';
foreach ((array) $comment_array as $comment)
{
echo '<li>';
//comment_author is supplied by the visitor, so escape it before printing it into the page
echo htmlspecialchars($comment->comment_author, ENT_QUOTES) . ' on ';
echo '<a href="' . get_permalink($comment->comment_post_ID) . '#comment-' . (int) $comment->comment_ID . '">';
echo get_the_title($comment->comment_post_ID);
echo '</a>';
echo '</li>';
}
echo '</ul>';

A Customizable Tag Cloud For WordPress

Tuesday, August 26th, 2008
Posted in Web Apps

If you’ve tried using wp_tag_cloud() as an array, you’ve noticed that all it really does is give you a string, which isn’t useful. The only way I could figure out to get the tags into a form I can format how I want was to call get_tags() from wp-includes/category.php. You can also pass arguments to it to sort the tags differently. Take a look at get_terms() in wp-includes/taxonomy.php to get an idea of what you can do.

Here is a hack I put together that outputs your tags as an unordered list (UL) with the total number of times each tag is used in parentheses. You can place this code in sidebar.php:

$tag_array = get_tags('orderby=count&order=DESC&number=15');
echo '<ul>';
foreach ((array) $tag_array as $tag)
{
echo '<li>';
//get_tag_link() builds the URL from your permalink settings instead of hard-coding /tag/
echo '<a href="' . get_tag_link($tag->term_id) . '" rel="tag">';
echo htmlspecialchars($tag->name, ENT_QUOTES);
echo '</a>';
echo ' (' . (int) $tag->count . ') ';
echo '</li>';
}
echo '</ul>';