Developing a secure front end posting form

Hopefully the code will be sufficient to describe the key points, but please do comment if you have any further questions:

<?php

class WPSE_Submit_From_Front {
    const NONCE_VALUE = 'front_end_new_post';
    const NONCE_FIELD = 'fenp_nonce';

    protected $pluginPath;
    protected $pluginUrl;
    protected $errors = array();
    protected $data = array();

    function __construct() {
        $this->pluginPath = plugin_dir_path( __file__ );
        $this->pluginUrl  = plugins_url( '', __file__ );

        add_action( 'wp_enqueue_scripts', array( $this, 'addStyles' ) );
        add_shortcode( 'post_from_front', array( $this, 'shortcode' ) );

        // Listen for the form submit & process before headers output
        add_action( 'template_redirect',  array( $this, 'handleForm' ) );
    }

    function addStyles() {
        wp_enqueue_style( 'submitform-style', "$this->pluginUrl/submitfromfront.css" );
    }

    /**
     * Shortcodes should return data, NOT echo it.
     *
     * @return string
     */
    function shortcode() {
        if ( ! current_user_can( 'publish_posts' ) )
            return sprintf( '<p>Please <a href="https://wordpress.stackexchange.com/questions/210648/%s">login</a> to post links.</p>', esc_url( wp_login_url(  get_permalink() ) ) );
        elseif ( $this->isFormSuccess() )
            return '<p class="success">Nice one, post created.</p>';
        else
            return $this->getForm();
    }

    /**
     * Process the form and redirect if sucessful.
     */
    function handleForm() {
        if ( ! $this->isFormSubmitted() )
            return false;

        // http://php.net/manual/en/function.filter-input-array.php
        $data = filter_input_array( INPUT_POST, array(
            'postTitle'   => FILTER_DEFAULT,
            'location2'   => FILTER_DEFAULT,
            'postContent' => FILTER_DEFAULT,
        ));

        $data = wp_unslash( $data );
        $data = array_map( 'trim', $data );

        // You might also want to more aggressively sanitize these fields
        // By default WordPress will handle it pretty well, based on the current user's "unfiltered_html" capability

        $data['postTitle']   = sanitize_text_field( $data['postTitle'] );
        $data['location2']   = sanitize_text_field( $data['location2'] );
        $data['postContent'] = wp_check_invalid_utf8( $data['postContent'] );

        $this->data = $data;

        if ( ! $this->isNonceValid() )
            $this->errors[] = 'Security check failed, please try again.';

        if ( ! $data['postTitle'] )
            $this->errors[] = 'Please enter a title.';

        if ( ! $data['postContent'] )
            $this->errors[] = 'Please enter the content.';

        if ( ! $this->errors ) {
            $post_id = wp_insert_post( array(
                'post_title'   => $data['postTitle'],
                'post_content' => $data['postContent'],
                'post_status'  => 'publish',
            ));

            if ( $post_id ) {
                add_post_meta( $post_id, 'location2', $data['location2'] );

                // Redirect to avoid duplicate form submissions
                wp_redirect( add_query_arg( 'success', 'true' ) );
                exit;

            } else {
                $this->errors[] = 'Whoops, please try again.';
            }
        }
    }

    /**
     * Use output buffering to *return* the form HTML, not echo it.
     *
     * @return string
     */
    function getForm() {
        ob_start();
        ?>

<div id ="frontpostform">
    <?php foreach ( $this->errors as $error ) : ?>

        <p class="error"><?php echo $error ?></p>

    <?php endforeach ?>

    <form id="formpost" method="post">
        <fieldset>
            <label for="postTitle">Post Title</label>
            <input type="text" name="postTitle" id="postTitle" value="<?php

                // "Sticky" field, will keep value from last POST if there were errors
                if ( isset( $this->data['postTitle'] ) )
                    echo esc_attr( $this->data['postTitle'] );

            ?>" />
        </fieldset>

        <fieldset>
            <label for="postContent">Content</label>
            <textarea name="postContent" id="postContent" rows="10" cols="35" ><?php

                if ( isset( $this->data['postContent'] ) )
                    echo esc_textarea( $this->data['postContent'] );

            ?></textarea>
        </fieldset>

        <fieldset>
            <button type="submit" name="submitForm" >Create Post</button>
        </fieldset>

        <?php wp_nonce_field( self::NONCE_VALUE , self::NONCE_FIELD ) ?>
    </form>
</div>

        <?php
        return ob_get_clean();
    }

    /**
     * Has the form been submitted?
     *
     * @return bool
     */
    function isFormSubmitted() {
        return isset( $_POST['submitForm'] );
    }

    /**
     * Has the form been successfully processed?
     *
     * @return bool
     */
    function isFormSuccess() {
        return filter_input( INPUT_GET, 'success' ) === 'true';
    }

    /**
     * Is the nonce field valid?
     *
     * @return bool
     */
    function isNonceValid() {
        return isset( $_POST[ self::NONCE_FIELD ] ) && wp_verify_nonce( $_POST[ self::NONCE_FIELD ], self::NONCE_VALUE );
    }
}

new WPSE_Submit_From_Front;

Related Posts:

  1. Developing a secure front end post editing form
  2. Front-End Post Submission
  3. How to upload post thumbnail while wp_insert_post?
  4. Publish pending article from front end with a button?
  5. Get names of authors who have edited a post
  6. Edit a post from frontend. post_tags get saved, but not separated
  7. How can I edit a post from the frontend?
  8. Post from front-end only by logged in users, form posts as “posted by:
  9. upload featured image from front end using wordpress add media button
  10. Post & edit a post from front end along with upload, dropdown, and other inputs
  11. Disable REST API for a user ROLE
  12. Embed WordPress Admin in an iframe
  13. Frontend Post Excerpt field mapping
  14. Frontend Post Form Validation
  15. The ‘https_local_ssl_verify’ filter
  16. Redirection not working in this front end post submission form?
  17. How to change the color theme per post?
  18. Adding an image to a non existing post
  19. How to make a bilingual front-end post using the plugin WP User Frontend and Polylang or qTranslate?
  20. Change Post Status From Front End
  21. 404 error on default post type and default taxonomy fronted page
  22. Security to delete post by Admin
  23. Lock post editing to one user at a time – wp_check_post_lock
  24. Front end post submission form with duplicate type fields
  25. Replace image name on upload to the new post name on front-end form
  26. Edit the post title from the frontend
  27. Can i have more than one form for front end posting in one template [closed]
  28. Get Users Post ID
  29. How do I allow certain users to make a certain type of post?
  30. WordPress wp_editor to post and edit
  31. Allowing Users to Register Themselves and Post : Does WordPerss Handle these Problems?
  32. How to limit post (Exception pages) for current user in each role in front end?
  33. Create posts by any logged in users
  34. How to generate an HTML link automatically from URL in a users’ post
  35. how let users select categories for posts in frontend?
  36. Allow reader to reorder posts for themselves (oldest first)
  37. Send the post id to a front end edit post form
  38. Post/Edit/Delete Post From Frontend… How?
  39. Send/Publish a Post front end
  40. How Can I Limit Users to Post Creation For My Frontend Theme?
  41. User driven content problems
  42. Create post from form with image
  43. Stop Authors from submitting spam post
  44. Change Posts per page count
  45. Can I force a metabox to be in one column?
  46. Search by Hyphen
  47. Post publish only hook?
  48. Restrict access to post if it is currently being edited
  49. Trying to put an array into ‘post__in’ => array() query not working
  50. Display custom post types by date field
  51. Does WordPress remove draft status automatically?
  52. Future_to_publish into postmeta
  53. How do I allow users to follow a post and then allow admins to email all users who have followed that post?
  54. Is there any WordPress alternative to Book module of Drupal?
  55. Post Navigation
  56. How to start with post number x?
  57. Posts page only shows one post
  58. How do I detect which page I’m on within a paginated post?
  59. how can I add data to posts that can be retrieved by WP Rest API
  60. wp_get_object_terms returns only Uncategorized on first publish
  61. Pausing and Resuming WP_Query results
  62. Can’t get buddypress notifications in front-end; why do I get this error?
  63. Getting Custom Post Loop to display in Bootstrap 3 column grid
  64. Sharing post from archive page (loop) doesn’t work
  65. Show only posts with images and a fixed amount of posts
  66. date issue with category post retrival
  67. How to get date of post when using wp_get_recent_posts()?
  68. how can i change WP main archives loop to sort by name or title
  69. Conditionals if tags exist?
  70. Showing categories and subcategories with posts
  71. Change default category when I publish a post
  72. Append ‘Continue Reading’ link if post length is more than 3 lines of text?
  73. Can’t get full post title if there a spaces in title
  74. Site URL is not redirecting correctly
  75. How to display multiple images from the post on the homepage
  76. Unable to differentiate between two categories under custom post type on single.php
  77. WP_Query of Category Not Showing First Post
  78. content summary of a post disappears If an images added at the beginning of the post. how to solve it?
  79. How To Use Custom Fields With .mp3 Links
  80. Select another post in a post meta like a parent page is selected while editing a page
  81. How to view a post from the wordpress admin screen
  82. Update all posts – 25 000 posts in total
  83. a WordPress connected to 2 database
  84. Blog images not showing on homepage
  85. REST API Working for GET but not for POST?
  86. Manual Scheduler For Custom Post Type
  87. Embed button for post screen
  88. Alternating Post Styles on Homepage
  89. Show a Category Specific Info Box
  90. Inserting image into post content – Front End
  91. Display the first post’s comments of category in comments.php template
  92. Insert link to my thumbnail images
  93. Commenting on a post from the admin panel?
  94. Showing Unpublished Posts to Logged-out Users?
  95. How do I add /blog/ on my permalink without affecting the portfolio project types permalink?
  96. Need All the posts with id, title and date [closed]
  97. List posts related to category on a div [closed]
  98. Ajax calls in wordpress
  99. How to get only post=’product’
  100. unable to select “fullwidth” on the POST (not page)

Leave a Comment

techhipbettruvabetnorabahisbahis forumuedusedusedueduseduseduedueduseduedu