Executable PHP Code in WordPress Posts
There are situations when it is very convenient to use the full potential of the PHP programming language in the text when writing articles. For example, when you need to do something unique on a separate page directly in the post content and write PHP code directly in the editor.
For security reasons, it is not recommended to use this method. It is better:
- To use shortcodes instead.
- Or use this plugin: https://wordpress.org/plugins/insert-php-code-snippet/
Anyone who has tried to write PHP code in a post, hoping it will run, knows that WordPress treats such code as plain text. However, it is sometimes convenient to run, for example, some kind of loop output directly in the text while writing an article, because the content of such an article is then updated dynamically. Another example is calling ready-made functions from a post when needed, or including a PHP file in the post text with the PHP require statement:
require 'my_script.php';
In general, imagination is limitless here, and the truth is that being unable to use PHP in article text can in some cases become a real problem. I once ran into this problem and solved it by taking and slightly modifying the code from a certain plugin (I can't remember its name now).
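Before the eval()-based hack, here is what the shortcode alternative recommended above looks like for the two use cases just mentioned (a dynamic loop in the post body and printing the WordPress version). This is an added example, not code from the original post: the loop lives in functions.php, the post only carries [recent_titles count="5"] or [wp_version], and nothing typed into the editor is ever executed. The shortcode names, the attribute name and the CSS class are this example's own choices; all WordPress functions used are standard core API.

```php
<?php
// Added example (not the original post's code): shortcodes instead of eval().
// Register two shortcodes; names and the 'count' attribute are assumptions.
add_shortcode( 'recent_titles', 'example_recent_titles_shortcode' );
add_shortcode( 'wp_version', 'example_wp_version_shortcode' );

// [recent_titles count="5"] -> a <ul> of links to the latest published posts.
function example_recent_titles_shortcode( $atts ) {
    // shortcode_atts() drops any attribute not declared here, so the post
    // author cannot smuggle arbitrary query arguments through the shortcode.
    $atts  = shortcode_atts( array( 'count' => 5 ), $atts, 'recent_titles' );
    $count = min( 20, max( 1, (int) $atts['count'] ) ); // bound the query size

    $query = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => $count,
        'no_found_rows'  => true, // no pagination count needed
    ) );

    if ( ! $query->have_posts() ) {
        return '';
    }

    $html = '<ul class="recent-titles">';
    while ( $query->have_posts() ) {
        $query->the_post();
        // Escape on output: titles are user-supplied data.
        $html .= '<li><a href="' . esc_url( get_permalink() ) . '">'
               . esc_html( get_the_title() ) . '</a></li>';
    }
    wp_reset_postdata(); // restore the outer loop's global $post
    $html .= '</ul>';

    // Shortcodes must return their markup; echoing from inside one
    // misplaces the output relative to the surrounding content.
    return $html;
}

// [wp_version] -> the same thing the post's [exec] example echoes, without eval().
function example_wp_version_shortcode() {
    return 'Current WP version: ' . esc_html( get_bloginfo( 'version' ) );
}
```

Drop the block into functions.php (or a small plugin) and write [recent_titles count="3"] in any post. Because only attributes declared in shortcode_atts() are honoured and every value is escaped on output, a contributor who can edit post text gains no ability to run code, which is exactly the property the eval() approach below gives up.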
So, to make it possible to insert executable PHP scripts into the text of an article/post or a static page, you need to add the following code to the theme's functions.php file (already familiar from earlier posts):
## Executable PHP code in WordPress post content.
## [exec]PHP_code[/exec]
##
## @version: 1.0
if( 'Executable PHP code in post content' ){
	// Priority 0: run before wpautop() and other content filters touch the code.
	add_filter( 'the_content', 'content_exec_php', 0 );

	// Find every [exec]...[/exec] or [exec off]...[/exec] block in the post text.
	function content_exec_php( $content ){
		return preg_replace_callback( '/\[exec( off)?\](.+?)\[\/exec\]/s', '_content_exec_php', $content );
	}

	// $matches[1] is ' off' or empty, $matches[2] is the code between the tags.
	function _content_exec_php( $matches ){
		if( ' off' === $matches[1] ){
			// Show the code as escaped text instead of running it.
			return "\n\n<".'pre>'. htmlspecialchars( $matches[2] ) .'</pre'.">\n\n";
		}
		else {
			// Run the code with output buffering and return whatever it printed.
			eval( "ob_start(); {$matches[2]}; \$exec_php_out = ob_get_clean();" );
			return $exec_php_out;
		}
	}
}
After the code is added, it will be possible to use the following construction in the articles:
[exec]php code[/exec]
For example:
[exec]
// Comment
global $wp_version;
echo "Current WP version: $wp_version";
[/exec]
To disable code execution, use the following construction. It simply outputs the code as text, as if we had pasted the PHP code into the post as plain text.
[exec off]php code[/exec]
Important note about security
It is important to remember that anyone can use this feature, and this is a huge security hole: anyone with access to writing articles can easily do whatever they want with the site.
To protect yourself from the possible harmful consequences of this hack, you can implement the following simple protection (the trick that immediately came to my mind): enable execution of the [exec]php code[/exec] construct only if, for example, the post has some arbitrary custom field or, let's say, the post was written at 00 minutes. Naturally, only you will know the condition under which the code is executed, and accordingly only you will be able to insert PHP code into an article.
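One way to implement the custom-field gate just described, added here as an example and not the original post's code: the same [exec] filter, but eval() runs only when the post carries an explicit opt-in custom field and both the post's author and the user who last saved it hold the administrator-level manage_options capability. Everyone else gets the code rendered as escaped text, exactly like [exec off]. A secret condition such as "written at 00 minutes" stops working the moment someone learns it, whereas a capability check holds up even when the mechanism is public. The meta key _exec_php_allowed is this example's own choice (the leading underscore makes it a protected key that WordPress's Custom Fields box will not set); _edit_last is the meta key WordPress itself writes with the ID of the last editor on every save.

```php
<?php
// Added example (not the original post's code): [exec] gated on an opt-in
// custom field plus a capability check on the author and the last editor.
add_filter( 'the_content', 'example_gated_exec_php', 0 );

function example_gated_exec_php( $content ) {
    return preg_replace_callback(
        '/\[exec( off)?\](.+?)\[\/exec\]/s',
        function ( $matches ) {
            // Default: render the block as text, never as code.
            $as_text = "\n\n<pre>" . htmlspecialchars( $matches[2] ) . "</pre>\n\n";
            if ( ' off' === $matches[1] || ! example_exec_php_permitted( get_the_ID() ) ) {
                return $as_text;
            }
            ob_start();
            try {
                eval( $matches[2] . ';' ); // trailing ';' tolerates a missing one
            } catch ( \Throwable $e ) {
                ob_end_clean(); // discard partial output of a broken block
                return '<!-- [exec] block failed -->';
            }
            return ob_get_clean();
        },
        $content
    );
}

// True only when the post is explicitly opted in AND every user who could have
// placed text into it (author and last editor) is allowed to run code.
function example_exec_php_permitted( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return false;
    }
    // Opt-in marker; '_exec_php_allowed' is an assumed key for this example.
    if ( '1' !== get_post_meta( $post->ID, '_exec_php_allowed', true ) ) {
        return false;
    }
    // Checking the author alone is not enough: an editor can modify an
    // administrator's post, so the last editor must qualify as well.
    $user_ids    = array( (int) $post->post_author );
    $last_editor = (int) get_post_meta( $post->ID, '_edit_last', true );
    if ( $last_editor ) {
        $user_ids[] = $last_editor;
    }
    foreach ( $user_ids as $user_id ) {
        if ( ! user_can( $user_id, 'manage_options' ) ) {
            return false;
        }
    }
    return true;
}
```

An administrator opts a post in once, for example with update_post_meta( $post_id, '_exec_php_allowed', '1' ) from a small script or WP-CLI; posts without the marker, or later touched by a non-administrator, fall back to showing the code as text. The gate reduces who can reach eval(), but it does not change what eval() can do, so the shortcode route remains the safer default.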