friendly urls, no .php ending

[szepe.viktor]

Dear Stefano!

Please consider the WP-way add_rewrite_rule() etc. instead of
/wp-content/plugins/newsletter/do/subscribe.php
calling direct php files.

It could be e.g. /newsletter/subcribe/ given /newsletter/ is not a pre-existing page.

Thank you!

[Stefano]

Uhm, but that rule with the add_tag are not to customize the wp_query object? I don’t know if wordpress has a something to register an address that fire an hook… I already checked that in the past without success…

[szepe.viktor]

The rewritten URLs would be only for the user. These URLs won’t trigger anything.
This short Codex page is about handling POST requests:
http://codex.wordpress.org/Plugin_API/Action_Reference/admin_post_%28action%29
So the forms’ action are always wp-admin/admin-post.php

As far as I am concerned in PHP security, it is pretty dangerous “to open up” own php files for user interaction.
All plugin files should begin with

if (false === defined('ABSPATH')) {
    die();
}

or similar.
I hope that helps making your plugin(s) better.
Do you need a demo plugin that does POST-ing from a nice URL?

[Stefano]

Hi, any example would be useful, but I must deal with get as well. The activation from an email cannot be a post.

I’ve taken a look right now to admin post, seeing the “nopriv” is managed for call without a logged in user. It’s a good thing and it seems to manage the GET as well (or better there is no filters).

So yes, that page should be used instead of a custom one (even if the custom one is lighter because it does not load all administrative API which is not useful in my case).

The real important advantage is that I can solve the problems with users with file permission problems.

Thank you!

[szepe.viktor]

As for the GETs:

http://www.website.net/newsletter/unsubscribe?n=TOKENBASE64
http://www.website.net/newsletter/clicktrack?n=TOKENSTRING
The URL path has the static part: the action,
the GET contains the dynamic part: the user’s token.

Please consider using a real (secret) token instead of base64 encoded actual data.

Let’s see: http://wordpress.stackexchange.com/questions/138610/how-to-handle-post-reqests-the-wordpress-way-without-including-admin-api

[Stefano]

Hi, maybe I’m missing something: how can I merge the custom url with the admin-post.php call?

They seems two distinct approaches. I’ve already asked on forums if WordPress has a way to register “service URLs”, but I haven’t got answers.

[szepe.viktor]

Sorry! Those (the nice URL approach and the admin-post.php call) were mixed in my head.

[Stefano]

Don’t worry. The admin-post.php seems the better solution:
– it’s a standard
– the page is always there
– it is almost surely executable (no permission problem like in plugins folder)
– it activates WordPress in the right way

The only problem… it loads the server more than need for the subscription… and using it for link tracking could be a problem, actually.

[szepe.viktor]

You can see here all WP files that reference wp-load:

[szepe.viktor]

http://wordpress.online1.hu/wp-load.php.xref.html

[szepe.viktor]

(click on the link 3 times )

[Stefano]

Three times?

[szepe.viktor]

Click on the link above then on the anchor text “3 times”

[Stefano]

Ok, sorry, I already know about those files, but no one seems actually made to create services. So on my plugin I use the include wp-load.php, even if they all say it’s not good. I wonder why it’s not good while WordPress does it exactly in wp-comments-post.php to manage the post of a comment from the frontend.

🙂

[Author]

Posts