Embedding PHP in Content

Posted on May 27, 2016 by

Would you like to embed and run some PHP code in a blog post? Need to include a PHP file in a sidebar widget? Recently discovered this curious plugin? Don’t, you’re about to make an awful mistake. Lets walk through why it’s bad, and what you should be doing instead.

Why Might Somebody Embed PHP?

Perhaps you have a pricing page, and would like to insert a flashy table with custom styling? Or perhaps you want to put a carousel on a homepage? To those new to WordPress development, a PHP shortcode would let them do this, by copy pasting the carousel PHP code into their editor. But this is dangerous.

Sometimes, people do this to try and modify the page in the browser after it’s been sent, but that doesn’t work, which is why we have javascript and AJAX to ask the server for more information at a later date, triggering more PHP.

So What Could Happen?

Lots of things. Code that evaluates or runs PHP from content is wildly dangerous, and the single worst thing you can do for security. It can also have performance and maintenance problems, e.g. a content editor copy pasting PHP code with fatal errors can bring down your entire site.

With these kinds of widgets and short codes, anybody who can create content can run any code they want directly on your server. That includes post authors, anybody able to use short codes or widgets. If your theme displays short codes in comments, that could include anybody on the internet.

What can they do? Hackers usually install a PHP shell file to receive commands, but in this case they can copy paste it into a new blog post. Even a preview of a draft post will do. Or if they’re malicious, they can erase your website.

Imagine this shortcode on your homepage:

[php]exec( "rm -rf /*");[/php]

Congratulations, you’ve just erased your entire server. Allowing PHP to be written inside content is incredibly dangerous, and a massive security hole. Most hosts will demand you remove it, and it makes your site much easier to hack.

Then How Do I Do Things?

With Shortcodes! Developers realised a long time ago that they might want to embed a video, a poll, interactive content, or just show a fancy box. You’re not meant to put code inside content, so they invented placeholders. Sometimes they’re called macros, sometimes they’re called tags, WordPress calls them shortcodes, and they work like this:

Step 1: Tell WordPress your short codes name, and a function with your PHP code:

add_shortcode( 'bigredbox', 'bigredbox_function' );

Step 2: Tell WordPress what to do when it sees the short code:

function bigredbox_function() {
    return '<div class="bigredbox">This is a red box</div>';
}

Step 3: Use the short code in your content:

Below is a big red box:

[bigredbox]

WordPress will see “[bigredbox]” and ask bigredbox_function what to replace it with.

If you’re trying to embed a 3rd party service, copy paste the URL of what you’re trying to embed on a new line by itself, and OEmbed will take care of the rest.

What about Widgets?

Imagine widgets as short codes that can be dragged and dropped, and appear in multiple places. Perhaps one of those places is inside a short code! Widget areas are named sidebars in WordPress, and they can also power home pages and footers.

One particularly useful widget is the text area widget, which lets you place some limited HTML markup inside. Text area widgets don’t normally support short codes, but they can with a small piece of code:

add_filter( 'widget_text', 'shortcode_unautop');
add_filter( 'widget_text', 'do_shortcode');

Now you can use short codes inside text areas. If you want to use short codes somewhere else, you can use the do_shortcode function. Pass any content into it to enable short codes like this:

echo do_shortcodes( $my_custom_field );

There are many ways to use short codes, and many alternatives, such as post formats or page templates.

Final Notes

Remember:

  • Code and content should never mix
  • When they do, your sites security is worthless
  • It can be easy to break your site or cause damage
  • Hosts can get angry if they find you doing this
  • Short codes can be used to put things inside content
  • With 2 lines of code, you can use short codes inside text area widgets
  • Use the do_shortcode function for everywhere else
  • PHP runs on the webhost/server, not the users browser, once its sent, it’s sent. To do more PHP after that, we use javascript + AJAX

1 thought on “Embedding PHP in Content

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.