[wp-hackers] Couple of quick questions: restrict access to plugin file and loading of l10n

Andrew Ozz admin at laptoptips.ca
Fri Oct 19 17:40:42 GMT 2007

Hi, I need a bit of advice about a plugin I'm working on.

1. I've read the discussion about restricting access to a plugin's php 
file from about a month ago and agree that there's no substitute for 
properly escaping and sanitizing user input, POST and GET requests, 
using wp_nonce, etc. But good security is build in layers, so I'm 
thinking to restrict the loading of the plugin's main php file like that:

if( strpos($_SERVER['REQUEST_URI'], 'my-plugin.php') !== false &&
     strpos($_SERVER['REQUEST_URI'], 'wp-admin') === false )
     exit('some error message');

(load my-plugin.php only if it's requested by a script from wp-admin 

Or even the more restrictive:

if ( strpos($_SERVER['REQUEST_URI'], 'my-plugin.php') !== false &&
     ! ('options-general.php' == basename($_SERVER['SCRIPT_FILENAME']) ||
     'plugins.php' == basename($_SERVER['SCRIPT_FILENAME']) ||
     'wp-login.php' == basename($_SERVER['SCRIPT_FILENAME'])) )
     exit('some error message');

(load my-plugin.php only if it's requested by options-general, wp-login 
or plugins.php).

Does anyone see any problems with using these? I've tested both on my 
LAMP server and all seems to work fine in WordPress 2.2 and 2.3.

2. I'm providing .pot file for easy translation and (of course) using 
load_plugin_textdomain to load the translations.

How "late" can I call it? I see some plugins use the "init" or 
"plugins_loaded" hooks but that would load the translation on every run 
- another 25-30KB - whether it's needed or not.

I've tried loading it at the beginning of the plugin's options page and 
it works well on the test server, but was wondering if that's not "too 
late". Does anyone have experience with this?

Thanks a lot,

More information about the wp-hackers mailing list