[wp-hackers] AJAX in plugins and public pages

Heiko Rabe heiko.rabe at code-styling.de
Sun Feb 22 14:32:48 GMT 2009


I don't agree with this easy-going solution.
First of all, this is an HTTP GET call, but in most cases you will need 
HTTP POST calls to transfer a lot more data than is possible with the 
params of a GET URL.
Second, there may be a need to remove the hook of another plugin to 
pre-filter the ajax call. So I would remove the other plugin's hook, 
replace it with my own,
and during my pre-processing call the original plugin hook to allow 
this plugin to go forward as intended.
Your solution doesn't allow pre-processing other hooks.
The next point is that it would be possible to limit public ajax calls 
to logged-in users if this is handled in a standard way.
The backend could be extended with a new option to configure how public 
ajax calls are permitted.

It's much easier to implement it in this way, if core would support it:

add_action('wp_public_post_ajax-myfunction', 'my_public_post_ajax_function');
add_action('wp_public_get_ajax-myfunction', 'my_public_post_ajax_function');

This would increase readability and can ensure that core files can empty 
unneeded GET or POST values prior to calling the hook.
It would also allow bypassing several unneeded file loads at core file 
level, and indicates that this is a real ajax call instead of a spam-bot 
initiated index.php flood.
As can be detected while processing admin ajax by testing the DOING_AJAX 
constant, this would also allow other plugins to skip loading a lot of 
files, because things
like backend pages are not required if ajax calls are being processed.

This will increase the speed of processing public ajax calls a lot, if 
it is handled in a standard, specified way.

regards

Heiko Rabe
(www.code-styling.de)

>
> Why not just hook into the init action? The following will give you a 
> simple ajax response
>
> function my_function(){
>     @header('Content-Type: text/html; charset=' . get_option('blog_charset'));
>
>     $s = sanitize_title( $_GET['my_variable'] );
>     echo $s;
>
>     die; // be sure to die when done
> }
>
> if ( isset( $_GET['my_variable'] ) )
>     add_action( 'init', 'my_function' );
>
>
> --Casey
>
> http://maisonbisson.com/
> http://about.scriblio.net/
>
> On Feb 21, 2009, at 9:35 PM, Dan Coulter wrote:
>
>> Am I right in thinking that there's no equivalent of admin-ajax.php for use
>> in public pages?  I know some people don't like to make the plugins folder
>> world viewable, but I can't protect against that on public pages like on
>> admin pages.  If there's a reason for this, that's fine, but if no one knows a
>> particular reason it's missing, I could put together a quick patch based on
>> the existing file.
>>
>> -- 
>> Dan Coulter
>> http://dancoulter.com/
>> http://phpflickr.com/
>> http://blogsforbands.com/
>>
>> Hey, I got nothing to do today but smile
>> -Simon and Garfunkel
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
>
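A sketch of the dispatcher the message above asks core to provide, written here as a plugin hooked on init; it is an added example, not code from the thread or from WordPress core. The `public_ajax` request parameter, the `public_ajax_requires_login` option and the function name are assumptions; the two hook-name patterns are the ones proposed in the message.

```php
<?php
// Hypothetical names: the `public_ajax` parameter, the `public_ajax_requires_login`
// option and example_public_ajax_dispatch(). Hook names follow the message's proposal.
function example_public_ajax_dispatch() {
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '';
    if ( 'POST' === $method ) {
        $source = $_POST;
    } elseif ( 'GET' === $method ) {
        $source = $_GET;
    } else {
        return;
    }
    if ( ! isset( $source['public_ajax'] ) || ! is_string( $source['public_ajax'] ) ) {
        return; // ordinary page request, not a public ajax call
    }

    // Restrict the action name to a safe character set before building a hook name.
    $action = sanitize_key( $source['public_ajax'] );
    $hook   = 'wp_public_' . strtolower( $method ) . '_ajax-' . $action;

    // Only handlers registered for this method are reachable; anything else gets a 400.
    if ( '' === $action || ! has_action( $hook ) ) {
        status_header( 400 );
        exit;
    }

    // Site-wide policy: optionally limit public calls to logged-in users.
    if ( get_option( 'public_ajax_requires_login' ) && ! is_user_logged_in() ) {
        status_header( 403 );
        exit;
    }

    // Empty the superglobal the handler should not read, so a POST handler
    // cannot be fed its parameters through the query string (and vice versa).
    if ( 'POST' === $method ) {
        $_GET = array();
    } else {
        $_POST = array();
    }
    $_REQUEST = $source;

    if ( ! defined( 'DOING_AJAX' ) ) {
        define( 'DOING_AJAX', true ); // same constant admin-ajax.php defines
    }
    do_action( $hook );
    exit;
}
add_action( 'init', 'example_public_ajax_dispatch' );
```

Because this runs on init, all plugins are already loaded by the time DOING_AJAX is defined; skipping file loads earlier than that is the part that needs core support.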


