[wp-hackers] Admin notices

Ryan McCue lists at rotorised.com
Mon Apr 11 12:51:58 UTC 2011

Andrew Nacin wrote:
> I would strongly recommend you avoid create_function() at all costs. It
> poses a pretty serious security risk when used improperly.

Indeed, ditto for anything using exec()  (though, that doesn't stop
people using exec plugins. :) )

> I would also recommend (in general) you avoid closures. I use them in
> testing all the time -- add_action( 'init', function() { ... } ); -- but in
> a public plugin, it's not playing very nice with others, as the callback
> can't easily be removed.

I disagree. Assign it to a (public) variable, and then anyone can remove it:

    class MyAwesomePlugin {
        public static $callbacks = array();
        public function add_message($msg) {
            $func = function () use ($msg) { echo $msg; }
            self::$callbacks[] = $func;
            add_action('admin_notices', $func);

Then another plugin can simply do:

    if (class_exists('MyAwesomePlugin')) {
        foreach (MyAwesomePlugin::$callbacks as $callback) {
            remove_action('admin_notices', $callback);

Note: It's important that the callbacks property be static, unless you
want people checking global variables, and then it gets messy.

Ryan McCue

More information about the wp-hackers mailing list