1: Overuse of the options table:
get_option() and set_option() are wonderfully useful features, if used in moderation. If not used in moderation, they result in a hellish jumble of entries in the wp-options table. Instead of using many discreet entries, an “options” object or array should be serialized into a set_option() call. While this may be overkill for a very simple plugin, once you get to any number of options it is a necessity.

2: No NONCEs
This is such an offensive mistake it makes me cry a little. As I(and Mark Jaquith and Vladimir Prelovac and many others) have written, using nonces is a must for any plugin which takes options from a user. Strangely enough, the nonce field is included, but then never checked (WTF?). Without the use of nonces, a nefarious user can arbitrarily change your plugin settings, and possibly even take over your database. Particularly if there are

3: No SQL Injection Security
Not having nonces is one thing. It’s bad, but I’ve forgotten from time to time myself. But not even escaping input before putting it in the database is, to quote “Yahtzee”, pants on head retarded!. Escaping user input is probably the single simplest and most basic security. It’s the last line of defense against people replacing your header image with horrific porn. Don’t write code without it.

4: Unnecessary use of global variables
This exists on two levels:
A) In purpose.php, both $wp_query and $post are called into the function via global. While this probably won’t do any harm, globally including everything everywhere is what made earlier version of php such a nightmare and it looks messy. If you don’t need a variable, don’t include it.
B) $var1-$var4 are declared to static values at the top of the file where they will clutter up the global namespace. They are never accessed from their global context, they are always get_option()ed. In fact, the only reason they are declared here is so that they can be add_optioned into options. EVERY TIME THE CODE RUNS. That’s four superfluous function calls every single time the file loads. This should be done once, on plugin install. Not every single time WordPress loads a page.

5: Include vs. Require
I realize that this is pretty nit-picky, but, when including files that are required for the program to function, the appropriate function is require() (or better yet, require_once(). If the file is missing, the code to break while trying to include the file, instead of mysteriously throwing messages about redeclaration of functions.

In conclusion, while the concept of a plugin framework is laudable, Fire Studio’s implementation falls far short of any reasonable mark of best practices, and only serves to encourage worst practices.

1) Static JavaScript. Instead of using the *.js.php which I have been using, javascript templates are being parsed by a small JS templating engine and stored as static files. This should significantly cut down on the amount of time spent processing php. Each file is stored as filename-hashcode.js.

2) Bootstrapper. People have told me a) They don’t think it’s fair to count the size without jQuery (it probably isn’t) and b) They don’t want to load jQuery on every pageload. To that end, the default install will now include a tiny bootstrapper (hopefully under 200 Bytes) that doesn’t load the player until and unless someone actually wants to use them.

3) Single audio player. For legacy browsers, there will only be one player, the awesome Sound Manager 2 player. User interface will be provided via jQuery based controls. Using a single “invisible” player allows a consistent JavaScript interface for all the players, and, should help to

4) <audio> tag based player. This will probably be beta only in 0.7, but I want to move towards using the native browser implementation instead of flash. Using a javascript interface and sound manager means it should be a seamless user experience, and the only difference is whether the JavaScript is calling the sound manager js or the <audio> tag.

I’ll be at WordCamp in San Francisco this weekend, anyone who wants to bend my ear about a feature can do so. Twitter at jwriteclub to get together.

As always, head over the the µAudio page at Wordpress.org or grab a copy from my µAudio page.

Head over the the µAudio page at Wordpress.org or grab a copy from my µAudio page.

Those of you waiting for the 0.7 release with the new sidebar widget shouldn’t have too much longer to wait. It’s coming with some major changes to how µAudio handles javascript. There will probably be a 0.6.2 release in the next week or so to fix any lingering bugs with the current implementation, and then 0.7 will have the new code.

Head on over to Wordpress.org or grab a copy from my µAudio Page.

• New Dashboard Widget
• Better number formatting
• 2.7 Compatible

Mosey over to the µMint page at wordpress.org or grab a copy from my µMint page.

I am happy to announce the release of a new plugin today: µMint. Like my other µ plugins, it’s a small, lightweight plugin to (hopefully) do something useful. In this case, µMint allows you to painlessly integrate Shaun Inman’s Mint into Wordpress. Unlike the currently existent solution, µMint does not make use of iframes. Instead, µMint is designed to work with both the Exposé API, by Adam Livesley as well as the included API, µAPI for Mint. Furthermore, there is a development version of a connector whcih allows Wordpress to directly query Mint, when the two share a database.

µAPI does more than just get your stats, it displays them for you. You can have your choice of a sidebar widget, a dashboard widget, or both. And, in the µ plugin philosophy, stats are cached periodically to reduce the number of API calls required.

I think that µAPI neatly bridges the gap between Mint and Wordpress, and I hope you’ll give it a try.

µMint for Wordpress Dashboard

You can get a version from my µMint Page.

Installation Instructions.

And yes, screenshot 5 is real, the minimal installation is just 495 Bytes!

Thanks for all you patience.

To get started with WordPress nonces, we need a plugin administration page. To make life easier for the budding developer, I’ve created a basic plugin called “WP Nonce Playground.” ('WP Nonce Playground: Part 1'). Upload and activate the plugin. Under “Settings” you will have a new tab: “WP Nonce”. On this screen you can set a check box and some text.

Unfortunately, this is not really secure, because it doesn’t check any credentials. Lets add some. To create a nonce, we’ll be using the wp_create_nonce($action) function. The $action parameter is optional, but without it the system is not nearly as secure. $action is a string, and you should create a unique $action for each different action which you will create

Open up wpn.admin.php. On line 61, add:

<input name="wpn-update_settings" type="hidden" value="<?php echo wp_create_nonce('wpn-update_setting'); ?>" />

This creates a hidden form field with the name wpn-update_settings and places a custom nonce in the value field. If you save the page, refresh, and examine the source, you’ll see the nonce in a hidden form field down at the bottom. Of course, we’re not actually checking it right now, so it’s not much use at the moment.

It’s easy enough to start checking the nonce, however. We use the companion to the wp_create_nonce($action) function, wp_verify_nonce($nonce, $action). Like wp_create_nonce, wp_verify_nonce does not explicitly require the $action parameter, however, whatever $action parameter was used to create the nonce must also be used for successful verification.

Back to wpn.admin.php. Replace lines 13 and 14 with:

if (!isset($_POST['wpn-update_settings'])) die("Hmm ..., looks like you didn't send any credentials");
if (!wp_verify_nonce($_POST['wpn-update_settings'],'wpn-update_settings')) die("Hmm ..., looks like you didn't send the right credentials");

Go ahead and save the page. Visit it and update the options.

Well, that didn’t work! If you copied and pasted exactly what I wrote above, you get the error:

Hmm …, looks like you didn’t send the right credentials

The eagle eyed among you will notice that on line 61, we created a nonce with the $action of ‘wp-update-setting’, but everywhere else, including in wp_verify_nonce, we used ‘wp-update-settings‘.

Update wpn.admin.php, line 61 to:

<input name="wpn-update_settings" type="hidden" value="<?php echo wp_create_nonce('wpn-update_settings'); ?>" />

Lo and behold, it works!

If your wpn.admin.php isn’t working, a working version with all the changes made in the part is also in the plugin folder at wpn.admin.final.php. You can rename this to wpn.admin.php to make the plugin work.

More:

• Part 0 — Background
• Part 1 — Basic Nonce Usage

WordPress Nonce Tutorial Home