The Problem

timthumb.php doesn’t know how to deal with the blogs.dir directory in which WordPress stores images in Multisite. Ideally, you should update your theme to point to the correct directory, or even use WordPress’ built in thumbnail handling. However, if you don’t want to mess around with all of this then simply download timthumb.php and replace your timthumb.php. Problem solved.

How it works

This slightly modifies the function which timthumb uses to find the path to the specified image file. If it detects a blogs.dir directory, it looks through each individual “site” directory until it finds the one which contains the image in question.

There is one potential gotcha in this implementation. If you have identically named files, uploaded in the same month in two different “sites”, this script will use the first one it finds, which may, or may not be the one you intended.

Download

1: Overuse of the options table:
get_option() and set_option() are wonderfully useful features, if used in moderation. If not used in moderation, they result in a hellish jumble of entries in the wp-options table. Instead of using many discreet entries, an “options” object or array should be serialized into a set_option() call. While this may be overkill for a very simple plugin, once you get to any number of options it is a necessity.

2: No NONCEs
This is such an offensive mistake it makes me cry a little. As I(and Mark Jaquith and Vladimir Prelovac and many others) have written, using nonces is a must for any plugin which takes options from a user. Strangely enough, the nonce field is included, but then never checked (WTF?). Without the use of nonces, a nefarious user can arbitrarily change your plugin settings, and possibly even take over your database. Particularly if there are

3: No SQL Injection Security
Not having nonces is one thing. It’s bad, but I’ve forgotten from time to time myself. But not even escaping input before putting it in the database is, to quote “Yahtzee”, pants on head retarded!. Escaping user input is probably the single simplest and most basic security. It’s the last line of defense against people replacing your header image with horrific porn. Don’t write code without it.

4: Unnecessary use of global variables
This exists on two levels:
A) In purpose.php, both $wp_query and $post are called into the function via global. While this probably won’t do any harm, globally including everything everywhere is what made earlier version of php such a nightmare and it looks messy. If you don’t need a variable, don’t include it.
B) $var1-$var4 are declared to static values at the top of the file where they will clutter up the global namespace. They are never accessed from their global context, they are always get_option()ed. In fact, the only reason they are declared here is so that they can be add_optioned into options. EVERY TIME THE CODE RUNS. That’s four superfluous function calls every single time the file loads. This should be done once, on plugin install. Not every single time WordPress loads a page.

5: Include vs. Require
I realize that this is pretty nit-picky, but, when including files that are required for the program to function, the appropriate function is require() (or better yet, require_once(). If the file is missing, the code to break while trying to include the file, instead of mysteriously throwing messages about redeclaration of functions.

In conclusion, while the concept of a plugin framework is laudable, Fire Studio’s implementation falls far short of any reasonable mark of best practices, and only serves to encourage worst practices.

1) Static JavaScript. Instead of using the *.js.php which I have been using, javascript templates are being parsed by a small JS templating engine and stored as static files. This should significantly cut down on the amount of time spent processing php. Each file is stored as filename-hashcode.js.

2) Bootstrapper. People have told me a) They don’t think it’s fair to count the size without jQuery (it probably isn’t) and b) They don’t want to load jQuery on every pageload. To that end, the default install will now include a tiny bootstrapper (hopefully under 200 Bytes) that doesn’t load the player until and unless someone actually wants to use them.

3) Single audio player. For legacy browsers, there will only be one player, the awesome Sound Manager 2 player. User interface will be provided via jQuery based controls. Using a single “invisible” player allows a consistent JavaScript interface for all the players, and, should help to

4) <audio> tag based player. This will probably be beta only in 0.7, but I want to move towards using the native browser implementation instead of flash. Using a javascript interface and sound manager means it should be a seamless user experience, and the only difference is whether the JavaScript is calling the sound manager js or the <audio> tag.

I’ll be at WordCamp in San Francisco this weekend, anyone who wants to bend my ear about a feature can do so. Twitter at jwriteclub to get together.

Head over the the µAudio page at WordPress.org or grab a copy from my µAudio page.

Those of you waiting for the 0.7 release with the new sidebar widget shouldn’t have too much longer to wait. It’s coming with some major changes to how µAudio handles javascript. There will probably be a 0.6.2 release in the next week or so to fix any lingering bugs with the current implementation, and then 0.7 will have the new code.

Head on over to WordPress.org or grab a copy from my µAudio Page.

• New Dashboard Widget
• Better number formatting
• 2.7 Compatible

Mosey over to the µMint page at wordpress.org or grab a copy from my µMint page.

And yes, screenshot 5 is real, the minimal installation is just 495 Bytes!

Thanks for all you patience.

To get started with WordPress nonces, we need a plugin administration page. To make life easier for the budding developer, I’ve created a basic plugin called “WP Nonce Playground.” ('WP Nonce Playground: Part 1'). Upload and activate the plugin. Under “Settings” you will have a new tab: “WP Nonce”. On this screen you can set a check box and some text.

Unfortunately, this is not really secure, because it doesn’t check any credentials. Lets add some. To create a nonce, we’ll be using the wp_create_nonce($action) function. The $action parameter is optional, but without it the system is not nearly as secure. $action is a string, and you should create a unique $action for each different action which you will create

Open up wpn.admin.php. On line 61, add:

<input name="wpn-update_settings" type="hidden" value="<?php echo wp_create_nonce('wpn-update_setting'); ?>" />

This creates a hidden form field with the name wpn-update_settings and places a custom nonce in the value field. If you save the page, refresh, and examine the source, you’ll see the nonce in a hidden form field down at the bottom. Of course, we’re not actually checking it right now, so it’s not much use at the moment.

It’s easy enough to start checking the nonce, however. We use the companion to the wp_create_nonce($action) function, wp_verify_nonce($nonce, $action). Like wp_create_nonce, wp_verify_nonce does not explicitly require the $action parameter, however, whatever $action parameter was used to create the nonce must also be used for successful verification.

Back to wpn.admin.php. Replace lines 13 and 14 with:

if (!isset($_POST['wpn-update_settings'])) die("Hmm ..., looks like you didn't send any credentials");
if (!wp_verify_nonce($_POST['wpn-update_settings'],'wpn-update_settings')) die("Hmm ..., looks like you didn't send the right credentials");

Go ahead and save the page. Visit it and update the options.

Well, that didn’t work! If you copied and pasted exactly what I wrote above, you get the error:

Hmm …, looks like you didn’t send the right credentials

The eagle eyed among you will notice that on line 61, we created a nonce with the $action of ‘wp-update-setting’, but everywhere else, including in wp_verify_nonce, we used ‘wp-update-settings‘.

Update wpn.admin.php, line 61 to:

<input name="wpn-update_settings" type="hidden" value="<?php echo wp_create_nonce('wpn-update_settings'); ?>" />

Lo and behold, it works!

If your wpn.admin.php isn’t working, a working version with all the changes made in the part is also in the plugin folder at wpn.admin.final.php. You can rename this to wpn.admin.php to make the plugin work.

More:

• Part 0 — Background
• Part 1 — Basic Nonce Usage

WordPress Nonce Tutorial Home

Fortunately, WordPress supports Numbers used ONCE (nonce) as a way of keeping nonces (pedophiles, hackers, and people who talk at the theater) out. Follow along as I show you how to keep your plugin from being the door to hackers.

Since early in the version 2 branch wordpress has supported nonces, unfortunately, the resources on using them effectively are all too scarce. In actuality, they are quite easy and simple to use.

According to Wikipedia, a Crytographic nonce:

[Is] a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. … To ensure that a nonce is used only once, it should be time-variant (including a suitably granular timestamp in its value), or generated with enough random bits to ensure a probabilistically insignificant chance of repeating a previously generated value.

In WordPress terms, a nonce is either an md5 HMAC or a plain md5 hash. In general a WP nonce is valid for twelve hours but expires after 24 hours. Thus the current or previous nonce may both be used. While the wp_generate_nonce($action) function includes several internal components to make the nonce more secure, it also allows the developer to specify an action for the nonce. An action is simply a string which is included in the hash calculation. By creating a separate action for each edit page, etc., a hacker needs to intercept the nonce specific to the action they wish to perform. Thus, even if they intercept a nonce, there is only one (or a very limited number) of nefarious actions which they can perform.

More:

• Part 0 — Background
• Part 1 — Basic Nonce Usage

WordPress Nonce Tutorial Home

A new, improved and very throughly tested 0.3 branch is out. Check out my µAudio page, or head over to µAudio at wordpress.org for a copy of your very own.

Thanks to WordPress.org user jonner for pointing out a couple of bugs.