We’ve had prepared statements for years, but the WordPress ecosystem still relies on mysqli_real_escape_string() and it’s scary. Can you find the security issue in this deceptively simple code snippet? It’s related to text encoding. Adding backslashes to the $_POST['new_content'] string can corrupt the data at best, and open up a SQL injection vulnerability at worst. Here’s…
During my Christmas break, I’ve turned WordPress into a markdown editor, a git client, and a git server. It’s all dependency-free PHP code. It works in Playground, on any cheap hosting, and it could be merged into WordPress core. Why would I do that? I want Notion that’s free, offline first, and where I own…
I’ve used Google Gemini to generate a MySQL query parser in PHP and I’ll tell you exactly how. It took two nights, ~$520, and yielded a 1MB MySQLParser.php file that worked out of the box, but not without bugs. This post is just a summary. If you want the full story, check out the original…
Adjusting the HTML markup in PHP has always been a struggle, but WordPress 6.2 makes it a breeze with the WP_HTML_Tag_Processor API. For example, here’s how you can add an alt="" attribute to an <img /> tag: The PHP code snippets in this post are live! You can edit and re-run them to your heart’s…