Change DB Query for WordPress plugin Participants Database
- Wynn Teo
- Jul 14, 2017

Participants Database is one of the WordPress plugins used to build and maintain a database of people. The database is configurable and lets you customize the fields you want to store for each record.
One of my clients used this plugin to manage job seeker certifications. After the job seekers upload their certifications to the site, they can give the link to a prospective employer to view their individual certification info.
site:///job-seeker/?pdb=1
To do so, Participants Database provides the shortcode [pdb_single], which shows a single record, determined by the record ID present in the URL used to access the page (the pdb parameter). In the example above, when the employer visits the link /job-seeker/?pdb=1, the system queries the job seeker certification info whose record ID equals ‘1’.
However, this creates a loophole: anyone who has the base URL can change the ID to access other people's records, because the record ID is a sequential auto-generated value assigned when a new record is created.
So, instead of using the record ID as the access key, we can modify the plugin to use a randomly generated private ID as the query condition. How do we do that?
First solution: call the shortcode through the do_shortcode() function. This gives you the chance to set the ID of the record dynamically, looking it up from the private ID passed in the URL instead of taking the record ID directly.
<?php echo do_shortcode( '[pdb_single record_id=' . Participants_Db::get_record_id_by_term( 'private_id', sanitize_text_field( $_GET['pid'] ) ) . ' ]' ); ?>
Second solution: open the file ‘participants-database/classes/PDb_Single.class.php’ and replace the line below
$get_pdb = filter_input(INPUT_GET, 'pdb', FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
with
$get_pdb = filter_input(INPUT_GET,'pdb');
and replace the line
$record_id = Participants_Db::get_record_id_by_term( $this->shortcode_atts['term'], $id );
with
$record_id = Participants_Db::get_record_id_by_term( 'private_id', $id );
Now you will be able to access the page with the link ‘site:///job-seeker/?pdb=ZURZ1’. This link returns exactly the same information, but the record can no longer be reached by guessing its sequential ID.
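The private-ID lookup both solutions rely on, as an added example that is not the plugin's or the post's own code: it generates an unguessable private ID with a CSPRNG, validates the shape of the incoming query value (the second solution above drops FILTER_VALIDATE_INT, so a check like this belongs somewhere), and resolves it to a record. The 5-character uppercase alphanumeric format is an assumption based on the ZURZ1 example; a constructed in-memory table stands in for Participants_Db::get_record_id_by_term('private_id', $id) so the script runs without WordPress.

```php
<?php
// Added example, not the plugin's own code: resolve a record by a random
// private ID rather than the sequential record ID, validating input first.
// Assumption: private IDs are 5 uppercase letters/digits, like the post's ZURZ1.
declare(strict_types=1);

const PRIVATE_ID_PATTERN = '/^[A-Z0-9]{5}$/';

// Generate a private ID with a CSPRNG (random_int) so it cannot be
// enumerated the way an auto-increment record ID can.
function pdb_generate_private_id(): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $id = '';
    for ($i = 0; $i < 5; $i++) {
        $id .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $id;
}

// Accept the query value only if it has the exact private-ID shape; a bare
// integer such as "1" or lower-case input is rejected before any lookup.
function pdb_validate_private_id(?string $raw): ?string {
    if ($raw === null || preg_match(PRIVATE_ID_PATTERN, $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Stand-in for Participants_Db::get_record_id_by_term('private_id', $id):
// a constructed in-memory table replaces the database so this runs alone.
function pdb_record_id_by_private_id(array $records, string $private_id): ?int {
    foreach ($records as $record_id => $record) {
        if (hash_equals($record['private_id'], $private_id)) {
            return $record_id;
        }
    }
    return null;
}

// Constructed sample data and requests (what ?pid=... would carry).
$records = [
    1 => ['private_id' => 'ZURZ1', 'name' => 'Job seeker A'],
    2 => ['private_id' => pdb_generate_private_id(), 'name' => 'Job seeker B'],
];
foreach (['ZURZ1', '1', 'zurz1', null] as $raw) {
    $pid = pdb_validate_private_id($raw);
    $rid = $pid === null ? null : pdb_record_id_by_private_id($records, $pid);
    printf("pid=%s -> record %s\n", var_export($raw, true), var_export($rid, true));
}
```

Only 'ZURZ1' resolves to a record; '1', 'zurz1' and a missing parameter are all rejected by the shape check before any lookup happens.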