php - Is it needed to use wordpress filesystem in creating files and directories inside a plugin?
I'm currently developing a WordPress plugin, in part of which I need to create directories and save image files that I have got from the front end.
I receive image files inside an API endpoint and attempt to save those images inside a safe location.
I know there are two ways of doing this: the WordPress Filesystem API and the usual PHP file functions.
I think for security reasons I have to use the WordPress Filesystem API, but I don't know how I should work with the request_filesystem_credentials function, because it needs some parameters like $form_post but I don't know what this parameter exactly is while there is no form. It's all Ajax requests and I have the file inside my API endpoint!
Or maybe it is good to go with the usual PHP file functions?!
In a perfect world, yes, you should do it that way. In reality, specific to your scenario, it just isn’t feasible because, as you noted, you are a background task. Instead, I would code defensively, log my failures, and provide a UI for admins to audit and/or receive alerts.
I would also call get_filesystem_method() to see if it returns direct. When you call that function, WordPress will actually attempt writing a temporary file, and check the file’s ownership to see if it is optimal. I’d read through the whole function’s code to see what it all does, too, including extra information that it stashes in globals. You don’t need to call this on every write, but I’d do it on activation and I’d have a health check/status area to alert admins, and I think if this doesn’t return direct I’d set an "option" that my plugin would check that would disable writing.
Avoid WordPress constants for paths if you can, and instead use official functions such as wp_upload_dir. See the docs for parameters and return values, and you specifically probably don’t want to create the time sub folder, you just want to get the return base directory. That function is great, especially in Multisite, because folders aren’t always where you expect them. Actually, wp_get_upload_dir might be even better, but it is good to know the deeper one.
WordPress also has a bunch of wrapper functions for PHP core functions such as wp_mkdir_p, and it is good to know those.
Lastly, be very careful with the file system and what parameters you blindly accept from outside. For instance, a third party/API might say the file should be called example.jpg which is probably okay, but they could also say it is ../../../wp-config.php and you could bork the system. I personally use this in all of my projects. There’s a bunch of methods including safely joining paths without having to worry about extra or missing slashes, and it is also cross platform which is great for me because I dev on Windows. When you write to disk, make sure you are isolated to your folder or its children.
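The checks recommended in this answer, combined into one added example (not code from the answer's author or from WordPress itself). The myplugin_* function names, the myplugin_writes_enabled option key and the myplugin subfolder are hypothetical, and the file is assumed to arrive as a multipart upload so that $tmp_path comes from $_FILES.

```php
<?php
// Added example. The myplugin_* names and the option key are hypothetical.

// Run on activation and from a health check: record whether direct writes work.
function myplugin_check_fs_method() {
    require_once ABSPATH . 'wp-admin/includes/file.php'; // get_filesystem_method()
    $uploads = wp_get_upload_dir();
    $direct  = ( 'direct' === get_filesystem_method( array(), $uploads['basedir'] ) );
    update_option( 'myplugin_writes_enabled', $direct ? '1' : '0' );
    return $direct;
}

// Store one uploaded image under <uploads basedir>/myplugin and nowhere else.
function myplugin_store_image( $tmp_path, $client_name ) {
    if ( '1' !== get_option( 'myplugin_writes_enabled' ) ) {
        return new WP_Error( 'myplugin_disabled', 'File writing is disabled.' );
    }
    $uploads = wp_get_upload_dir();
    $dir     = trailingslashit( $uploads['basedir'] ) . 'myplugin';
    if ( ! empty( $uploads['error'] ) || ! wp_mkdir_p( $dir ) ) {
        return new WP_Error( 'myplugin_dir', 'Target directory is not available.' );
    }
    // Drop any directory part of the client-supplied name, then sanitize it:
    // "../../../wp-config.php" is reduced to "wp-config.php".
    $name = sanitize_file_name( wp_basename( $client_name ) );
    // Allow only these image types; the .php name above fails this check.
    $mimes = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' );
    $type  = wp_check_filetype_and_ext( $tmp_path, $name, $mimes );
    if ( empty( $type['ext'] ) || empty( $type['type'] ) ) {
        return new WP_Error( 'myplugin_type', 'Not an allowed image type.' );
    }
    if ( ! empty( $type['proper_filename'] ) ) {
        $name = $type['proper_filename']; // extension corrected to match content
    }
    // Resolve symlinks and confirm the folder is still inside the uploads base.
    $real_base = realpath( $uploads['basedir'] );
    $real_dir  = realpath( $dir );
    if ( ! $real_base || ! $real_dir || 0 !== strpos( $real_dir, $real_base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'myplugin_path', 'Target directory escaped the uploads folder.' );
    }
    $dest = $real_dir . DIRECTORY_SEPARATOR . wp_unique_filename( $real_dir, $name );
    if ( ! move_uploaded_file( $tmp_path, $dest ) ) {
        error_log( 'myplugin: could not store upload as ' . $dest ); // log failures
        return new WP_Error( 'myplugin_write', 'Could not save the file.' );
    }
    return $dest;
}
```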