
Why is [insert_php] unsafe?

nile

New member
#1
Hello, I saw your note in the plugin settings saying that use of [insert_php] is not safe, but I would like to know why, so I can evaluate if I'm comfortable with having that risk on my site or not. Can you please explain why it is not safe? Thank you.

If you used our plugin from version 1.3.0, then you could use the old shortcodes [insert_php][/insert_php]; from version 2.2.0 we disabled this type of shortcode by default, as their use is not safe. If you still want to execute your PHP code via [insert_php][/insert_php] shortcodes, you can enable this option.
 

Temyk

Developer & Support
#2
Hello.

If you use the old shortcode [insert_php] you place all your PHP code directly in the post text. If your site is hacked or vulnerabilities are used, hackers can easily embed their code.
When using new shortcodes, this is no longer possible.
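
An audit for the risk described in the reply above, as an added example that is not part of the original thread or the plugin's code: it lists every legacy [insert_php] block still sitting in post content, so the code can be moved into snippets and the legacy option left disabled. The function name, the sample posts and the idea of feeding it from get_posts() are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code). PHP stored in post text runs for
// anyone who can write post text, so each legacy block found here is a
// candidate for migration into a snippet.

/** @param array<int,string> $posts post ID => raw post content */
function find_legacy_insert_php(array $posts): array
{
    $findings = [];
    foreach ($posts as $id => $content) {
        // Opening tag, with or without attributes; byte offsets are recorded.
        $open = '/\[insert_php(?![\w-])[^\]]*\]/';
        if (!preg_match_all($open, $content, $m, PREG_OFFSET_CAPTURE)) {
            continue;
        }
        foreach ($m[0] as [$tag, $offset]) {
            $start = $offset + strlen($tag);
            $end   = strpos($content, '[/insert_php]', $start);
            // An unclosed tag is still reported: it needs manual review.
            $body  = $end === false
                ? substr($content, $start)
                : substr($content, $start, $end - $start);
            $findings[] = [
                'post_id' => $id,
                'offset'  => $offset,
                'closed'  => $end !== false,
                // The hash lets a later scan show whether a block has changed.
                'sha256'  => hash('sha256', $body),
                'preview' => substr(trim(preg_replace('/\s+/', ' ', $body)), 0, 60),
            ];
        }
    }
    return $findings;
}

// Constructed sample input. On a live site the array would be built from
// get_posts() as ID => post_content (assumption, not shown in the thread).
$posts = [
    101 => "Intro text\n[insert_php]\necho date('Y');\n[/insert_php]\nFooter",
    102 => 'A page with only [gallery ids="1,2"] and no PHP.',
    103 => "[insert_php] echo 'a'; [/insert_php] then [insert_php] echo 'b';",
];

foreach (find_legacy_insert_php($posts) as $f) {
    printf("post %d @%d closed=%s sha256=%s code: %s\n",
        $f['post_id'], $f['offset'], $f['closed'] ? 'yes' : 'no',
        substr($f['sha256'], 0, 12), $f['preview']);
}
```

Run with the PHP CLI; on the sample it reports one block in post 101 and two in post 103, the second of which is unclosed.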
 

nile

New member
#3
Great, thanks for that explanation.

I converted my PHP code to a snippet and then inserted it in the page using the shortcode for it. However, then I ran into a problem:

The PHP snippet includes an echo that has another shortcode (not an insert_php shortcode). When I have the PHP code in a snippet and then inserted into the page, it simply prints the shortcode on the page, instead of processing it and inserting what the shortcode is supposed to create.

However, if I use the old [insert_php] wrapper method around the PHP code within the page itself, then the shortcode in the echo is correctly inserted.

Is there a way to solve this?
 

Temyk

Developer & Support
#4
Instead of echo, use do_shortcode('[some_shortcode]');