I’ve submitted a plugin for review and it was not accepted because it needs some fixes for data sanitization and escaping.
One of the many flagged examples was this line:
echo "<option value=\"$result->ID\" $selected>$result->display_name</option>\n";
(I am guessing due to this value: $result->display_name)
third to last line of this function:
function get_users_with_role( $roles, $current_selected ) {
    global $wpdb;

    if ( ! is_array( $roles ) ) {
        // array_walk() returns a bool, so assigning its result lost the list;
        // array_map() returns the trimmed role names.
        $roles = array_map( 'trim', explode( ',', $roles ) );
    }

    // Query built by string concatenation; each $role is inserted as-is.
    $sql = "
        SELECT ID, display_name
        FROM " . $wpdb->users . ' INNER JOIN ' . $wpdb->usermeta . '
        ON ' . $wpdb->users . '.ID = ' . $wpdb->usermeta . '.user_id
        WHERE ' . $wpdb->usermeta . '.meta_key = \'' . $wpdb->prefix . 'capabilities\'
        AND (
    ';
    $i = 1;
    foreach ( $roles as $role ) {
        $sql .= ' ' . $wpdb->usermeta . '.meta_value LIKE \'%"' . $role . '"%\' ';
        if ( $i < count( $roles ) ) $sql .= ' OR ';
        $i++;
    }
    $sql .= ' ) ';
    $sql .= ' ORDER BY display_name ';

    $results = $wpdb->get_results( $sql );

    foreach ( $results as $result ) {
        $selected = null;
        if ( $result->ID == $current_selected ) {
            $selected = 'selected="selected"';
        }
        // The line the reviewer flagged: ID and display_name go into the HTML unescaped.
        echo "<option value=\"$result->ID\" $selected>$result->display_name</option>\n";
    }
}
Do we really need to escape data that was already entered in the WP database, specifically usernames and their integer IDs?
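For comparison, here is the same function with the data escaped at both boundaries, as an added example that is not the asker's code: `$wpdb->prepare()` with `$wpdb->esc_like()` for the role names going into the LIKE patterns, and `esc_attr()` / `esc_html()` for the values going into the HTML. It assumes a normal WordPress runtime where `$wpdb`, `esc_attr()`, `esc_html()` and `selected()` are loaded; the function name is invented.

```php
<?php
// Added example, not the original poster's code. Assumes a WordPress context.
function get_users_with_role_escaped( $roles, $current_selected ) {
    global $wpdb;

    if ( ! is_array( $roles ) ) {
        // array_map() returns the trimmed list (array_walk() would return a bool).
        $roles = array_map( 'trim', explode( ',', $roles ) );
    }

    // One %s placeholder per role. $wpdb->prepare() quotes and escapes each value,
    // and esc_like() neutralises % and _ inside the LIKE pattern itself.
    $conditions = array();
    $params     = array( $wpdb->prefix . 'capabilities' );
    foreach ( $roles as $role ) {
        $conditions[] = "{$wpdb->usermeta}.meta_value LIKE %s";
        $params[]     = '%"' . $wpdb->esc_like( $role ) . '"%';
    }

    $sql = "SELECT ID, display_name
            FROM {$wpdb->users}
            INNER JOIN {$wpdb->usermeta} ON {$wpdb->users}.ID = {$wpdb->usermeta}.user_id
            WHERE {$wpdb->usermeta}.meta_key = %s
              AND ( " . implode( ' OR ', $conditions ) . " )
            ORDER BY display_name";

    $results = $wpdb->get_results( $wpdb->prepare( $sql, $params ) );

    foreach ( $results as $result ) {
        // Escape on output, whatever the value's origin: esc_attr() for the
        // attribute, esc_html() for the text node. selected() prints the
        // selected="selected" attribute only when the two values match.
        printf(
            '<option value="%s" %s>%s</option>' . "\n",
            esc_attr( $result->ID ),
            selected( $result->ID, $current_selected, false ),
            esc_html( $result->display_name )
        );
    }
}
```

A display_name containing `<` or `"` (which a user or an import can put into the database) is rendered as text rather than markup, which is the case the escaping functions exist for.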