Plugin Tutorials 301 - Integrating With e107
From e107 Wiki
e107 Wiki: English | Русский | Deutsch | Français | Magyar | Português | Български | Česky | Nederlands | Ελληνικά | Italiano | Norske | Polska | Slovenščina | Español | Svenska | Translate: Wiki | Page
Tutorial 301 - Rough notes - integrating with e107
Plug-ins must include class2.php in their main page(s), but not in other code (e.g. menus, plugin.php, etc.).
Many database actions are ready for use. The database server is already connected because the CMS is using it. The database name is as defined for e107 in the installation and that is what we are using for this tutorial. You will need to specify the table to use in your select statements.
This tutorial uses
You should use The e107 database API for your database access rather than the standard PHP functions.
Administrator pages (such as admin_config.php) need to be prefixed with admin_ in order to pick up the administrator theme. Alternatively, you can use
Something on auth.php (Workaround on a problem)
The auth.php file should be included in most, if not all, administration pages. But as with much PHP programming, order of includes is important.
The auth.php file is responsible for performing a number of security checks, and then printing headers and the top of the HTML page. In most cases, your code should include other files (like languages and other libraries) before including auth.php. (And since these files are sent before the HTML headers, you should take care to program error handling accordingly.)
In the above example, the languages file is included before auth.php. Plug-in authors report that doing the includes in the reverse order (auth.php first, and language.inc.php second) might produce undesired results.
Writing safe plug-ins
Software is as strong as the weakest link.
Some plug-ins are vulnerable because hackers use their exploits. There are two basic rules for avoiding SQL-injections in your plugins:
1. Any (int) variables in SQL-queries which users/administrators send to you PHP script ($_POST, $_GET, $_COOKIES, e107 e_Query) must be used with intval().
This applies not only for "SELECT" queries, but also for "DELETE", "INSERT" and "UPDATE". If you will stick to these simple rules, there will be no danger for any SQL-injection at all!
What you need to know about PHP Security
With great power comes big responsibility. Please read this recommended PHP security tutorial on PHPfreaks.com.