Allow Users To Submit To Your WordPress Site: A Quotes Plugin

In this tutorial, you'll learn how to create a plugin that allows users to submit form data. You'll also learn about security by using nonces.


What You'll Learn

  • How to display and process a form using a shortcode
  • Use nonces to secure user submissions

It's simpler than you think

Shortcodes are often used to display simple data, but because they are actually a way to branch out of a page or post and execute code, they can be used for quite complex tasks, such as displaying and processing forms.

We'll construct a plugin that will allow logged in users to:

  • submit quotes for moderation and publication
  • view their unpublished quotes
  • delete their unpublished quotes

Here's what we're aiming for:

All code is available in the plugin source at the top of this tutorial.


Step 1 Set-Up the Plugin

The WordPress plugin folder is located in your WordPress installation folder at wp-content/plugins. Create a folder inside the plugins folder. Let's call it submit-user-quotes. Now, create the plugin file itself. Let's call it submit_user_quotes.php. The path to your plugin file should now be: wp-content/plugins/submit-user-quotes/submit_user_quotes.php

Every Wordpress plugin needs some header information so WordPress can identify it and make it available on your dashboard plugin page.

You can edit this info as per your own requirements.

You'll see the plugin listed like this:


Step 2 Plugin Initialization Function

We're going to create a custom post type named Quotes to hold our quotes and a custom taxonomy named quote_category. This will enable cleaner administration of the quotes than simply assigning them to normal posts and categories.

The Init Hook and Function

We'll use the following initialization code to create our custom post type and custom taxonomy:

What this code does:

We will now have a Quotes menu in our admin dashboard and a way to administer quotes and their categories.


Step 3 Define A Shortcode

Next, we'll define a shortcode that will allow us to display (and process) the user quotes submission form in a post or page:

Here we use the WordPress add_shortcode function to define a shortcode named suq_form and a function named suq_form_shortcode that will be called whenever WordPress encounters the shortcode [suq_form] in a post or a page.

Before we look at the form display and processing functions, let's talk a little about...


Security

Because our plugin accepts data from the user, we implement the following security mechanisms:

  • only logged-in users have access to the post submission form
  • we use nonces to verify that the forms were generated by our plugin
  • quotes are submitted using wp_insert_post which sanitizes the data before saving it to the database
  • users can only view their own quotes, and nonces prevent them from deleting any other user's quotes

Nonces

A nonce is a number used once. We use them to verify that the data coming back to us is actually from the forms we've created.

Here we generate a nonce field using wp_nonce_field that will be included in our form as a hidden field:

Because it's now a hidden field in our form, it'll come back to us when the form is submitted. We can then check that the nonce is valid using wp_verify_nonce:

That will return true if the nonce verifies.


Step 4 The Main Function

This is the function called by our shortcode. It displays and processes the quote submission form and the quote listing/deletion form. We'll take it in bite-sized pieces and in Step 5 we'll look at the helper functions.

  • check to see if the user is logged in
  • grab the WordPress $current_user variable which we'll need to get our user ID
  • if the quote creation form has been submitted, there'll be a suq_form_create_quote_submitted field which was generated by our wp_nonce_field function. We can then verify the nonce and proceed to process the submitted quote
  • do some basic validation by making sure the quote author and quote text fields both have something in them, if not, display error message
  • construct an array setting the post status to pending (the admin will now have to approve it for publication), setting the post type to quotes (our custom post type), and setting the author of the quote to the currently logged-in user
  • if the quote was successfully inserted, set the category for the quote and display a success message
  • if the quote delete form has been submitted, there'll be a suq_form_delete_submitted field which was generated by our wp_nonce_field function. We can then verify the nonce and proceed to process the array of quotes checked for deletion
  • we check that we actually have some quotes checked for deletion by testing $_POST['suq_delete_id']. If so, we hand them off to the suq_delete_quotes function (see Step 5)
  • if quotes were deleted, we display a success message
  • we output the quote creation form
  • finally, we output the quote listing/deletion form by passing the user ID to the suq_get_user_quotes function (see Step 5)

Step 5 Helper Functions

Here we'll look at the functions that generate the forms and the function that deletes the selected quotes.

  • the function accepts 3 optional arguments for repopulating the form fields. This is a convenience for the user.
  • a nonce field is output which we check when the form is submitted
  • we output a dropdown for the quote categories by calling suq_get_quote_categories_dropdown (see next function)
  • the function accepts 2 arguments including the element ID of the currently selected category
  • we use the WordPress wp_dropdown_categories function to create a dropdown that lists the quote categories from the quote_category taxonomy (our custom taxonomy)
  • accept the user ID because we need to get a listing of quotes for the current user only
  • create $args to specify our user, the post type of quotes and quotes that are pending (not yet published by the admin)
  • execute a custom query using WP_Query
  • return false if our query returns no quotes
  • start a form and generate a nonce for the form
  • loop through the quotes making sure we also grab the category of the quote
  • generate a nonce for the quote delete checkbox, assigning a unique name for the nonce by concatenating the post ID
  • output a table row containing the quote info as well as a delete checkbox

Why add a nonce for each quote?

Forms can be manipulated in the browser to post back unexpected data. In our case, each delete checkbox is assigned the value of a post. But what if a malicious user altered that value and caused our delete function to remove a post that was not actually listed?

One way to avoid this, is to use nonces for each row of post data, ensuring that the nonces are uniquely named with the post value to be deleted. We then verify the nonce upon form submission to make sure it's a genuine return value.

  • the function accepts an array of quote IDs to delete
  • each quote ID is checked to see if a nonce was generated for it
  • if the nonce verifies, we trash the quote using the Wordpress function wp_trash_post

Step 6 Some Styling

Just drop this style info into the style.css file in your theme folder:


Step 7 Try It Out

Activate the plugin, pop the shortcode onto a page, log into your site, and test it out.

The full plugin code source and a demo site link is listed at the top of this tutorial.

The source folder also contains a Wordpress page template with a custom loop that displays published quotes for all users.


Final Thoughts

  • the quotes plugin could be improved by offering an edit option. As it is, users can only delete their quotes
  • you could also include an image upload option to brighten things up
  • perhaps add some custom fields to the quotes post type for quote meta info

Useful Links

Tags:

Comments

Related Articles