Tom McFarlin

Software Engineering in WordPress and Musings on the Deep Life

Page 2 of 417

Is It Worth Using ChatGPT to Help Secure Source Code?

August 16, 2023 /

To cut straight to the point, I’m not going to say we need to rely on AI tools to help us to write truly secure code. This isn’t to say we can use tools like ChatGPT to help secure source code, but given how these utilities are trained via their LLMs, there’s only so much they can provide. In short, don’t short change security analysts who are, by nature, trained in this very thing.

That said, I’ve been using tools such as ChatGPT and other AI developer tools to help make recommendations on making code more secure. I’ll give a basic example of what I provided, what it produced, and my thoughts on it.

Note this is but a single, isolated, and simple case so there’s only so much that it can recommend. The bottom line, for me, is not so much the code it recommended but how it offered to change that I’d originally written (and then researching the why it opted to use certain function calls over others).

The Intent of the Code

In the function I’m going to share, the purpose is to look at data in the REQUEST_URI of the $_SERVER array, separate the components of the URI, and then analyze them to determine what best course of action to take.

Namely, do we break it a part and redirect to another page or do we duck out of the functionality because it’s malformed or doesn’t fit with the scheme of the rewrite rule I have in place.

The Code

The Initial Function

I wrote the initial function like this:

add_action('template_redirect', function() {
  $requestUri = $_SERVER['REQUEST_URI'];
  $requestUriParts = array_filter(explode('/', $requestUri));

  if (
    count($requestUriParts) === 2 && 
    $requestUriParts[0] === 'report' && 
    is_numeric($requestUriParts[1])) {
        $userId = intval($requestUriParts[1]);
        include plugin_dir_path(__FILE__) . 'templates/report.php';
        exit;
    }
});

Granted, I made some concessions to keep it relatively simple. That is, there are no exception handling and there are no conditionals to handle the case when indexes of the array are invalid.

But part of this is to see just how much AI can improve the code above. They key things to take away, despite it not handling situations outside of the conditional, are:

  • I’m verifying the array has the proper number of parts,
  • The first index of the array is report,
  • The second index of the array is an integer,
  • And if all of the above is true, then we’ll redirect to a custom template.

Again, there are some immediate issues that you can spot with this (such as the case of strings, the range of integers for user IDs, and if the file even exists.

But I digress. This is what I fed into ChatGPT to help secure source code.

The Secured Code

Given the code above, this is what ChatGPT produced:

add_action('template_redirect', function () {
    $requestUri = filter_var($_SERVER['REQUEST_URI'], FILTER_SANITIZE_URL);
    $requestUriParts = array_values(array_filter(explode('/', $requestUri)));

    if (
        count($requestUriParts) === 2 &&
        strtolower($requestUriParts[0]) === 'report' &&
        ctype_digit($requestUriParts[1])
    ) {
        $userId = intval($requestUriParts[1]);

        // Validate $userId and ensure it's within an appropriate range
        if ($userId > 0 && $userId <= 1000000) { // Adjust the upper limit as needed
            $templatePath = plugin_dir_path(__FILE__) . 'templates/report.php';

            // Check if the template file exists before including it
            if (file_exists($templatePath)) {
                include $templatePath;
                exit;
            } else {
                // Handle the case where the template file is missing
                die('Report template not found.');
            }
        } else {
            // Handle invalid user IDs
            die('Invalid user ID.');
        }
    } else {
        // Handle invalid URLs
        die('Invalid URL.');
    }
});

Some of the things that immediately jump out at me in terms of improving the code are:

  • FILTER_SANITIZE_URL
  • strtolower on the report component of the URL
  • ctype_digit rather than is_numeric
  • Verifying a proper range of user IDs
  • Verifying the template file exists
  • Handling each case where it could fail

Now in terms of security, I don’t know where this would fall given that it’s not writing or reading data so much as sanitizing and validating it before redirecting a user to a page that should exist.

But I did like the steps that it took as they are things that we should be implementing naturally as engineers. Namely, sanitizing URL, verifying files exists, and making sure ID ranges are acceptable.

This is what struck me as the most interesting part though:

  • is_numeric. Determines if the given variable is a number or a numeric string. (A PHP string is considered numeric if it can be interpreted as an int or a float.).
  • ctype_digit. Checks if all of the characters in the provided string, text, are numerical.

Given the definitions above, we can verify that is_numeric(-5) would return true where ctype_digit(-5) would return false. Further, is_numeric(5.5) will be true and ctype_digit(5.5) will be false. This is important, especially when you’re working with non-negative whole numbers such as those that represent user IDs in a system such as WordPress.

I’m not recommending writing lazy code (like my example code above 🙃), feeding it into an AI system, and letting it do work for you. But if you’ve written something as strong and secure as you believe you can, then feeding that to an AI makes more sense as it can help take you a little further. And if you have a security analyst on your team, don’t hesitate to reach out to them for a code review.

For all the talk of AI replacing humans, we’re there yet – not in this field. But that’s not a discussion I care to have right now. If nothing else, using AI tools such as GitHub Copilot and ChatGPT to help secure source code isn’t a bad idea, but it’s not the best idea and it doesn’t replace someone who’s on your team. AI is going to be truly limited by its contextual knowledge of the environment and constraints of the system.

If anything, perhaps they are code assistants and nothing more.

WordPress Has No Templating Language (and That’s Okay!)

August 15, 2023 /

Most of us who have worked with WordPress for the last decade or so have lamented the lack of a templating language whenever it comes to front-end logic.

There are teams that have done this, such as Roots, and it’s admirable. It’s opinionated nature can make it incredibly easy to work with a project or more trouble than necessary. It depends on the project, the team, and so on. But I’m not here to talk about Roots. (Check it out if you have time.)

Anyway, as with most things in development, compromises can be made. Though there isn’t any native templating built into WordPress, this doesn’t mean we can’t introduce something approximating that when it comes to our frontend functionality.

First, remember that WordPress has a convention that if you prefix a function with ‘get’, then it means it’s going to retrieve the value for you, but it’s up to you to do something with the value. For example, get_the_content() will retrieve content for the post in question but it won’t actually render it. On the other hand, the_content() will retrieve the content and will render it.

I mention this because if you’re going to separate your logic in a similar way, it’s important to follow this convention (though I’m personally partial to the PSR12 way of naming functions with camelCase).

Secondly, remember that we’re now writing code in a time where it’s more than acceptable to mix multiple languages into a single file. This means that one file may include HTML, JavaScript, CSS, and maybe even some type of PHP. This isn’t how it’s always been and it isn’t how it has to be, but React ushered a lot of this into the mainstream.

All that to say, while it’s completely possible to set up your templates that look something like this:

<?php // Check $userId is set or can be retrieved in whatever way works for you. ?>
<li>Phone Number: <a href="tel:<?php echo get_user_meta($userId, 'phone_number', true) ?: 'Not Provided'; ?>"><?php get_user_meta($userId, 'phone_number', true) ?: 'Not Provided'; ?></a></li>
<li>Email Address: <a href="mailto:<?php echo strtolower(get_user_by('id', $userId)->user_email); ?>"><?php echo strtolower(get_user_by('id', $userId)->user_email); ?></a></li>

This is noisy and if you want to use those same function calls again, you’ll have to make sure they are used every single place throughout your codebase exactly as they are called here. Maybe that’s okay, maybe not.

If you’re building a large site or any application, it’s going to create more work than not, though.

You can separate the logic a bit so even though it’s not a full on templating language it still separates some of the rendering logic so the frontend isn’t so visually noisy. Plus, it allows you to update the code in one place rather than in every single template that uses it (yes, I know we could use partials or even some other smaller component of a partial that can be reused throughout the project but then you get into potential markup or design challenges with doing that).

This will make sure that the function is retrieve only the data that you need and leaves the rest of the markup and styling to be done elsewhere. Even better, it can be used in templates, in partials, or in fragments (or whatever they are called right now).

Anyway, this means that your template may look something like this:

<section id="contact-info">
    <ul>
        <li>Phone Number: <a href="tel:<?php echo getPhoneNumber($userId); ?>"><?php echo getPhoneNumber($userId); ?></a></li>
        <li>Email Address: <a href="mailto:<?php echo getEmailAddress($userId); ?>"><?php echo getEmailAddress($userId); ?></a></li>
    </ul>
</section>

And then the code behind the function call looks something like this:

/**
 * Retrieves the phone number associated with the specified user.
 *
 * @param int $user_id The ID of the user to retrieve the phone number for.
 *
 * @return string|false The phone number of the user, or false if not found.
 */
function getPhoneNumber(int $userId)
{
    return (
        get_user_meta($userId, 'phone_number', true) ?:
        'Not Provided'
    );
}

/**
 * Retrieves the email address associated with the specified user.
 *
 * @param int $user_id The ID of the user to retrieve the email address for.
 *
 * @return string|false The email address of the user, or false if not found.
 */
function getEmailAddress(int $userId)
{
    return strtolower(
        get_user_by('id', $userId)->user_email
    );
}

And though you’re not straight up calling a template in terms of using brackets and the properties of a model (which you technically could, but that’s another post), you’re at least still able to get the raw data with which you can work in your template.

Maybe the methodology discussed in this article strikes you as out of date, old, or even unfamiliar. And despite how I may have come off, I’m not necessarily against mixing languages in a single file, but I do think it’s important – in an application that has no templating language – to do what we can to incorporate a pattern of development that meets us half way.

It doesn’t require third-party dependencies and it doesn’t require a paradigm shift. Just keep the functionality required for retrieving and returning the data separate and have the presentation call said function. Then mark it up and style it however you want.

WordPress is a Foundation, Not a Framework

August 10, 2023 /

In 2016, I wrote a post about why WordPress is a foundation, not a framework. Though I don’t participate much on social media any more (I certainly lurk, but don’t converse), I’ll see things I’ve not thought about, things I’ve thought about, and things worth reconsidering.

And in an effort to continue writing more regularly and to revisit things I’ve previously written (because that’s healthy, right?), I thought I’d address something I recently read:

We need to stop thinking of WordPress as a CMS and start thinking of it as a framework.

There’s a litmus test as to what defines a framework and what defines a foundation

  • A framework doesn’t function until someone builds something using the tools it offers.
  • A foundation is an application that can run on its own without any additional functionality but it offers APIs that allows developers to build things on top of it.

To that end, WordPress is a foundation. Not a framework.

Note: It’s not that I don’t want to attribute the quote to the specific person out of disrespect; on the contrary, I’ve seen enough subtweeting and general unpleasant discourse online that I don’t want to spur that. It’s not about talking about the person; it’s about talking about the idea.

Yes, They’re Still Exciting: Headless WordPress Applications in 2023

August 9, 2023 /

In r/ProWordPress, OP asked a few questions around Headless WordPress in 2023. One question stood out the most:

Developers who develop headless WordPress sites, how are things going in 2023?

Given all that’s happened within the core WordPress application over the last few years – that is, with the Block Editor and Full Site Editing – it’s not only easy to lose sight this is functionality built into WordPress but there’s likely a portion of people onboarded into WordPress development who do almost nothing with this type of work.

Even with all of the excitement around the new editing tools and how much JavaScript has been introduced into WordPress core, building headless applications with WordPress is still something I find to be one of the most powerful aspects of working with the application.

Continue reading

The Deep Life: Me, A Case Study

August 8, 2023 /

Back in June, I wrote an article called Living Deeply, Writing Broadly and tagged it under TDL. I haven’t done much with that particular tag since writing that post, though.

Earlier this week, a close friend sent me the following text (with some context removed for the sake of keeping it concise):

Clear writing gives poor thinking nowhere to hide. A lack of understanding, which was previously invisible, becomes suddenly visible. You can’t simply take a few minutes here and there, get the gist of the problem, and expect to have clear writing. It doesn’t work that way.

How to Think Better: The Skill You’ve Never Been Taught

Not so long ago I used to write daily even if it wasn’t for this site. I’d write in a journal or in a notebook or a field guide just to get some thoughts done.

Not everything worth writing is necessarily worth publishing, but perhaps nearly everything deserving of serious consideration is worth putting into writing. At least in terms of working on or working out an idea.

Couple that with a recent podcast from Cal Newport in which he breaks down what he calls The Deep Life Stack along with many of the things I’ve been working to practice in my day-to-day for the last couple of years and you have somewhat of a structure for how I’ve been trying to organize this particular phase – or season, as some say – of my life.

If you listen to any of Newport’s podcasts or any others that talk about this type of stuff, they often cite a case study or multiple case studies throughout their episodes or book. So why not take the material I’m learning and turn myself into my own case study?

Continue reading
« Older posts Newer posts »

© 2023 Tom McFarlin

Theme by Anders NorenUp ↑