I’m building my site locally.
Since I want users to be able to write only specific terms in the search bar, I put a jQuery script in the wp-content\themes\sitename\js folder. The script works fine, but I noticed that the script can be bypassed in a simple way.
For example, suppose that the search bar accepts only strings with 3 characters, so if I write abcd and press enter I get an error, but if I write abc and press enter then it works and the Search Results page will have the url
http://localhost/sitename/?s=abc
But it’s enough to modify the url to be
http://localhost/sitename/?s=abcd
and press enter, to bypass the search bar script.
How to avoid this?
I have 2 ideas, use the function get_search_query, or remove the keyword from the url so that independently from the keyword the url will be, for example
http://localhost/sitename/search
But I don't know how to use the function or how to remove the keyword from the url (if it is possible).
asked Jun 14, 2019 at 12:58 by sound wave, edited Jun 14, 2019 at 13:14
- 2 This would need to be implemented in the server side PHP, a JS based solution might provide client-side validation, but you shouldn't rely on client-side restrictions to enforce things – Tom J Nowell ♦ Commented Jun 14, 2019 at 13:33
- Thank you for the comment. So isn't it enough to show an error page when the search query does not respect the rules set in my .js file? Or, is there a way to know if the search query was inserted in the url rather than in the search bar, and then show an error page where it is written that searches through url editing are forbidden? Thanks – sound wave Commented Jun 14, 2019 at 17:53
- 1 Look at it this way, if I turn off JS in my browser or your JS file fails to load, nothing would stop me breaking your validation rule, so it has to be server side – Tom J Nowell ♦ Commented Jun 14, 2019 at 18:03
1 Answer
You want to use the pre_get_posts action to modify the search query on the server side. The pre_get_posts Codex page has some examples to get you started.
To target the main search query, try this:
function my_search_filter( $query ) {
    if ( ! is_admin() && $query->is_main_query() ) {
        if ( $query->is_search ) {
            // Use $query->set(); to do stuff here.
        }
    }
}
add_action( 'pre_get_posts', 'my_search_filter' );
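
The following is an added example, not part of the original answer: it enforces the question's search-bar rule on the server inside the same pre_get_posts hook, so that editing ?s= in the URL is checked just like input typed into the search bar. It assumes the rule is "exactly 3 ASCII letters"; the sitename_ function names are hypothetical.

```php
<?php
// Added example. Assumption: a valid term is exactly 3 ASCII letters
// (the question's example rule). The "sitename_" names are hypothetical.

/**
 * Return true only when the raw search term satisfies the rule.
 */
function sitename_is_valid_search_term( $term ) {
    // A request such as ?s[]=x yields a non-string value; never accept it.
    if ( ! is_string( $term ) ) {
        return false;
    }
    // \A and \z anchor the whole string; a bare "$" would also accept
    // a term followed by a trailing newline (?s=abc%0A).
    return 1 === preg_match( '/\A[a-z]{3}\z/i', $term );
}

/**
 * Apply the rule to the main front-end search query.
 */
function sitename_enforce_search_rule( $query ) {
    if ( is_admin() || ! $query->is_main_query() || ! $query->is_search() ) {
        return;
    }

    // The value comes from the request, whether it was typed into the
    // search bar or written directly into the URL.
    if ( sitename_is_valid_search_term( $query->get( 's' ) ) ) {
        return;
    }

    // Rejected term: no post has ID 0, so the query returns no results
    // and the theme renders its normal "nothing found" search page.
    $query->set( 'post__in', array( 0 ) );
}
add_action( 'pre_get_posts', 'sitename_enforce_search_rule' );
```

The jQuery check can stay in place for user feedback; this hook is what actually enforces the rule, including when JavaScript is disabled or fails to load.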