Does the Admin Ads Plugin Process PHP?

Hi,

Does the Admin Ads Plugin Process PHP?
It would make sense to do so, since only the super admin can manage it anyways, so it would not be a security threat at all.

Thanks,
Adrian

  • aristath

    Hello there @taropaa, I hope you're well today!
    The problem with that is you'd have to do eval on that field in order to run the PHP... which would allow you to completely wreck your site.
    As mentioned in the PHP Docs:

    Caution: The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

    Not to mention that the performance of eval() is not that good and would slow down your site.

    With that in mind, we do not allow executing PHP code there.
    Most (if not all) ad-servers (including OpenX - now called Revive) have a JS implementation, so allowing admins to add ads via PHP is redundant.
    After all, if you really need to add ads via PHP you can always do that directly in your template files. :slight_smile:

    I hope that helps!

    Cheers,
    Ari.

  • aristath

    I see what you mean...
    I have notified the plugin developer of this issue, requesting his feedback.
    Please keep in mind though that plugin developers have a lot of responsibilities so this might take a bit longer than a normal ticket.

    If I may offer an alternative though...
    You could write a custom function that exposes the current user's username in a custom URL, and then use that in your JS script in your ads.

    Not ideal... but it would work. :slight_smile:

    I hope the plugin developer will be able to help more than I was...

    Cheers,
    Ari.

  • Dharmendra

    Hello taropaa,

    Hope you are well, and sorry for the delayed response.

    As aristath has described earlier, the eval() language construct is very dangerous because it allows execution of arbitrary PHP code, so you will need to be very careful while adding the PHP code.

    To accomplish this, you will need to change the core code of the wp-content\plugins\admin-ads\admin-ads.php file at line no. 76:

    echo '<div class="wpmu-notice">'.stripslashes( $admin_ads_data ).'</div>';

    To

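    echo '<div class="wpmu-notice">';
    $admin_ads_data = stripslashes( $admin_ads_data );
    // Only evaluate the field when it contains a PHP open tag.
    if ( strpos( $admin_ads_data, "<" . "?php" ) !== false ) {
        // Buffer whatever the evaluated code prints.
        ob_start();
        // The prefixed closing tag makes eval() start in HTML mode,
        // so the field is parsed like a template file.
        eval( "?" . ">" . $admin_ads_data );
        $admin_ads_data = ob_get_contents();
        ob_end_clean();
    }
    echo $admin_ads_data;
    echo "</div>";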

    Hope it helps :slight_smile: Please feel free to ask more questions if you have any.
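
An eval-free way to get the current username into the ad markup, as an added example that is not part of any reply in this thread or of the plugin's code: the stored field is treated as data, and only allowlisted placeholders are substituted with values escaped for their context. The function name `render_ad_markup()`, the `{{...}}` token names, the `ads.example` URL and the sample values are assumptions made for illustration.

```php
<?php
// Added example: allowlisted placeholders instead of eval() on the ad field.
// render_ad_markup() and the token names below are hypothetical.

/**
 * Replace known {{token}} placeholders in stored ad markup with escaped
 * values. The markup is never executed, so a PHP open tag in the field
 * is printed as inert text instead of being run.
 */
function render_ad_markup(string $stored, array $context): string
{
    $login = (string) ($context['user_login'] ?? '');

    // One token per output context, each already escaped for that context.
    $tokens = [
        // HTML text or attribute value
        'username'     => htmlspecialchars($login, ENT_QUOTES, 'UTF-8'),
        // URL query component
        'username_url' => rawurlencode($login),
        // JavaScript string literal inside an inline script element
        'username_js'  => (string) json_encode(
            $login,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        ),
    ];

    return (string) preg_replace_callback(
        '/\{\{([a-z_]+)\}\}/',
        // Tokens that are not on the allowlist are emitted unchanged.
        fn(array $m): string => $tokens[$m[1]] ?? $m[0],
        $stored
    );
}

// Constructed sample of what a super admin might save in the ad field.
$stored = '<a href="https://ads.example/click?u={{username_url}}">Hi {{username}}</a>'
        . '<script>var adUser = {{username_js}};</script>'
        . '<?php echo "not executed"; ?>';

// Constructed value; in WordPress it would come from
// wp_get_current_user()->user_login.
$context = ['user_login' => 'adrian "a&b" <x>'];

echo '<div class="wpmu-notice">', render_ad_markup($stored, $context), '</div>', PHP_EOL;
```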