Alain Dwight

PHP/Wordpress: How can a URL delete a post?

I'm trying to wrap my head around how simply loading a URL can delete or modify comments or posts, which I presume are stored in the database. I've seen this ability referred to in several places:

https://codex.wordpress.org/Function_Reference/get_delete_post_link

class-wp-comments-list-table.php: $trash_url = esc_url( $url . "&action=trashcomment&$del_nonce" );

The Wordpress codex page on Nonces states: "For an example of how an nonce is used, an admin screen might generate a URL like this that trashes post number 123. You can see that the URL contains a nonce at the end: "

If anyone has a quick answer and can spare me waiting for my own conclusion, I'd appreciate it.

1 Answer

Hi, Alain Kassabian:

In layman's terms, HTTP (HyperText Transfer Protocol) has various verbs defined that browsers send & servers are supposed to accommodate in an expected way to generally perform a variety of tasks.

Usually this is directly on a resource. By convention, server-side code is to leverage these predefined verbs—like GET, POST, DELETE, & PUT—for clients to interact with the resources. This style has been known to be writing server-side code that supports Representational State Transfers (REST).

In everyday work, developers are encouraged to continually write their back-end code in a "RESTFUL" way. By following these conventions, people can more quickly be able to consume the resource (articles, comments, and so on).

Generally, an everyday user does nothing other than GET with an empty response body with such a request, while things like forms and so on explicitly change requests to use one of the other verbs and additional information in the response body to fulfill the request.

An example of the latter would be a form that requests to change a single account (PUT to http://example.com/accounts/kevinl) with a new password of 123 ({password: 123}). Server-side code, if written in a RESTFUL way, will update the password to 123 based on this information after validating the user has appropriate authentication & validation to make such a change.<sup>1</sup>

The code snippets below this sentence demonstrate:

Nonetheless, there's nothing stopping a developer or a group of developers from performing something such as a DELETE action from a GET request as a result of how they've written their code.

This is often at the expense of creating a less positive developer experience for developers/users of such a web application because it leads to unexpected behavior and research needed to get the results they were expecting.

This is the case here as server-side code—in this case written w/ PHP to be integrated with the Wordpress framework—was written in a way to read the query values appended to the URL (action & del_once) to do a particular thing.

Either way, a URL can delete a post—whether that follows conventions that HTTP deliberately created for particular things to happen for the response explicitly through HTTP verbs, or through a custom way of doing so a user has to learn through the documentation they (hopefully) provided is up to the server-side code corresponding to the URL of the request.

Does this thoroughly answer your question?

<sup>1</sup>:<small> (usually done through a cookie, an additional hash/dictionary of values to use HTTP's built-in way of handling authentication server-side can use, or JSON Web Tokens). </small>
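
An added example, not part of the original answer and not WordPress's own code: a minimal plain-PHP handler showing that the server-side code decides what a GET URL does, and why such a link carries a nonce. The function names, the `nonce` parameter, the secret and the sample posts are constructed for illustration, and the user name is assumed to come from an already authenticated session.

```php
<?php
// Added illustration only; every name below is hypothetical, none is a WordPress API.
const SECRET = 'constructed-demo-secret'; // constructed value; a real site keeps a random server-side key

// Token bound to one user, one action and one post, so it cannot be reused elsewhere.
function make_nonce(string $user, string $action, int $postId): string {
    return substr(hash_hmac('sha256', "$user|$action|$postId", SECRET), 0, 10);
}

// Build the kind of link an admin screen would render for the logged-in user.
function trash_link(string $user, int $postId): string {
    return '/post.php?' . http_build_query([
        'post'   => $postId,
        'action' => 'trash',
        'nonce'  => make_nonce($user, 'trash', $postId),
    ]);
}

// Server-side handler: the query string is only input; this code decides what happens.
function handle_request(string $url, string $user, array &$posts): string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    $postId = (int) ($q['post'] ?? 0);
    $action = (string) ($q['action'] ?? '');
    if ($action !== 'trash' || !isset($posts[$postId])) {
        return '400 bad request';
    }
    // Recompute the token for this user/action/post and compare in constant time.
    $expected = make_nonce($user, $action, $postId);
    if (!hash_equals($expected, (string) ($q['nonce'] ?? ''))) {
        return '403 invalid nonce'; // a guessed or forged link changes nothing
    }
    unset($posts[$postId]); // the state change, triggered by a plain GET URL
    return '200 trashed';
}

$posts = [123 => 'Hello world', 124 => 'Second post']; // constructed sample data

// 1. A link without the nonce, e.g. one embedded in a third-party page.
echo handle_request('/post.php?post=123&action=trash', 'alice', $posts), "\n";
// 2. A link generated for alice but loaded in bob's session.
echo handle_request(trash_link('alice', 124), 'bob', $posts), "\n";
// 3. The link alice's own admin screen rendered for her.
echo handle_request(trash_link('alice', 123), 'alice', $posts), "\n";
echo 'remaining post ids: ', implode(',', array_keys($posts)), "\n";
```

Only the third request removes a post; the first two are rejected because the token is missing or was issued for a different user.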

Alain Dwight

Hi,

I took a while to reply because I was digesting the information. You did answer the question very thoroughly and I'm glad you brought that course you linked to my attention, thanks. I still have some other questions about how the Wordpress action links for comments (ie. spam, approve, trash, etc.) function but they appear to be triggering some php script via AJAX... I am currently working through the Javascript and AJAX courses here until I solve my own problem or at least pose a coherent enough question for myself or someone else to come up with an explanation.