Nov 11

I am writing a WordPress plugin called DiveBook that is a plugin for logging dives and view other logged dives. The main part of this plugin is the input form for logging dives and a view where users can search and view logged dives. I want the WordPress administrators using this plugin to be able to inject the plugin in posts or pages. This post describes how I achieved plugin injection to posts or pages.

I chose to enable injection of the plugin (and php in general) by adding a filter that is evaluating the content and looking for php executable code inside a defined bracket.

First I add the filter in top of my main php file (divebook.php). In the filter I hook the content to function filter_php_code

//Add filter to filter executable php code in content
add_filter('the_content', 'filter_php_code', 0);

In my filter_php_code function I run a regexp on the content placed between the bracket [divebook] [/divebook]. The function get_php_from_output_buffer will get the regexp matching values from the output buffer as executable php code.

function filter_php_code($filter_content){
	$filter_content = preg_replace_callback('/\[divebook\]((.|\n)*?)\[\/divebook\]/', 'get_php_from_output_buffer', $filter_content);
	return $filter_content;

function get_php_from_output_buffer($matches){
    try {
        eval('ob_start();'.$matches[1].'$php_output = ob_get_contents();ob_end_clean();');
    } catch (Exception $ex) {
    return $php_output;

By doing so all executable code placed inside [divebook] [/divebook] will be called. I will use the input form created for logging dives as an example for this (the form is far from completed but it will work as an example). The GUI and logic for the input form is places in a function called dive_inputform(). The function checks if the user is logged in, if the user is logged in the form will be displayed. If the user is not logged in info about registering and login will be displayed.

 * Description: Settings page for editing plugin settings.
 * Author: Per Ola Saether

function dive_inputform(){
    if ( is_user_logged_in() ) {
        //Show dive input form
    } else {
        //Show register/login info

function show_register_info(){
    <p>You must <a href="<?php bloginfo('url'); ?>/wp-login.php">log in</a> to be able to log dives.</p>
    <p>It is easy to <a href="<?php bloginfo('url'); ?>/wp-register.php">register</a> as a user.</p>

function show_dive_inputform(){
    global $current_user;
         <input type="text" name="diver" disabled="true" value="<?php echo $current_user->display_name?>"/>
         <input type="text" name="date"/>
         <label>Dive buddies</label>
         <input type="text" name="divebuddies"/>


The input form can now easily be injected to any page or post in WordPress by simply adding the code below in the page or post.


I added this code to a page and the result is that the form is displayed just the way I want.

I must admit that I am quite new to WordPress plugin development and php so there might be better ways to achieve this. I’m also not sure about how this will affect performance and what kind of security threats I might have opened for by doing this. I will have to investigate those parts a bit closer before I publish the plugin. Right now I will continue with the GUI and logic for the input form and search view.

Follow me on twitter @PerOla

Share & enjoy
You can subscribe to my comments feed to keep track of new comments.

1 Comment to “Injecting WordPress plugin in posts or pages”

  1. jim says:

    good stuff…. thanks for share….

3 Pingbacks to “Injecting WordPress plugin in posts or pages”

  1. […] le reste: Injecting WordPress plugin in posts or pages Articles […]

  2. […] Injecting WordPress plugin in posts or pages […]

  3. […] This post was mentioned on Twitter by Per Ola Sæther, ThemeZip. ThemeZip said: Injecting WordPress plugin in posts or pages […]

Leave a Reply

Subscribe to my comments feed

Subscribe to my feeds Follow me on Twitter