
[Resolved] Recruiting system

This support ticket was created 6 years, 5 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.


#589176

Hi Guys,

I am trying to build a recruiting system and I wonder if that's possible with your software. I am thinking about asking the user to log in, and then displaying in the back end a post type called profile so they can fill the profile with info and keep it as a post type.

The question is the following: is there any way for them to hack the site from the backend? Like SQL injection or XSS.

And if you know any examples of sites that are already doing something similar with your software, please tell me some, so I can see how they did it.

Thank you!

#589254

The question is the following: is there any way for them to hack the site from the backend? Like SQL injection or XSS.
You're protected from SQL injection or XSS by WordPress's native security features, which are not bypassed by Toolset. That's not to say WordPress is foolproof. This vulnerability was pretty recent, but has been patched in the latest release:
hidden link

I would recommend using CRED instead of allowing your registered Users access to the back-end of the site. CRED has built-in SQL injection and XSS prevention, and can be used on the front-end of the site to manage any post type, or even a user's own WP account profile. You can use a CRED form to allow Users to register on your site, then use a bit of custom code that creates a Profile post automatically when that form is submitted (assuming you truly want a Profile post type). Use another CRED form to allow Users to modify their Profile post from the front-end of the site.

This can be a little tricky because you then have User data stored in two separate locations - some in the Profile post, and some in the User's WordPress profile. If you want to give the User the ability to change their login credentials, they wouldn't be able to do that with a Profile CRED form. That would require a User CRED form, or some very custom code. If you don't absolutely need a Profile post type for some other reason, I would try to accomplish everything in the User's WordPress profile for simplicity. One drawback to this approach is that you don't get the benefits of a custom post type, like a single post page created automatically for you on the front-end. So you'll have to weigh the options here. Let me know if you have additional questions.

Here's another ticket that discusses automatic post creation upon registration:
https://toolset.com/forums/topic/automatic-post-creation-on-registration/
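The answer above describes the pattern in words: let users register through a CRED form, create a Profile post for them from custom code, and keep them out of wp-admin. The following PHP is an added example of that pattern, written for this page; it is not code from the ticket and not Toolset's own code. It assumes a hypothetical CRED user form with ID 123, a custom post type with the slug "profile", and a hypothetical form field named "wpcf-headline"; it also assumes that Toolset's documented `cred_save_data` hook passes the new user's ID as its first argument for user forms, which you should verify against your Toolset version.

```php
<?php
/**
 * Added example (not from the ticket or from Toolset's own code):
 * create one "profile" post per newly registered user when a CRED
 * user form is submitted, and keep registered users out of wp-admin.
 *
 * Hypothetical values: CRED user-form ID 123, post type slug "profile",
 * form field name "wpcf-headline". Adjust these to your site.
 */

define( 'MY_PROFILE_FORM_ID', 123 );         // hypothetical CRED user-form ID
define( 'MY_PROFILE_POST_TYPE', 'profile' ); // hypothetical custom post type slug

/**
 * Runs after a CRED form has saved its data. For user forms the first
 * argument is assumed to be the new user's ID (based on Toolset's
 * documented cred_save_data hook; check this against your version).
 */
function my_create_profile_on_register( $user_id, $form_data ) {
    // React only to the registration form, not to every form on the site.
    if ( (int) $form_data['id'] !== MY_PROFILE_FORM_ID ) {
        return;
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    // Idempotency: one profile per user, even if the hook fires twice.
    $existing = get_posts( array(
        'post_type'   => MY_PROFILE_POST_TYPE,
        'author'      => $user_id,
        'post_status' => 'any',
        'numberposts' => 1,
        'fields'      => 'ids',
    ) );
    if ( ! empty( $existing ) ) {
        return;
    }

    // Treat everything that came from the form as untrusted input.
    $headline = isset( $_POST['wpcf-headline'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpcf-headline'] ) )
        : '';

    // wp_insert_post() writes through $wpdb with prepared statements, so the
    // values never reach SQL as raw strings; the post author is taken from the
    // authenticated user, never from anything the visitor submitted.
    $post_id = wp_insert_post( array(
        'post_type'   => MY_PROFILE_POST_TYPE,
        'post_title'  => sanitize_text_field( $user->display_name ),
        'post_status' => 'publish',
        'post_author' => $user_id,
    ), true );

    if ( is_wp_error( $post_id ) ) {
        error_log( 'profile creation failed: ' . $post_id->get_error_message() );
        return;
    }

    update_post_meta( $post_id, 'wpcf-headline', $headline );
}
add_action( 'cred_save_data', 'my_create_profile_on_register', 10, 2 );

/**
 * Keep front-end-only users out of wp-admin entirely, so the only way to
 * edit a profile is through the CRED form with its own validation.
 * Users who can edit posts (editors, admins) still reach the dashboard.
 */
function my_block_dashboard_for_subscribers() {
    if ( is_admin() && ! wp_doing_ajax() && ! current_user_can( 'edit_posts' ) ) {
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
}
add_action( 'admin_init', 'my_block_dashboard_for_subscribers' );

/**
 * Escape on output when the profile is rendered in a front-end template.
 * Sanitising on input above is not a substitute for this step.
 */
function my_profile_headline_html( $post_id ) {
    return esc_html( get_post_meta( $post_id, 'wpcf-headline', true ) );
}
```

Drop this into a small site plugin rather than the theme's functions.php so it survives theme changes. The three pieces map onto the three risks the answer raises: the form-ID check and `wp_insert_post()` keep user-supplied strings out of raw SQL, the `admin_init` redirect removes back-end access for ordinary users, and `esc_html()` on output covers XSS when the stored headline is displayed.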
