The best hook to use is still the query_string filter. Unfortunately, this specific filter is technically deprecated (and may be removed at some point). You’re supposed to use the request filter now. However, the request filter doesn’t seem to provide quite as much functionality as the query_string filter. Namely, there doesn’t appear to be a good way to check for is_home (which is important for our purposes).

<?php

/*
 * Plugin Name: Custom Hemingway Home Query
 * Plugin URI: http://moggy.laceous.com/2008/08/15/paging-hemingway-part-deux/
 * Description: Gives you the ability to use the paging links on your homepage (works with Hemingway and HemingwayEx)
 * Version: 0.2a
 * Author: moggy
 * Author URI: http://moggy.laceous.com
 */

add_filter('query_string', 'custom_hem_home_query');
function custom_hem_home_query($query_string) {
	global $wp_query;
	$wp_query->parse_query($query_string); //required in order to check is_home
	if ($wp_query->is_home) {
		if (strlen($query_string) > 0) {
			$query_string .= '&';
		}
		$query_string .= 'posts_per_page=2';
		global $hemingwayEx;
		if (isset($hemingwayEx)) {
			if (method_exists($hemingwayEx, 'get_asides_category_id')) {
				$category_id = $hemingwayEx->get_asides_category_id();
				if (!is_null($category_id) && !empty($category_id) && is_numeric($category_id)) {
					$query_string .= '&cat=-' . $category_id;
				}
			}
		}
	}
	return $query_string;
}

?>

An alternate way to do this would be to hook into the pre_get_posts action. Unfortunately, there’s a down-side here as well. Namely, if you create a new WP_Query object then this method might interfere with your new WP_Query instance (rather than just affecting the main loop). I ran into this very problem with my asides widget, and had to throw in a category check in the code below.

<?php

/*
 * Plugin Name: Custom Hemingway Home Query
 * Plugin URI: http://moggy.laceous.com/2008/08/15/paging-hemingway-part-deux/
 * Description: Gives you the ability to use the paging links on your homepage (works with Hemingway and HemingwayEx)
 * Version: 0.2b
 * Author: moggy
 * Author URI: http://moggy.laceous.com
 */

add_action('pre_get_posts', 'custom_hem_home_query', 1, 1);
function custom_hem_home_query($wp_query) {
	if (is_home()) { //at this point is_home is already set
		$wp_query->query_vars['posts_per_page'] = 2;
		//$wp_query->query['posts_per_page'] = 2; //only setting query_vars seems to matter
		if (isset($GLOBALS['hemingwayEx'])) {
			if (method_exists($GLOBALS['hemingwayEx'], 'get_asides_category_id')) {
				$category_id = $GLOBALS['hemingwayEx']->get_asides_category_id();
				if (!is_null($category_id) && !empty($category_id) && is_numeric($category_id)) {
					//check if the category has already been set
					//if I don't check this then it breaks my asides widget
					if (strlen($wp_query->query_vars['cat']) <= 0) {
						$wp_query->query_vars['cat'] = '-' . $category_id;
					}
				}
			}
		}
	}
}

?>

To get this to work you’ll still need to follow the 3 steps from my original post. Namely (that’s número tres for those of you counting along at home *wink wink*), copying the PHP code into a file (i.e. custom_hem_home_query.php) and uploading to your plugins folder (don’t forget to activate the plugin when you’re ready), commenting out the custom query in your theme’s index.php file (the query_posts line towards the top), and adding the paging links to your home page (also in your theme’s index.php file).

RESTfully designed web-services use POST, GET, PUT, and DELETE.

Behind the scenes a basic GET request looks like this:

GET /path/to/file.php HTTP/1.1
Host: www.domain.com

If you were to type this URL into your browser it would look like http://www.domain.com/path/to/file.php

Similarly, a POST to the same URL would look like this:

POST /path/to/file.php HTTP/1.1
Host: www.domain.com

(Note: For the purpose of these examples I’m leaving out other request headers such as User-Agent, Keep-Alive, Connection, etc. that you might normally see when using a web browser)

When you do a GET or POST you can also pass in variables. Consider a web page with a form that asks you to submit your first and last name.

The GET request might look like this:

GET /path/to/file.php?FirstName=John&LastName=Doe HTTP/1.1
Host: www.domain.com

As you can see, the variables are attached to the URL. In your browser this would look like http://www.domain.com/path/to/file.php?FirstName=John&LastName=Doe. These type of request variables are sometimes known as GET variables.

The POST version of this request would look like this:

POST /path/to/file.php HTTP/1.1
Host: www.domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

FirstName=John&LastName=Doe

As you can see, the variables aren’t appended to the URL in a POST, but instead submitted following the request headers. Variables submitted in this way are sometimes known as POST variables. In this example I also set the Content-Length and Content-Type headers indicating that this POST was submitting name/value pairs. You can also submit other data via POST such as uploading a file (and you would want to set the Content-Type appropriately).

PHP has two superglobals called $_GET and $_POST. These arrays are automatically populated by PHP based on the request.

It should be noted that it’s technically possible to submit a POST request with both GET and POST-type variables.

POST /path/to/file.php?variable1=value1&variable2=value2 HTTP/1.1
Host: www.domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

FirstName=John&LastName=Doe

In this case, $_GET would be populated with:

Array
(
    [variable1] => value1
    [variable2] => value2
)

And $_POST would be populated with:

Array
(
    [FirstName] => John
    [LastName] => Doe
)

Using A Custom Request Method
What happens if you want to create a RESTful web-service and submit a PUT request to a PHP page? What if you want to make up your own request method; how do you handle that with PHP?

Consider the following request:

MYMETHOD /path/to/file.php HTTP/1.1
Host: www.domain.com
Content-Length: 27

FirstName=John&LastName=Doe

In this example I’m submitting POST-style variables with my own made-up request method called MYMETHOD. I could just as easily substitute MYMETHOD with PUT. You can easily submit this type of request with a Firefox extension called RestTest. You can verify what is actually being sent with another extension called Live HTTP Headers.

(Note: Some servers may be locked down to only allow certain request methods. If you make a request with a method that’s not allowed then the server will respond back with a 405 Method Not Allowed error. A 405 response will include a response header letting you know which methods are allowed.)

If you don’t want to rely on the convenience of $_GET and $_POST then you can always parse out the raw data yourself.

• $_SERVER['QUERY_STRING'] is the raw version of $_GET
• php://input is the raw version of $_POST

You should never have to parse out the query string manually, but $_POST is only populated if the request method is POST and an appropriate Content-Type is set.

To get our raw MYMETHOD data we could do something like this:

if ($_SERVER['REQUEST_METHOD'] == 'MYMETHOD')
{
  $raw_data = file_get_contents('php://input');
}

We could then parse out the raw data into a $_MYMETHOD variable (to mimic $_GET and $_POST).

$array = explode('&', $raw_data);
foreach($array as $item)
{
  list($key, $value) = explode('=', $item);
  $_MYMETHOD[$key] = $value;
}

Putting It All Together
Besides using a tool like RestTest, we can also create a web page that submits a MYMETHOD request. We’ll do this by using some JavaScript and making an Ajax request with the XMLHttpRequest object.

<?php
if ($_SERVER['REQUEST_METHOD'] == 'MYMETHOD' && strpos($_SERVER['CONTENT_TYPE'], 'application/x-javascript') !== FALSE):
  $raw_data = file_get_contents('php://input');
  $array = explode('&', $raw_data);
  foreach($array as $item)
  {
    list($key, $value) = explode('=', $item);
    $_MYMETHOD[$key] = $value;
  }
  print_r($_MYMETHOD);

else:
?>
<html>
<head>
<script type="text/javascript">
/**
 * Bridge XMLHTTP to XMLHttpRequest in pre-7.0 Internet Explorers
 */
if( typeof XMLHttpRequest == "undefined" )
  XMLHttpRequest = function() {
    try { return new ActiveXObject("Msxml2.XMLHTTP.6.0") } catch(e) {}
    try { return new ActiveXObject("Msxml2.XMLHTTP.3.0") } catch(e) {}
    try { return new ActiveXObject("Msxml2.XMLHTTP") }     catch(e) {}
    try { return new ActiveXObject("Microsoft.XMLHTTP") }  catch(e) {}
    throw new Error( "This browser does not support XMLHttpRequest or XMLHTTP." )
  };

function ajax(url, vars) {
  var request = new XMLHttpRequest();
  request.open("MYMETHOD", url, true);
  request.setRequestHeader("Content-Type", "application/x-javascript;");

  request.onreadystatechange = function() {
    if (request.readyState == 4 && request.status == 200) {
      if (request.responseText) {
        alert(request.responseText);
      }
    }
  };

  request.send(vars);
}
</script>
</head>
<body>

<input type="button" value="click for ajax" onclick="javascript:ajax('<?php echo $_SERVER['PHP_SELF']; ?>', 'FirstName=John&amp;LastName=Doe');" />

</body>
</html>
<?php endif; ?>

If you copy this into a PHP file (i.e. mymethod.php), upload it to a PHP-enabled web server, and navigate to it with your web browser you’ll see a button that says click for ajax. If you click the button, an asynchronous MYMETHOD request will be sent, the server will parse out the sent name/value pairs and send the processed data back to the browser. The user will then be presented with an alert popup containing the following text:

Array
(
    [FirstName] => John
    [LastName] => Doe
)

With the release of WordPress 2.5, passwords are now hashed up by phpass before entering the database. Further complicating the matter, phpass salts each password before hashing. This change effectively “breaks” Semisecure Login. Using a plugin, it’s possible to revert back to the md5 hashes, and Semisecure Login for WordPress 2.5 takes advantage of this.

On the other hand, I wanted to keep using the new phpass hashes and still provide a semisecure login environment. This thread details the difficulty in making this happen. There didn’t seem to be any way to use one-way hashing, and using standard secret-key encryption was out (for obvious reasons). The only thing that left me with was to try and use public-key encryption.

RSA is a popular public-key algorithm, and I was able to find a few implementations in both JavaScript and PHP. My main criteria in picking which implementation(s) to use were (1) interoperability between JavaScript and PHP, (2) efficiency, speed, and performance and (3) a solution that would work for most shared hosts. I ended up settling on the jsbn library for JavaScript and OpenSSL on the PHP side. Unfortunately, PHP’s built-in openssl functions are rather limited when it comes to generating RSA keypairs, so I had to rely on making calls directly against openssl when generating a keypair. This works great on a Linux server but is currently untested on Windows (although I have a feeling it would work as long as the folder where OpenSSL lives was added to the system path).

Download
You can download Semisecure Login Reimagined at its official Wordpress page. Additional information, such as installation instructions and changelog, are located there as well.

Requirements

• Wordpress: 2.1 to 2.5.1 (2.5.1 is the latest version at the time of this post)
• PHP: 4 or 5 (tested as far back as 4.4.6 and up to 5.2.6)
• OpenSSL (initial keypair generation is handled by direct calls, while decryption is handled by built-in PHP functions)

All tests were performed on various Linux servers. PHP’s program execution functions need to be enabled for the initial keypair generation (safe mode should also be disabled for this). After the keypair is generated, it’s safe to go ahead and re-disable these functions and/or re-enable safe mode. Everyday use of this plugin relies on PHP’s built-in openssl functions.

Update (6/13/08)
As of v1.1.0, keypair generation will work even if safe mode is enabled or the PHP execution fuctions have been disabled. This alternative keypair generation mode will only work if you’re running PHP 5.2.0 or greater, however.

AuthName "Folder Protection"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
Require valid-user

For help with generating a valid .htpasswd file, you can use a tool like Dynamic Drive’s .htaccess Password Generator. There are plenty of tutorials online that explain this process.

On the other hand, it’s much harder to find information about unprotecting a sub-folder of a folder that is protected in the manner specified above. Some posts I read implied that it wasn’t possible at all. I finally found the answer here and here. Basically, in the sub-folder you’re trying to unprotect, you simply need to create a new .htaccess file and add the following:

Satisfy Any