php - Submitting comments to Wordpress without SSL /OAuth

Solution:

Well you can just use nonces to avoid XSS attacks, other then that you will obviously need your users to be logged in. Here is a simple way to do that.

https://wordpress.org/support/topic/plugin-json-api-how-to-add-a-comment-or-post

EDIT: If you just need to be able to post the comment with their name and email address. Use it as below, but make sure you enable "Respond controller" from the api settings

http://yourwebsite.com/api/?json=submit_comment&post_id=170&name=Omer&[email protected]&content=comment
Copy code

2nd Edit: For securing the comments you can use nonces, if its not a built in functionality into the plugin you will have to add this functionality inside the submit_comment controller. But it would be a bit hard to generate the nonces from your android application though. A simple solution would be to wrap the existing code in a condition. Something like a base64 encoded time token.

if(isset($_GET['token'])){
  $token = base64_decode($_GET['token']);
  $current_time = time();
  $difference = round(abs($current_time - $token) / 60,2);//difference in minutes
  if($difference < 5){
      // Run the code thats already in submit_comment controller.
  }
}
Copy code

Then in the REST api you can send something like

http://yourwebsite.com/api/?json=submit_comment&post_id=170&name=Omer&[email protected]&content=comment&token=BASE64_ENCODED_TIMESTAMP
Copy code