1. It assumes that “register globals” is turned on by accessing the GET variables directly. PHP no longer ships with register globals turned on by default, and it may even be removed in the next version of PHP. You can pretty much assume that anyone on a shared host will not have access to these variables. Better to define these variables explicity before using them:

$url = $_GET[url];
$api_key = $_GET[api_key];
$person = $_GET[person];
$limit = $_GET[limit];
$tags = $_GET[tags];

2. It also assumes that fopen URL access is enabled. Many hosts such as dreamhost have disabled this feature for security reasons. Trying to access a remote file using get_file_contents will fail in this case. Luckily, most hosts that do this will compile PHP with cURL support. Here is an alternative to get_file contents using curl:

$ch = curl_init();
$timeout = 5; // set to zero for no timeout
curl_setopt ($ch, CURLOPT_URL, $mag_url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$file_contents = curl_exec($ch);
curl_close($ch);

// display file
echo $file_contents;

Of course many homebrew versions of PHP don’t bother to include curl support, so maybe you want to include a check in your script that will try curl, and then fallback on get_file_contents if that fails?

Anyway, once I added these changes, the script worked fine (before, the XHR request failed, and no links were returned).

Something else I just noticed was that anyone who uses your plugin has their API key passed in plain text to and from the web browser. Correct me if I’m wrong, but wouldn’t this allow a malicious person to grab your API key to add/delete links to your ma.nolia bookmarks? Perhaps you should consider keeping the API key server side instead of passing it to the browser.

There’s still a bug in this where it has to match the URL exactly - if you look at my own installation, if you go to animejb.net instead of http://www.animejb.net it does the same thing. I have no idea how to fix it at the moment.