[theme-reviewers] Alternative to eval()

Andrew Nacin wp at andrewnacin.com
Fri Jul 1 06:23:57 UTC 2011


On Fri, Apr 29, 2011 at 10:00 AM, Rahul Bansal <rahul.bansal at rtcamp.com> wrote:

> So far, I believe, exploring an eval()-like alternative is not a good idea.
> Though I will try create_function as suggested by Otto and see how it
> works.
>

Incredibly late reply on this, but I'd rather create_function() be banned
from themes. Arbitrary PHP is insecure -- especially user-inputted PHP --
and, keep in mind, it would make the theme insecure for multisite.
create_function() is just as dangerous as eval() or assert() or any other
arbitrary execution device, whether used incorrectly or maliciously.

Nacin
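An added illustration, not code from this thread or from WordPress, of the distinction Nacin draws: create_function() compiles its string argument at runtime exactly as eval() does, whereas a closure keeps the code fixed and passes values in as data. The function names and the sample label are assumptions made for the example.

```php
<?php
// Added example (not from the thread): why create_function() is eval() in
// disguise, and the closure form a reviewer can accept instead.
// The $label values are constructed samples; nothing here reads real input.

// REJECTED pattern: the callback body is assembled as a string and handed to
// the PHP compiler at runtime. Whatever is interpolated into that string
// becomes PHP source, so the value's content decides what code runs.
// (create_function() is deprecated since PHP 7.2 and removed in PHP 8.0.)
function make_filter_unsafe($label) {
    return create_function('$title', 'return "' . $label . ': " . $title;');
}

// ACCEPTED pattern: the code is fixed when the theme is written; $label is
// bound through `use` as an ordinary value, so it is only ever a string.
function make_filter_safe($label) {
    return function ($title) use ($label) {
        return $label . ': ' . $title;
    };
}

// The safe form behaves the same for ordinary input...
$filter = make_filter_safe('Blog');
echo $filter('Hello world'), PHP_EOL;

// ...and treats a label containing quote characters as plain text, whereas
// the create_function() version would have compiled those characters as code.
$filter = make_filter_safe('It"s "quoted"');
echo $filter('Hello world'), PHP_EOL;
```

For theme review, the practical check is the same one Nacin implies: treat `eval(`, `create_function(` and `assert(` with a string argument as a single category and reject all three.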