[wp-hackers] Security Vulnerability found - Forum Post

Matt Mullenweg m at mullenweg.com
Thu Apr 14 19:40:17 GMT 2005


Robert Deaton wrote:
> PHP has this nice feature for variables called unset. unset('varname') 
> and you don't have to worry about the rest of the script being able to 
> access it. Call unset on the variables right after the database 
> connection is established and then it guarantees that you can't access 
> them elsewhere (minus inside the wpdb class if they're stored there, and 
> if so, it could be made not to store them there and not lose any 
> functionality).

I think this is a very good idea; I wish we had had it before 1.0.
Unfortunately:

"Constants may not be redefined or undefined once they have been set;"

I don't want to break everyone's config files. Perhaps instead of 
including wp-config.php we can evaluate it and extract that data out 
instead, though that would be slower.

-- 
Matt Mullenweg
http://photomatt.net  | http://wordpress.org
http://pingomatic.com | http://cnet.com
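
The following is an added example, not part of the original message and not WordPress code. It sketches the alternative raised above: reading the credentials out of the config source without including it, so that no constant is ever defined and the values live only in a variable that can be unset. It assumes PHP 7.4+ and swaps in the tokenizer instead of evaluating the file; the helper names `literal_value` and `extract_defines` and the sample config are hypothetical.

```php
<?php
// Constructed stand-in for a wp-config.php file; all values are placeholders.
$configSource = <<<'CONFIG'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'example-password');
define("DB_HOST", "localhost");
CONFIG;

// Hypothetical helper: decode a quoted PHP string literal (common escapes only).
function literal_value(string $lit): string
{
    $body = substr($lit, 1, -1);
    return $lit[0] === "'"
        ? strtr($body, ["\\\\" => "\\", "\\'" => "'"])
        : stripcslashes($body);
}

// Hypothetical helper: collect define(NAME, VALUE) pairs whose arguments are
// plain string literals, using the tokenizer. The file is never executed, so
// no constant is created.
function extract_defines(string $source, array $wanted): array
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $isLit = fn($t) => is_array($t) && $t[0] === T_CONSTANT_ENCAPSED_STRING;
    $found = [];
    for ($i = 0; $i + 5 < count($tokens); $i++) {
        [$fn, $open, $name, $comma, $value, $close] = array_slice($tokens, $i, 6);
        if (is_array($fn) && $fn[0] === T_STRING && strcasecmp($fn[1], 'define') === 0
            && $open === '(' && $isLit($name) && $comma === ',' && $isLit($value) && $close === ')') {
            $key = literal_value($name[1]);
            if (in_array($key, $wanted, true)) {
                $found[$key] = literal_value($value[1]);
            }
        }
    }
    return $found;
}

$creds = extract_defines($configSource, ['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST']);
// A real loader would open the database connection here (omitted to run offline).
$haveAll = count($creds) === 4;
unset($creds, $configSource); // variables can be destroyed; constants cannot
var_dump($haveAll, defined('DB_PASSWORD'), isset($creds));
```

`unset` removes the variable from scope so later code cannot read it by name; it does not guarantee the bytes are wiped from process memory.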

