[wp-hackers] Enable Sending Referrers

Owen Winkler ringmaster at midnightcircus.com
Tue Aug 16 12:56:11 GMT 2005


Mark Jaquith wrote:
> I think a unique hash method might work nicely.  md5() the DB password + 
> post/comment ID.  What are the downsides to this method?

If it wasn't obvious, this method would also have the benefit of working 
from outside the admin for users that are logged in.

It might be beneficial for WordPress to provide a global server-unique 
hash instead of individually generating hashes from the database 
password for things like this, since the database password should 
generally not be available after the wpdb object connects.  Sure, if 
malicious code is running on the server, the database password is easy 
to obtain, but there's no reason to make it easy to dump the database 
password onto the blog.  It would be easy to tuck an unobtrusive 
echo(DBPASS) into a theme, but harder to hide code that parses 
wp-config.php to produce the same output.

If WordPress created a hash from the database password (with salt), 
provided it to any core code/plugins for use in features like these, and 
unset the database password (or undefined it), then things might be a 
tad more secure.  And any little bit helps.

Owen
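As an added illustration (not code from this thread or from WordPress), the token scheme discussed above, built from a dedicated server-unique secret instead of the database password. SERVER_SECRET, make_action_token and verify_action_token are hypothetical names; the secret value is constructed.

```php
<?php
// Hypothetical server-unique secret, generated once at install time and
// kept in the config file rather than derived from DB_PASSWORD. The value
// below is a constructed placeholder, not a real secret.
define('SERVER_SECRET', 'a2f1c4e9b7d3085e6f01c2d4a6b8e0f1');

// Build a token bound to an action and an object ID (post or comment ID).
// A keyed hash over a dedicated secret gives the same per-object binding as
// md5(DB_PASSWORD . $id) but exposes nothing about the database credential
// if the token is ever leaked, logged, or echoed by a theme.
function make_action_token(string $action, int $object_id): string {
    $message = $action . ':' . $object_id;
    return hash_hmac('sha256', $message, SERVER_SECRET);
}

// Check a submitted token against the expected one in constant time, so that
// a mismatch does not leak how many leading bytes matched.
function verify_action_token(string $token, string $action, int $object_id): bool {
    $expected = make_action_token($action, $object_id);
    return hash_equals($expected, $token);
}

// Demonstration: a token issued for deleting comment 42 must not be accepted
// for comment 43 or for a different action.
$token = make_action_token('delete-comment', 42);
var_dump(verify_action_token($token, 'delete-comment', 42));
var_dump(verify_action_token($token, 'delete-comment', 43));
var_dump(verify_action_token($token, 'approve-comment', 42));
```

Because the secret never appears in any token, a handler can verify tokens after the database password has been discarded from memory, which is the property the message above asks for.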
