[wp-hackers] idea: no SQL in themes
John Joseph Bachir
jjb at ibiblio.org
Tue Nov 15 22:11:39 GMT 2005
On Tue, 15 Nov 2005, Robert Deaton wrote:
> Without devising a fully tag-based templating system that would
> inevitable force us to lose some of the power of templates due to the
> lack of the ability to use real PHP, I'm afraid that blocking out SQL
> is, to my knowledge, impossible without modification of php.ini.
> Even if $wpdb was not available, the standard mysql calls are, or
> regular function calls are, in which case you could wrap functions in a
> plugin that you ask to be bundled and execute it from there, or even
> include another file that defines the functions. Heck, you could even
> grab the values of the constants set in wp-config and open up your own
> mysql connection. The odds of us being able to stop this are severly in
> our disfavor.
It's true, a malicious theme distributer might ask the user to install a
certain plugin. It would be hard to protect against that case.
But for the theme-only case, right off the bat it seems like it would be
possible to restrict theme access to $wpdb, class wpdb, and wp-config.php,
by having them check for the path of the calling/including file. I swear I
have seen this done in PHP before... I will investigate and get back.
More information about the wp-hackers