[wp-hackers] idea: no SQL in themes

Robert Deaton false.hopes at gmail.com
Tue Nov 15 22:20:30 GMT 2005


Unless you plan on parsing the files beforehand, it can't be done, and
even then some minor obfuscation could get right around it. Moving to
a non-PHP templating system is the only way to avoid this.

On 11/15/05, John Joseph Bachir <jjb at ibiblio.org> wrote:
> On Tue, 15 Nov 2005, Robert Deaton wrote:
>
> > Without devising a fully tag-based templating system that would
> > inevitably force us to lose some of the power of templates due to the
> > lack of the ability to use real PHP, I'm afraid that blocking out SQL
> > is, to my knowledge, impossible without modification of php.ini.
> >
> > Even if $wpdb was not available, the standard mysql calls are, or
> > regular function calls are, in which case you could wrap functions in a
> > plugin that you ask to be bundled and execute it from there, or even
> > include another file that defines the functions. Heck, you could even
> > grab the values of the constants set in wp-config and open up your own
> > mysql connection. The odds of us being able to stop this are severely in
> > our disfavor.
>
> It's true, a malicious theme distributor might ask the user to install a
> certain plugin. It would be hard to protect against that case.
>
> But for the theme-only case, right off the bat it seems like it would be
> possible to restrict theme access to $wpdb, class wpdb, and wp-config.php,
> by having them check for the path of the calling/including file. I swear I
> have seen this done in PHP before... I will investigate and get back.
>
> John
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>


--
--Robert Deaton
http://somethingunpredictable.com
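The caller-path check John describes, sketched as an added example (not code from this thread or from WordPress): a query wrapper walks the PHP call stack and refuses to run when any frame's file lives under the themes directory. The themes path, the function names and the use of mysqli are assumptions for illustration.

```php
<?php
// Added example, not code from the thread or from WordPress. It sketches the
// caller-path check John proposes: a query wrapper that walks the PHP call
// stack and refuses to run when any frame's file lives under the themes
// directory. The directory path and the function names are assumptions.

function called_from_directory(string $dir): bool
{
    // Normalise to an absolute path with a trailing separator so that
    // "/site/wp-content/themes-extra" does not match "/site/wp-content/themes".
    $real = realpath($dir);
    $dir  = rtrim($real !== false ? $real : $dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    foreach (debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS) as $frame) {
        if (!isset($frame['file'])) {
            continue;                      // internal frames carry no file
        }
        $file = realpath($frame['file']);  // resolve symlinks and ../ segments
        if ($file === false) {
            $file = $frame['file'];
        }
        if (strncmp($file, $dir, strlen($dir)) === 0) {
            return true;                   // some caller on the stack is a theme file
        }
    }
    return false;
}

// Hypothetical guard around the database handle. The themes directory is
// assumed here; a real install would derive it from the WordPress constants.
function guarded_query(mysqli $db, string $sql)
{
    $themes_dir = __DIR__ . '/wp-content/themes';   // assumed location
    if (called_from_directory($themes_dir)) {
        trigger_error('Direct database access from a theme is not permitted', E_USER_WARNING);
        return false;
    }
    return $db->query($sql);
}
```

As Robert's reply points out, this only covers code paths that go through the wrapper: a theme that calls the MySQL extension directly, or opens its own connection with the constants from wp-config, never reaches this check.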

