[wp-hackers] Page with only articles from category x.

Stephane Daury wordpress at tekartist.org
Thu Aug 30 03:12:10 GMT 2007


On Aug 29, 2007, at 13:19, Alex Polite wrote:

>> While these aren't necessarily the best use of them, IMO, if you want
>> to make a single Page that does PHP code, this is the best way.
>
>> PHPExec and runPHP and such should be avoided unless absolutely
>> necessary.
>
> For security reasons or?

Allowing PHP code in a page or post content (or any user-modifiable content) is begging for injection attacks, which is when someone finds a way to execute code on your server from the comfort of their web browser.

http://en.wikipedia.org/wiki/Code_injection

Never a good thing.

Imagine if I could pass the following command to your server?
<?php echo file_get_contents('/etc/passwd').file_get_contents('/etc/shadow'); ?>

Now I'd have access to your box with the help of any widely available quick password cracker.
This is only compounded by the widespread use of non-SSL login by WordPress users.

Stephane
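The contrast the message draws, shown as an added illustration (not code from this thread, from WordPress core, or from any named plugin): the filter that executes stored post content beside the page-template approach the quoted reply calls "the best way", plus a small audit helper. It assumes a WordPress install where add_filter(), esc_html(), get_header() and get_footer() exist; the template file name and the sample rows are constructed.

```php
<?php
// Added illustration for this thread; not code from the wp-hackers list,
// WordPress core, or any named plugin. Assumes a WordPress install
// (add_filter(), esc_html(), get_header()/get_footer() exist).

// (a) The pattern the message warns against: a content filter that pulls a
//     [php]...[/php] block out of user-editable post_content and runs it.
//     Whoever can write to post_content (an editor account, a session
//     stolen over a non-SSL login, any injection into the database)
//     gets code execution on the server.
function unsafe_php_in_content( $content ) {
    return preg_replace_callback(
        '#\[php\](.*?)\[/php\]#s',
        function ( $m ) {
            ob_start();
            eval( $m[1] );   // database content becomes executable code
            return ob_get_clean();
        },
        $content
    );
}
// add_filter( 'the_content', 'unsafe_php_in_content' ); // never enable this

// (b) The alternative the quoted reply calls "the best way": a page template.
//     The PHP lives in a theme file on disk, changeable only by someone with
//     file access, and the Page record in the database merely selects it.
//
//     wp-content/themes/YOUR-THEME/page-report.php (hypothetical file name):
//
//       <?php
//       /* Template Name: Report page */
//       get_header();
//       echo esc_html( 'Generated: ' . gmdate( 'Y-m-d' ) );   // logic stays in code
//       get_footer();

// (c) Audit helper for an existing site: flag stored content that carries
//     executable markers so it can be reviewed before any such plugin runs it.
function find_executable_markers( array $posts ) {
    $flagged = array();
    foreach ( $posts as $post ) {
        if ( preg_match( '#<\?php|\[php\]#i', $post['post_content'] ) ) {
            $flagged[] = $post['ID'];
        }
    }
    return $flagged;
}

// Constructed sample rows, standing in for rows from wp_posts:
$sample = array(
    array( 'ID' => 7, 'post_content' => 'Plain text page.' ),
    array( 'ID' => 9, 'post_content' => '[php]phpinfo();[/php]' ),
);
print_r( find_executable_markers( $sample ) );
```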

