[wp-hackers] Enable Sending Referrers
Owen Winkler
ringmaster at midnightcircus.com
Tue Aug 16 12:56:11 GMT 2005
Mark Jaquith wrote:
> I think a unique hash method might work nicely. md5() the DB password +
> post/comment ID. What are the downsides to this method?

If it wasn't obvious, this method would also have the benefit of working
from outside the admin for users that are logged in.

It might be beneficial for WordPress to provide a global server-unique
hash instead of individually generating hashes from the database
password for things like this, since the database password should
generally not be available after the wpdb object connects. Sure, if
malicious code is running on the server, the database password is easy
to obtain, but there's no reason to make it easy to dump the database
password onto the blog. It would be easy to tuck an unobtrusive
echo(DBPASS) into a theme, but harder to hide code that parses
wp-config.php to produce the same output.

If WordPress created a hash from the database password (with salt),
provided it to any core code/plugins for use in features like these, and
unset the database password (or undefined it), then things might be a
tad more secure. And any little bit helps.

Owen
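
The server-unique hash proposed in the message above, sketched as an added example (not WordPress code and not code from this thread). It uses HMAC-SHA256 in place of md5(), and the class name SiteSecret, the action strings and the sample values are all assumptions; the password is assumed to sit in a variable that can be unset once the database connection is open.

```php
<?php
// Added example, not WordPress code. All names here are hypothetical.

final class SiteSecret
{
    private static ?string $key = null;

    // Derive the server-unique key once, at bootstrap, from the DB password
    // and a per-install salt. HMAC-SHA256 is used here in place of md5().
    public static function init(string $dbPassword, string $salt): void
    {
        if (self::$key !== null) {
            throw new LogicException('site secret already initialised');
        }
        self::$key = hash_hmac('sha256', $dbPassword, $salt, true);
    }

    // Token bound to one action and one post/comment ID.
    public static function token(string $action, int $id): string
    {
        if (self::$key === null) {
            throw new LogicException('site secret not initialised');
        }
        return hash_hmac('sha256', $action . '|' . $id, self::$key);
    }

    // Constant-time comparison, so the check does not leak matching prefixes.
    public static function verify(string $action, int $id, string $token): bool
    {
        return hash_equals(self::token($action, $id), $token);
    }
}

// Constructed sample values standing in for what wp-config.php would hold.
$dbPassword = 'constructed-db-password';
$salt       = 'constructed-per-install-salt';

SiteSecret::init($dbPassword, $salt);
unset($dbPassword); // the connection is assumed to be open already

$t = SiteSecret::token('delete-comment', 42);
var_dump(SiteSecret::verify('delete-comment', 42, $t));  // same action and ID
var_dump(SiteSecret::verify('delete-comment', 43, $t));  // different ID
var_dump(SiteSecret::verify('approve-comment', 42, $t)); // different action
```

Plugins and themes only ever call token() and verify(), so code that prints a token exposes a value that cannot be turned back into the database password.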