[wp-hackers] idea: no SQL in themes

John Joseph Bachir jjb at ibiblio.org
Tue Nov 15 22:11:39 GMT 2005

On Tue, 15 Nov 2005, Robert Deaton wrote:

> Without devising a fully tag-based templating system that would 
> inevitable force us to lose some of the power of templates due to the 
> lack of the ability to use real PHP, I'm afraid that blocking out SQL 
> is, to my knowledge, impossible without modification of php.ini.
> Even if $wpdb was not available, the standard mysql calls are, or 
> regular function calls are, in which case you could wrap functions in a 
> plugin that you ask to be bundled and execute it from there, or even 
> include another file that defines the functions. Heck, you could even 
> grab the values of the constants set in wp-config and open up your own 
> mysql connection. The odds of us being able to stop this are severly in 
> our disfavor.

It's true, a malicious theme distributer might ask the user to install a 
certain plugin. It would be hard to protect against that case.

But for the theme-only case, right off the bat it seems like it would be 
possible to restrict theme access to $wpdb, class wpdb, and wp-config.php, 
by having them check for the path of the calling/including file. I swear I 
have seen this done in PHP before... I will investigate and get back.


More information about the wp-hackers mailing list