[wp-hackers] idea: no SQL in themes
Owen Winkler
ringmaster at midnightcircus.com
Tue Nov 15 22:23:14 GMT 2005
John Joseph Bachir wrote:
> But for the theme-only case, right off the bat it seems like it would be
> possible to restrict theme access to $wpdb, class wpdb, and
> wp-config.php, by having them check for the path of the
> calling/including file. I swear I have seen this done in PHP before... I
> will investigate and get back.
I think the point is that even if you were able to unset $wpdb or make
$wpdb unavailable to the theme and still have WordPress function, you
could still do this:
mysql_query('TRUNCATE wp_posts');
This is a PHP function that you can't disable, and it's really a better
attack than trusting to the WP database object.
Maybe it's better to spend this time educating users on verifying the
safety of their themes. I haven't seen any overtly malicious themes
yet, have you? I imagine a system will soon exist for obtaining peer
reviews on themes, either via themes.wordpress.net or Elixir, which
should quell this issue a bit.
Owen
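Owen's point is that a theme which never touches $wpdb can still reach the database through PHP's own MySQL extension, so the practical check is to look at what the theme's source actually calls. The following is an added example, not code from the thread or from WordPress: a small Python scanner that flags direct database extension calls (mysql_* from the era of this thread, plus its mysqli and PDO successors), destructive statements in string literals, and dynamically named calls that would hide a function name from the first two patterns. The sample theme source is constructed for the example; the pattern lists are a heuristic and will miss obfuscated code (base64 plus eval, string concatenation of a function name, and so on), which is why dynamic calls are reported for manual review rather than ignored.

```python
import re

# Constructed sample of a theme file: it uses $wpdb for one query, then
# bypasses the wrapper entirely with mysql_* and a variable-named call.
SAMPLE_THEME = r"""<?php
/* Theme Name: Constructed Example */
get_header();
$posts = $wpdb->get_results("SELECT ID FROM wp_posts");
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
mysql_query('TRUNCATE wp_posts');
$f = 'mysql_' . 'query'; $f('DROP TABLE wp_users');
get_footer();
"""

# Database entry points that bypass the wpdb wrapper: the mysql_* extension
# current when this thread was written, and the mysqli/PDO/pg_* APIs that
# replaced it.
DIRECT_DB_CALLS = re.compile(
    r"\b(mysql_[a-z_]+|mysqli_[a-z_]+|new\s+mysqli|new\s+PDO|pg_[a-z_]+)\s*\(",
    re.IGNORECASE,
)

# Destructive statements at the start of a string literal, whichever API
# ends up executing them.
DESTRUCTIVE_SQL = re.compile(
    r"['\"]\s*(TRUNCATE|DROP|DELETE|ALTER)\b", re.IGNORECASE
)

# Calls whose target is computed at runtime; the patterns above cannot see
# the real function name, so these are reported for manual review.
INDIRECT_CALL = re.compile(
    r"\$[A-Za-z_]\w*\s*\(|\b(call_user_func(_array)?|eval|create_function)\s*\("
)


def scan_theme_source(src):
    """Return (line_number, kind, detail) tuples for suspicious constructs.

    kind is one of 'direct-db-call', 'destructive-sql' or 'indirect-call'.
    An empty list means nothing matched, not that the theme is safe: this
    is a regex heuristic over source text, not a parser.
    """
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in DIRECT_DB_CALLS.finditer(line):
            findings.append((lineno, "direct-db-call", m.group(1)))
        for m in DESTRUCTIVE_SQL.finditer(line):
            findings.append((lineno, "destructive-sql", m.group(1).upper()))
        for m in INDIRECT_CALL.finditer(line):
            findings.append((lineno, "indirect-call", m.group(0).strip()))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in scan_theme_source(SAMPLE_THEME):
        print(f"line {lineno}: {kind}: {detail}")
```

Run against every .php file in a theme directory, the output is a review list rather than a verdict: a hit on mysql_connect or a TRUNCATE literal is almost certainly something a theme has no business doing, while an indirect-call hit only tells the reviewer where to read more carefully.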