[wp-hackers] idea: no SQL in themes

Owen Winkler ringmaster at midnightcircus.com
Tue Nov 15 22:23:14 GMT 2005

John Joseph Bachir wrote:
> But for the theme-only case, right off the bat it seems like it would be 
> possible to restrict theme access to $wpdb, class wpdb, and 
> wp-config.php, by having them check for the path of the 
> calling/including file. I swear I have seen this done in PHP before... I 
> will investigate and get back.

I think the point is that even if you were able to unset $wpdb or make 
$wpdb unavailable to the theme and still have WordPress function, you 
could still do this:

mysql_query('TRUNCATE wp_posts');

This is a PHP function that you can't disable, and it's really a better 
attack than trusting to the WP database object.

Maybe it's better to spend this time educating users on verifying the 
safety of their themes.  I haven't seen any overtly malicious themes 
yet, have you?  I imagine a system will soon exist for obtaining peer 
reviews on themes, either via themes.wordpress.net or Elixir, which 
should quell this issue a bit.


More information about the wp-hackers mailing list