[wp-hackers] idea: no SQL in themes

Ryan Boren ryan at boren.nu
Wed Nov 16 00:41:44 GMT 2005

On Tue, 2005-11-15 at 20:52 +0000, David House wrote:
> On 15/11/05, John Joseph Bachir <jjb at ibiblio.org> wrote:
> > What do people think of the idea of not allowing database calls in themes?
> > There would be an obvious security benefit, but also it would make it
> > easier for less geeky people to develop wordpress themes.
> I don't see any reason for positively banning SQL calls, but certainly
> providing a comprehensive API for all possible DB calls is a good
> idea.

Indeed.  Themes shouldn't use $wpdb directly.  We need to provide an API
for them to use. Taking comments-popup.php as an example:

$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE
comment_post_ID = $id AND comment_approved = '1' ORDER BY

This could be replaced with something like

$commentstatus = $wpdb->get_row("SELECT comment_status, post_password
FROM $wpdb->posts WHERE ID = $id");

This should use get_post() so that the cache is used.
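As an added illustration of the API the post asks for (this is example code, not WordPress code and not from the post): the theme calls two wrapper functions instead of touching $wpdb. The wrappers force the post ID to an integer before it reaches SQL, and read comment_status/post_password through get_post() so the object cache is used instead of a second query. The function names theme_get_approved_comments() and theme_comments_allowed() are hypothetical, the ORDER BY column is an assumption (the post's query is cut off before it), and the block assumes it runs inside WordPress so that $wpdb and get_post() exist.

```php
<?php
// Added example, not WordPress or wp-hackers code. Assumes WordPress is loaded
// ($wpdb and get_post() available). Function names are hypothetical.

// Theme-facing replacement for the raw $wpdb->get_results() in
// comments-popup.php. The theme never sees SQL; the only value that reaches
// the query is an integer, so input such as "5 OR 1=1" from a query string
// cannot alter the WHERE clause.
function theme_get_approved_comments($post_id) {
    global $wpdb;
    $post_id = (int) $post_id;          // non-numeric input becomes 0
    if ($post_id <= 0) {
        return array();
    }
    $rows = $wpdb->get_results(
        "SELECT * FROM $wpdb->comments"
        . " WHERE comment_post_ID = $post_id AND comment_approved = '1'"
        . " ORDER BY comment_date ASC"      // assumption: ordering column not shown in the post
    );
    return $rows ? $rows : array();     // get_results() may return null on no rows
}

// Replacement for the get_row() on comment_status/post_password: read the
// post through get_post(), which serves it from the cache when possible,
// rather than querying wp_posts directly.
function theme_comments_allowed($post_id) {
    $post = get_post((int) $post_id);
    if (!$post) {
        return false;                   // unknown ID: show nothing
    }
    if ($post->comment_status !== 'open') {
        return false;                   // comments closed on this post
    }
    // Password-protected posts are reported as not showable here; the
    // password check itself is assumed to happen in the calling template.
    return $post->post_password === '';
}

// Theme usage: no SQL in the template, untrusted $_GET value never touches it.
$post_id = isset($_GET['p']) ? $_GET['p'] : 0;
if (theme_comments_allowed($post_id)) {
    foreach (theme_get_approved_comments($post_id) as $comment) {
        echo '<li>' . htmlspecialchars($comment->comment_author) . '</li>';
    }
}
```

The important property is that every value a theme author can pass in is coerced inside the API, so a theme that forgets to validate its input still produces a fixed-shape query.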

