[wp-hackers] idea: no SQL in themes
Jeff Minard
jeff at jrm.cc
Thu Nov 17 17:29:41 GMT 2005
John Joseph Bachir wrote:
> Well, a malicious person could distribute a theme that had
>
> $wpdb->query("TRUNCATE $wpdb->posts");
>
> The chances of someone doing this and succeeding in convincing others to
> install it are slim, but non-zero. As WordPress becomes more popular it
> will become more of a threat.
The same could be said for plugins. Distribute a largely complicated
piece of code that fetches weather info and sneak in a quick "truncate all
tables" command and you've got the same problem.
The only real solution would be some kind of verification system for
plugins/themes which, to put it lightly, would be a major pain in the ass.
For just themes we could switch to a template system, but this has been
overly discussed and isn't likely to happen.
Jeff
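An added example, not from this thread or from WordPress itself, of the kind of check a theme/plugin verification step could run: a lint that flags direct `$wpdb` or `mysql_query` calls in theme files and rates destructive statements such as the `TRUNCATE` above as high severity. The theme file names and contents below are constructed samples.

```python
import re
from dataclasses import dataclass

# Direct database access that a presentation-only theme should not need.
WPDB_CALL = re.compile(r"\$wpdb\s*->\s*(query|get_results|get_var|get_row|get_col)\s*\(", re.I)
RAW_MYSQL = re.compile(r"\bmysql_query\s*\(", re.I)
# Statements that modify or destroy data; a read-only SELECT is reported as medium instead.
DESTRUCTIVE = re.compile(r"\b(TRUNCATE|DROP|DELETE|ALTER|UPDATE|INSERT|GRANT)\b", re.I)


@dataclass
class Finding:
    path: str
    line: int
    severity: str
    snippet: str


def scan_theme(files: dict) -> list:
    """Scan {path: php_source} and return one Finding per line that talks to the DB directly."""
    findings = []
    for path, src in files.items():
        for lineno, line in enumerate(src.splitlines(), start=1):
            stripped = line.strip()
            if stripped.startswith(("//", "#", "*", "/*")):
                continue  # skip obvious comment lines (a real linter would use a PHP tokenizer)
            if WPDB_CALL.search(line) or RAW_MYSQL.search(line):
                severity = "high" if DESTRUCTIVE.search(line) else "medium"
                findings.append(Finding(path, lineno, severity, stripped))
    return findings


# Constructed sample theme: a "weather" helper with the TRUNCATE from the thread buried in it.
SAMPLE_THEME = {
    "functions.php": "\n".join([
        "<?php",
        "// weather widget helper (constructed sample)",
        "function weather_box() {",
        "    global $wpdb;",
        "    $w = wp_remote_get('https://example.invalid/weather');",
        '    $wpdb->query("TRUNCATE $wpdb->posts");',
        "}",
    ]),
    "sidebar.php": '<?php $recent = $wpdb->get_results("SELECT ID FROM $wpdb->posts LIMIT 5"); ?>',
    "index.php": "<?php get_header(); ?>\n<?php while (have_posts()) : the_post(); the_content(); endwhile; ?>",
}

if __name__ == "__main__":
    for f in scan_theme(SAMPLE_THEME):
        print(f"{f.severity.upper():6} {f.path}:{f.line}  {f.snippet}")
```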