[wp-hackers] Is WP_INSTALLING constant here to stay?

Dino Termini dino at duechiacchiere.it
Tue Jan 22 18:43:24 UTC 2013

Thank you, Andrew.
> I would avoid this. Here's but five reasons why:
> 1) I doubt it will be very clean to structure this file in such a way that
> you are able to globally including wp-load.php, and still benefit from
> having all of your Ajax handlers (those that need WP and those that do not)
> in one place. Wouldn't separating the two make more sense?

Perhaps it would, I will look into this.

> 2) If you don't need to load WP, do you even need PHP? Is JavaScript
> sufficient for processing your data? Just curious.

That's quite a strong statement: "PHP without WordPress is nothing!" :)
From my point of view, there are still a few things that PHP can do

> 3) I would generally discourage directly accessing a plugin's PHP files via
> HTTP. One security measure sometimes deployed is to blacklist such files
> from external access. A plugin following core WP's architecture for Ajax
> requests will be unaffected.

True, but again I think that loading the whole core would be overkill
for what I need to do in most cases (just store the data I get from Ajax
into a table).

> 4) WordPress core's Ajax handler prevents aggressive browser caching,
> blocks UTF-7 and content type sniffing vulnerabilities, side-steps robot
> crawling, allows cross-domain usage, lets other plugins interface with your
> plugin, and enables you to properly identify both authorization (access
> bypass vulnerabilities) and intention (cross-site request forgeries) using
> core API. Is your self-built Ajax handler equipped for any of these?

Probably not all of them...

> 5) If for some reason you do this, how are you actually locating
> wp-load.php? That's one of the most fundamental problems here. If you start
> to blindly traverse directories, you are ignoring that wp-content/plugins
> can be moved to pretty much anywhere else on the filesystem without issue.
> If you start doing things like ../wp-load.php, ../../wp-load.php,
> ../wordpress/wp-load.php, *you are doing it wrong*.

Users with weird configurations will create a 'config file' in
wp-content which points to the right location. From what I understand,
the relative position of /plugins/ and /wp-content/ never changes (the
former always being inside the latter, that is). Looking for my 'config
file' (and then searching in the usual places, if I can't find it) is
quite straightforward.

I'm glad I sent my initial message, I'm getting a lot of good feedback.

Thank you.
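For reference, here is what the approach Andrew describes in points 3 to 5 looks like in practice: a minimal plugin that stores Ajax-posted data into a table by going through admin-ajax.php instead of locating wp-load.php itself. This is an added illustration written for this discussion, not code from either poster; the action name, table name, script file name and required capability are assumptions, and it assumes a current WordPress.

```php
<?php
/*
 * Plugin Name: Ajax Store Example (illustrative, written for this thread)
 * Stores a value posted via Ajax into a custom table using core's Ajax
 * architecture: the request hits admin-ajax.php, which has already loaded
 * WordPress, so the plugin never has to guess where wp-load.php lives.
 */

// Handler for logged-in users only. The wp_ajax_nopriv_ hook is deliberately
// not registered, so anonymous requests get core's default "0" response.
add_action( 'wp_ajax_dt_store_item', 'dt_store_item' );

function dt_store_item() {
    global $wpdb;

    // Intention check: the nonce proves the request came from a page we
    // issued to this user, which blocks cross-site request forgery.
    check_ajax_referer( 'dt_store_item', 'nonce' );

    // Authorization check: capability, not just "logged in".
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ) );
    }

    $payload = isset( $_POST['payload'] )
        ? sanitize_text_field( wp_unslash( $_POST['payload'] ) ) : '';
    if ( '' === $payload ) {
        wp_send_json_error( array( 'message' => 'empty payload' ) );
    }

    // $wpdb->insert() applies the format specifiers, so no SQL is built by hand.
    // Table name (prefix + dt_items) is an assumption for this example.
    $ok = $wpdb->insert(
        $wpdb->prefix . 'dt_items',
        array( 'user_id' => get_current_user_id(), 'payload' => $payload ),
        array( '%d', '%s' )
    );
    if ( false === $ok ) {
        wp_send_json_error( array( 'message' => 'insert failed' ) );
    }
    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}

// Give the browser script the endpoint URL and a nonce; the script never
// needs to know the plugin's path relative to the WordPress root.
add_action( 'wp_enqueue_scripts', 'dt_enqueue' );
function dt_enqueue() {
    wp_enqueue_script( 'dt-ajax', plugins_url( 'dt-ajax.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'dt-ajax', 'dtAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'dt_store_item' ),
    ) );
}
```

The browser side then POSTs `action=dt_store_item`, the `nonce` and the `payload` to `dtAjax.url`; every property Andrew lists in point 4 (caching headers, content-type handling, nonce and capability checks) comes from core rather than from the plugin.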
