[wp-hackers] Is WP_INSTALLING constant here to stay?
Dino Termini
dino at duechiacchiere.it
Tue Jan 22 18:43:24 UTC 2013
Thank you, Andrew.
> I would avoid this. Here's but five reasons why:
>
> 1) I doubt it will be very clean to structure this file in such a way that
> you are able to globally include wp-load.php, and still benefit from
> having all of your Ajax handlers (those that need WP and those that do not)
> in one place. Wouldn't separating the two make more sense?
Perhaps it would, I will look into this.
> 2) If you don't need to load WP, do you even need PHP? Is JavaScript
> sufficient for processing your data? Just curious.
That's quite a strong statement: "PHP without WordPress is nothing!" :)
From my point of view, there are still a few things that PHP can do
directly...
> 3) I would generally discourage directly accessing a plugin's PHP files via
> HTTP. One security measure sometimes deployed is to blacklist such files
> from external access. A plugin following core WP's architecture for Ajax
> requests will be unaffected.
True, but again I think that loading the whole core would be overkill
for what I need to do in most cases (just store the data I get from Ajax
into a table).
> 4) WordPress core's Ajax handler prevents aggressive browser caching,
> blocks UTF-7 and content type sniffing vulnerabilities, side-steps robot
> crawling, allows cross-domain usage, lets other plugins interface with your
> plugin, and enables you to properly identify both authorization (access
> bypass vulnerabilities) and intention (cross-site request forgeries) using
> core API. Is your self-built Ajax handler equipped for any of these?
Probably not all of them...
> 5) If for some reason you do this, how are you actually locating
> wp-load.php? That's one of the most fundamental problems here. If you start
> to blindly traverse directories, you are ignoring that wp-content/plugins
> can be moved to pretty much anywhere else on the filesystem without issue.
> If you start doing things like ../wp-load.php, ../../wp-load.php,
> ../wordpress/wp-load.php, *you are doing it wrong*.
Users with weird configurations will create a 'config file' in
wp-content which points to the right location. From what I understand,
the relative position of /plugins/ and /wp-content/ never changes (the
former always being inside the latter, that is). Looking for my 'config
file' (and then searching in the usual places, if I can't find it) is
quite straightforward.
I'm glad I sent my initial message, I'm getting a lot of good feedback.
Thank you.
Dino
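For readers following the thread: below is an added example, written for this archive page and not code posted by Dino, Andrew or any WordPress project, of the pattern Andrew's points 3 to 5 argue for. It stores an Ajax payload in a custom table without the plugin ever including wp-load.php: the browser posts to core's admin-ajax.php, which has already loaded WordPress, sent no-cache and nosniff headers and X-Robots-Tag: noindex, and the handler uses check_ajax_referer() for intent (CSRF) and current_user_can() for authorization. The plugin name, the 'dt_store' action, the 'dt_store_nonce' nonce action, the {prefix}dt_items table, the 'dt-ajax' script handle and the dt-ajax.js file are all hypothetical names chosen for the example, and the status-code argument to wp_send_json_error() assumes WordPress 4.1 or later (newer than the 2013 thread).

```php
<?php
/*
Plugin Name: DT Ajax Store (added example, not from the wp-hackers thread)
*/

// Direct HTTP access to this file does nothing: ABSPATH is only defined when
// WordPress loaded us, so blacklisting plugin files from the web (point 3)
// costs us nothing. The request path goes through wp-admin/admin-ajax.php.
defined( 'ABSPATH' ) || exit;

// Hypothetical table name; created on activation with dbDelta().
function dt_install() {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    $table   = $wpdb->prefix . 'dt_items';
    $charset = $wpdb->get_charset_collate();
    dbDelta( "CREATE TABLE $table (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        user_id bigint(20) unsigned NOT NULL,
        payload text NOT NULL,
        created datetime NOT NULL,
        PRIMARY KEY  (id)
    ) $charset;" );
}
register_activation_hook( __FILE__, 'dt_install' );

// Hand the browser the endpoint URL and a nonce. Nothing here hard-codes the
// location of wp-load.php or of wp-content/plugins (point 5): admin_url() and
// plugins_url() resolve whatever layout the site actually uses.
function dt_enqueue() {
    // dt-ajax.js is an assumed file shipped next to this plugin file.
    wp_enqueue_script( 'dt-ajax', plugins_url( 'dt-ajax.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'dt-ajax', 'dtAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'dt_store_nonce' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'dt_enqueue' );

// The assumed dt-ajax.js sends one request of this shape:
//   jQuery.post( dtAjax.url,
//     { action: 'dt_store', _ajax_nonce: dtAjax.nonce, payload: 'some text' },
//     function ( r ) { console.log( r.success, r.data ); } );

// Handler for action=dt_store. By the time it runs, admin-ajax.php has set
// nocache_headers(), send_nosniff_headers() and X-Robots-Tag: noindex (point 4).
function dt_ajax_store() {
    // Intention: the nonce proves the request originated from a page we served
    // to this user (CSRF). On failure core dies with -1 and a 403 status.
    check_ajax_referer( 'dt_store_nonce' );

    // Authorization is a separate question from intention: a valid nonce only
    // says "this user meant it", not "this user may". Check the capability.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // Validate input before it goes anywhere near the table.
    $payload = isset( $_POST['payload'] ) ? wp_unslash( $_POST['payload'] ) : '';
    $payload = sanitize_text_field( $payload );
    if ( '' === $payload || strlen( $payload ) > 1000 ) {
        wp_send_json_error( array( 'message' => 'invalid payload' ), 400 );
    }

    global $wpdb;
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'dt_items',
        array(
            'user_id' => get_current_user_id(),
            'payload' => $payload,
            'created' => current_time( 'mysql' ),
        ),
        array( '%d', '%s', '%s' ) // explicit formats: $wpdb escapes, no hand-built SQL
    );
    if ( false === $inserted ) {
        wp_send_json_error( array( 'message' => 'insert failed' ), 500 );
    }

    // wp_send_json_success() sets the JSON content type and terminates the request.
    wp_send_json_success( array( 'id' => (int) $wpdb->insert_id ) );
}
// Logged-in users only. Add 'wp_ajax_nopriv_dt_store' too if anonymous visitors
// must be able to submit; the nonce still works for them, but then there is no
// capability to check, so rate limiting and stricter validation become essential.
add_action( 'wp_ajax_dt_store', 'dt_ajax_store' );
```

Two things to keep straight when adapting this: check_ajax_referer() reads the nonce from the `_ajax_nonce` (or `_wpnonce`) request field, so the JavaScript must send it under that name, and other plugins can hook the same `wp_ajax_dt_store` action or filter the response, which is the "lets other plugins interface with your plugin" property a plugin-private endpoint does not have.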