[theme-reviewers] $_SERVER data
Chip Bennett
chip at chipbennett.net
Sat Dec 24 13:53:28 UTC 2011
Lately, I've been seeing quite a few review comments indicating to remove
this code, due to security issues:

    if ( !empty( $_SERVER['SCRIPT_FILENAME'] )
        && 'comments.php' == basename( $_SERVER['SCRIPT_FILENAME'] ) )
        die ( 'Please do not load this page directly. Thanks!' );

I don't believe that $_SERVER data used in this manner (i.e. as a
conditional query, with no data being saved to the DB or output) is a
security risk. What are your thoughts?
Chip