[theme-reviewers] $_SERVER data

Otto otto at ottodestruct.com
Sat Dec 24 15:56:30 UTC 2011


On Sat, Dec 24, 2011 at 7:53 AM, Chip Bennett <chip at chipbennett.net> wrote:
> Lately, I've been seeing quite a few review comments indicating to remove
> this code, due to security issues:
>
> if ( !empty( $_SERVER['SCRIPT_FILENAME'] ) && 'comments.php' == basename( $_SERVER['SCRIPT_FILENAME'] ) )
>     die ( 'Please do not load this page directly. Thanks!' );
>
>
> I don't believe that $_SERVER data used in this manner (i.e. as a
> conditional query, with no data being saved to the DB or output) is a
> security risk. What are your thoughts?

It's not a threat, but it is unnecessarily silly and complex. Here's a
quicker way to do much the same thing (only without the message):

if ( !defined('ABSPATH') ) die;

-Otto
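For readers following the thread, here is the ABSPATH guard in the position it would occupy at the top of a theme's comments.php (an added illustration, not code from either poster). It assumes the standard WordPress bootstrap, where wp-config.php defines ABSPATH before any template is included, so a direct HTTP request to the template file never sees that constant.

```php
<?php
/**
 * comments.php (template fragment, constructed for illustration)
 *
 * WordPress defines ABSPATH in wp-config.php during bootstrap, so this
 * constant exists whenever the file is loaded through comments_template().
 * When the file is requested directly by URL, PHP runs it with no bootstrap,
 * ABSPATH is undefined, and the request ends here with an empty response.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Normal template logic only runs below the guard.
if ( post_password_required() ) {
    // Do not reveal comments on a password-protected post.
    return;
}
?>
<div id="comments">
    <?php wp_list_comments(); ?>
    <?php comment_form(); ?>
</div>
```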

