[wp-hackers] Changeset 11804

Chris Jean gaarai at gaarai.com
Tue Aug 11 19:32:33 UTC 2009

The code actually has that exact test in it. wp-login.php line 190-191:

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

What it's not doing is a check for an array, which is why this works. So
not only do you have to validate, you have to type check.

Chris Jean

Otto wrote:
> Ahhh. Well, in that case it makes more sense to simply disallow blank
> activation keys to be passed into the function then. Validate your
> inputs.
> if empty($key) die "don't hack me you bastard"; // or similar ;)
> Yes, you can force user confirmation as well, but that's not really
> solving the problem at hand, just adding another uniqueness test to
> find the correct user to reset the password for.
> -Otto
> Sent from Memphis, TN, United States

More information about the wp-hackers mailing list