[theme-reviewers] $_SERVER data

Chip Bennett chip at chipbennett.net
Sat Dec 24 13:53:28 UTC 2011

Lately, I've been seeing quite a few review comments indicating to remove
this code, due to security issues:

if ( !empty( $_SERVER['SCRIPT_FILENAME'] )
&& 'comments.php' == basename( $_SERVER['SCRIPT_FILENAME'] ) )
    die ( 'Please do not load this page directly. Thanks!' );

I don't believe that $_SERVER data used in this manner (i.e. as a
conditional query, with no data being saved to the DB or output) is a
security risk. What are your thoughts?
