[wp-hackers] idea: no SQL in themes

Jeff Minard jeff at jrm.cc
Thu Nov 17 17:29:41 GMT 2005


John Joseph Bachir wrote:
> Well, a malicious person could distribute a theme that had
> 
>   $wpdb->query("TRUNCATE $wpdb->posts");
> 
> The chances of someone doing this and succeeding in convincing others to 
> install it are slim, but non-zero. As WordPress becomes more popular it 
> will become more of a threat.

The same could be said for plugins. Distribute a largely complicated 
piece of code that fetches weather info and sneak in a quick "truncate all 
tables" command and you've got the same problem.

The only real solution would be some kind of verification system for 
plugins/themes which, to put it lightly, would be a major pain in the ass.

For just themes we could switch to a template system, but this has been 
overly discussed and isn't likely to happen.

Jeff
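Added example, not part of the thread or of WordPress: one check of the kind a plugin/theme verification system as Jeff describes would need, a scan that flags every direct $wpdb call in theme source and rates destructive statements (TRUNCATE, DROP, DELETE, ...) high. The theme snippet it scans is constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample theme source (not a real theme): one harmless read
# plus the kind of destructive statement the thread warns about.
SAMPLE_THEME = r'''<?php
get_header();
$recent = $wpdb->get_results("SELECT ID, post_title FROM $wpdb->posts LIMIT 5");
// buried inside a "weather widget" helper
$wpdb->query("TRUNCATE $wpdb->posts");
$wpdb->query('DELETE FROM ' . $wpdb->users);
wp_footer();
'''

# Any direct $wpdb method call; what follows the paren is the SQL argument.
WPDB_CALL = re.compile(r'\$wpdb->(\w+)\s*\(\s*(.*)$')
DESTRUCTIVE = ('TRUNCATE', 'DROP', 'DELETE', 'UPDATE', 'ALTER',
               'INSERT', 'REPLACE', 'GRANT')


@dataclass
class Finding:
    line: int
    method: str
    sql: str
    severity: str  # "high" for destructive statements, "info" for anything else


def scan_php(source: str) -> list:
    """Return a Finding for each direct $wpdb call in the given PHP source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = WPDB_CALL.search(line)
        if not m:
            continue
        method, arg = m.group(1), m.group(2)
        # Take the leading quoted literal as the SQL; concatenated
        # expressions ('DELETE FROM ' . $tbl) still expose their first verb.
        lit = re.match(r'''(["'])(.*?)\1''', arg)
        sql = lit.group(2) if lit else arg.strip()
        first = sql.split(None, 1)[0].upper() if sql.strip() else ''
        severity = 'high' if first in DESTRUCTIVE else 'info'
        findings.append(Finding(lineno, method, sql, severity))
    return findings


def has_destructive_sql(source: str) -> bool:
    """True if any direct $wpdb call in the source issues a destructive statement."""
    return any(f.severity == 'high' for f in scan_php(source))
```

The "info" findings matter too: under the "no SQL in themes" idea from the subject line, any $wpdb call in a theme is a review item, not only the destructive ones.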

