Usually, you don’t need it. But … there is at least one edge case:
- If a theme file is a template part,
- and it is using global variables from the calling context (parent file),
- and register_globals is
on
, - and it is just using these variables without any security check …
… an attacker can call this file, set the missing variables with GET
or POST
and make the theme file print those out. And then there is a security problem.
So … the best option is not a context check like the one from your example, but good code: avoid global variables, check their content before you print it out.