[wp-hackers] wp-config.php, wp-load.php, and ABSPATH

Stephen Rider wp-hackers at striderweb.com
Wed Sep 9 21:35:20 UTC 2009


Hackers --

As of WP 2.6, users have been able to move the wp-config.php file up  
one directory if they choose.  In my opinion this was an excellent  
change, because it is the final piece in allowing users to completely  
remove customizations from within the WordPress directory.  (Allowing  
moving wp-config being a significant piece of the same process).

There is a remnant of the old system still in wp-config.php, the  
directive to create ABSPATH if it does not exist.  I'm not sure why  
this is there -- perhaps it is a holdover of a much older version of  
WP.  But if wp-config.php is movable, then this code is no longer  
stable, and its *existence* has encouraged a poor coding practice  
among plugin authors.

A problem that arises is plugins that do sort of "stand alone" things  
but want to access the database -- a common thing to do is to call  
wp-config.php directly to get the login info, rather than wp-load.php.   
Again, this is unstable because wp-config.php may have moved, and even  
if the plugin correctly knows to look up a directory, it will get  
tripped up if it then tries to call another file and bases the path  
off of ABSPATH.

While plugin authors *can* just call wp-load.php, which is safer and  
more stable, it appears to be quite common to do it the other way.

Here is my proposal: We should assert, in documentation and in code,  
that any time a plugin or process wants to access parts of WP  
(including the database), it should call wp-load.php.  We should do  
this via changes within the Codex, and inline documentation, and we  
should also do this by eliminating the ABSPATH define() in  
wp-config.php.

At the very least, we should put a "deprecated" call with the define()  
in wp-config, so that if it does happen, there is a notice to the log  
that "You should not call wp-config.php directly.  Call wp-load.php  
instead."  Then a version or two down the road we can get rid of the  
troublesome define.

What think ye?

Stephen

P.S. -- Why yes, I do get troubleshooting questions about this.  Why  
do you ask?

-- 
Stephen Rider
http://striderweb.com/
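
Added example, not part of the original message or of WordPress itself: a small heuristic scanner that flags plugin source which includes wp-config.php directly, and any later include in the same file that builds its path from ABSPATH, the two patterns the message describes as unstable. The function name, finding labels and sample plugin sources are constructed for illustration.

```python
import re

# An include/require statement (with or without _once), up to its semicolon.
INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\b([^;]*);", re.I)


def scan_plugin_source(php_source):
    """Return (line_no, kind, statement) tuples for fragile includes.

    Heuristic only: single-line statements; comment lines are skipped.
    """
    findings = []
    config_loaded = False
    # Blank out block comments, keeping newlines so line numbers stay right.
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                 php_source, flags=re.S)
    for line_no, line in enumerate(src.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#")):
            continue
        for m in INCLUDE_RE.finditer(stripped):
            target = m.group(1)
            if "wp-config.php" in target:
                # Breaks when wp-config.php has been moved up a directory.
                config_loaded = True
                findings.append((line_no, "direct-wp-config", m.group()))
            elif config_loaded and "ABSPATH" in target:
                # Path is based on the ABSPATH that wp-config.php defined.
                findings.append((line_no, "abspath-after-wp-config", m.group()))
    return findings


# Constructed sample: stand-alone plugin file using the fragile pattern.
FRAGILE = """<?php
// Stand-alone endpoint that needs the database.
require_once('../../../wp-config.php');
require_once(ABSPATH . 'wp-content/plugins/example-plugin/helper.php');
"""

# Constructed sample: the same file loading WordPress through wp-load.php.
STABLE = """<?php
// require_once('../../../wp-config.php');  (old approach, commented out)
require_once('../../../wp-load.php');
"""

if __name__ == "__main__":
    for name, source in (("fragile", FRAGILE), ("stable", STABLE)):
        for line_no, kind, stmt in scan_plugin_source(source):
            print(f"{name}:{line_no}: {kind}: {stmt}")
```
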

