[wp-hackers] Plugins using hardcoded table prefix

Mark Jaquith mark.wordpress at txfx.net
Mon Mar 21 08:58:26 GMT 2005

Dave Cohen wrote:

>Just a plea from someone who has to support many WP installs.  When
>creating a plugin, please don't hardcode the WP table prefix, rather
>get the configured value of the table prefix ($table_prefix) and build
>off of that.  Its a nice standard to use and I've seen a few times
>when someone blows away another's settings because of this.
The only reason I can think of that they'd need the $table_prefix is if 
they were creating a new table.  For accessing WP's built-in tables, 
they should be using these:

> // Table names
> $wpdb->posts            = $table_prefix . 'posts';
> $wpdb->users            = $table_prefix . 'users';
> $wpdb->categories       = $table_prefix . 'categories';
> $wpdb->post2cat         = $table_prefix . 'post2cat';
> $wpdb->comments         = $table_prefix . 'comments';
> $wpdb->links            = $table_prefix . 'links';
> $wpdb->linkcategories   = $table_prefix . 'linkcategories';
> $wpdb->options          = $table_prefix . 'options';
> $wpdb->postmeta         = $table_prefix . 'postmeta';

Hardcoding the prefix is a very amateurish mistake.  Maybe we should 
start WordPress University and require degrees before people can release 
their plugins into the wild.  :-)  Kidding of course, but it might not 
hurt for there to be a Codex page with "Known good plugin coders," not 
to imply that everyone else is trusted, but to lend more confidence to 
people using plugins from the people on the list.

Someone could also start a plugin review service, where they could do a 
quick scan for such dangerous things as hardcoded table names.

More information about the wp-hackers mailing list