This snippet is a perfect case of a developer not considering what plugins might be doing with post meta. The snippet grabs all of the post meta attached to the current post and displays it, all of it. The only time meta isn’t displayed is if the meta key starts with an underscore (_), which means it is a hidden field, or if the key is “enclosure”.
This one had me pulling my hair our for a while. I found it while helping a user of one of my plugins out with a support request. The theme author included some custom post types and added some custom meta fields to those post types, all of which is perfectly fine. The problem, however, comes in with how the theme developer decided to process the saving of the meta fields.
This is a bit of a head scratcher. It’s one of those that makes you wonder what the original developer was thinking, and not because it does something really poorly but because it does something that is completely pointless.
This is not entirely bad code, rather more an example of doing something that is really unnecessary. The developer of this snippet wanted a way to create custom template files based on the post type that was displayed.
I’ve seen this quite a few times, and it drives me nuts every time.
This is horrible, not the code itself but what it does. Found in a theme, this little snippet was used to completely replace the default Page Template drop down in WordPress (replace, not add to).
This one is so dangerous it’s almost awesome.
$url = $_GET['url'];
$data = file_get_contents($url);
The code is blindly accepting anything that is posted via the url query parameter, making it possible for someone to inject just about any code they wished by simply passing it in the URL.
Submitted by Stephanie Leary.