The database prefix is NOT just to allow people to install multiple sites in one database (although that was what I intended when I wrote this 11 years ago).

It serves to ensure that the database table names are never known values which increases security slightly.

I am closing this as expected behaviour

Even post installation, you can remove the prefix from your configuration file and rename your tables, but there still remains a hardcoded default prefix in the database driver which in essence makes a prefix required when using our database code. Fully supporting non-prefixed tables at this point would be a B/C breaking behavior and the earliest a patch could be merged would be for 4.0.

I totally agree with your point that it's safer to use a separate database for every Joomla install (or other web applications). I would even add that it's also better from maintenance point of view.

IMHO forcing a table prefix is not a bug. What about looking from a security point of view to forcing table prefixes during installation?
First of all, a web application needs to be secured against SQL injections. But what if someone accidentally uses a 3rd party extension with an SQL vulnerability?
An unique table prefix makes it more difficult to exploit such vulnerabilities.

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/4482.

Ok, prorably it gains the security in some way...
But I still think it's a site administrator, who must decide whether or not use this feature. Otherwise it's an assumption that all of them a not smart enough to do such a decision.
(of course making a prefix by default for those who don't care is fine)

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/4482.

If you want to submit a pull request to achieve this then I am sure it will
be considered.

On 8 October 2014 13:28, tot-to notifications@github.com wrote:

Ok, prorably it gains the security in some way...
But I still think it's a site administrator, who must decide whether or
not use this feature. Otherwise it's an assumption that all of them a not
smart enough to do such a decision.
(of course making a prefix by default for those who don't care is fine)

This comment was created with the J!Tracker Application
https://github.com/joomla/jissues at issues.joomla.org/joomla-cms/4482
http://issues.joomla.org/tracker/joomla-cms/4482.

—
Reply to this email directly or view it on GitHub
#4482 (comment).

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

The prefix field is randomly prefilled in the installation assistant. So you would have to manually delete the field value to even get that error. But why would you want to remove it in the first place? I wonder what the gain is if the prefix is removed.

Truthfully, there's no difference from a programming side whether you have the prefix or not if you can guarantee that only one application's tables will be in the database. Well, as long as everyone uses JDatabase and the #__ generic prefix effectively. From a security perspective, it randomizes the table names just a bit by generating a random string of characters to preface the table names with.

There are other database models out there that function just fine without a table prefix. From an API perspective, it shouldn't be an issue to allow un-prefixed tables. But, doing so potentially is a B/C break since JDatabaseDriver's constructor will set a default jos_ prefix to $this->tablePrefix if a prefix isn't provided through the options array, meaning our API is coded in a way that a prefix is always required.

Bakual, well, first of all, I didn't expect that this may require any significant changes and break the bakward compatibility. To me, as a user it looked like just setting one variable to an empty string.

In principle I just wanted to avoid prefix because I didn't see any improvment, while it makes table names to look ugly and not intuitive.

Of course if it requires more changes than one or two lines of code, it's not worth it.