WordPress and PHP magic quotes: you want to drive me crazy!
Not understanding how WordPress manages PHP's magic quotes (PHP will no longer support magic quotes gpc from version 6, and when that version is released we will see a lot of sites hacked…), I followed the WordPress startup code.
The code is all in wp-settings.php. These are my conclusions:
- $_REQUEST is redefined as a pure merge of $_GET and $_POST and may or may not have magic quotes applied; to use it you need to check the “get_magic_quotes_gpc()” function
- $_GET, $_POST, $_COOKIE and $_SERVER arrays are forced to hold escaped values, so to get the real values you need to strip the slashes
The code below produces this effect:
if ( get_magic_quotes_gpc() ) {
    $_GET = stripslashes_deep($_GET );
    $_POST = stripslashes_deep($_POST );
    $_COOKIE = stripslashes_deep($_COOKIE);
}

// Escape with wpdb.
$_GET = add_magic_quotes($_GET );
$_POST = add_magic_quotes($_POST );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);
$_REQUEST is created before this code runs, with:
$_REQUEST = array_merge($_GET, $_POST);
so we cannot be sure if it is escaped or not.
To strip slashes, WordPress has a function “stripslashes_deep($value)” which also handles array values.
Hence, to extract a POST or a GET parameter we have to write:
$value = stripslashes_deep($_POST['name']); or
$value = stripslashes_deep($_GET['name']);
The same applies when extracting cookie or server values.
Is that a definitive answer??? (if so my plugins need an update… I’ll start from Dynatags…)
I'm Stefano Lissa. 10 years ago I was building web sites for my pleasure. Blogs didn't exist, web content systems were ugly, hosting really expensive. And my student pocket was empty.
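The startup sequence described in the post, replayed in plain PHP as an added example (not WordPress code and not from the original post). The demo_* functions are hypothetical stand-ins for stripslashes_deep and add_magic_quotes, assuming add_magic_quotes behaves like a recursive addslashes(), and the magic_quotes_gpc setting is simulated with a flag. It shows $_POST ending up slashed in both configurations while $_REQUEST keeps whatever state PHP delivered.

```php
<?php
// Stand-ins so this runs without WordPress (hypothetical names; assumption:
// add_magic_quotes behaves like a recursive addslashes()).
function demo_stripslashes_deep($v) {
    return is_array($v) ? array_map('demo_stripslashes_deep', $v) : stripslashes($v);
}
function demo_add_magic_quotes($v) {
    return is_array($v) ? array_map('demo_add_magic_quotes', $v) : addslashes($v);
}

// Replays the startup order for one request.
// $raw: what the client sent; $magicOn: simulated magic_quotes_gpc setting.
function demo_wp_startup(array $raw, bool $magicOn): array {
    // What PHP hands to the script: already slashed only if magic quotes is on.
    $post = $magicOn ? demo_add_magic_quotes($raw) : $raw;
    $get  = [];
    // $_REQUEST is merged first, so it inherits whatever state PHP delivered.
    $request = array_merge($get, $post);
    if ($magicOn) {
        $post = demo_stripslashes_deep($post);
    }
    $post = demo_add_magic_quotes($post); // always slashed from here on
    return ['post' => $post, 'request' => $request];
}

// Plugin-side read of $_REQUEST: strip only when magic quotes is on.
function demo_read_request(array $request, string $key, bool $magicOn) {
    $v = $request[$key] ?? null;
    if ($v === null) {
        return null;
    }
    return $magicOn ? demo_stripslashes_deep($v) : $v;
}

// Constructed sample input: a quote, a backslash and a nested array.
$raw = ['name' => "O'Reilly \\ Co", 'tags' => ["it's", 'plain']];
foreach ([true, false] as $magicOn) {
    $s = demo_wp_startup($raw, $magicOn);
    printf("magic_quotes_gpc=%s\n", $magicOn ? 'on' : 'off');
    printf("  \$_POST['name']    = %s\n", $s['post']['name']);
    printf("  \$_REQUEST['name'] = %s\n", $s['request']['name']);
    // Recover the client's values by both routes and compare with the input.
    $fromPost = demo_stripslashes_deep($s['post']);
    $fromReq  = ['name' => demo_read_request($s['request'], 'name', $magicOn),
                 'tags' => demo_read_request($s['request'], 'tags', $magicOn)];
    var_dump($fromPost === $raw, $fromReq === $raw);
}
```

Stripping slashes only recovers the value the client sent; anything that then goes into a SQL query still needs the database layer's own escaping or a prepared statement.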
Thanks for the article.
I’d been wandering around the Codex site wondering why the hell slashes were getting added to all of my request data when I always work without magic_quotes on.
I don’t even understand why this is happening – as even with adding slashes, SQL injection can still occur if the queries are not escaped with proper SQL escape functions.
All this can really lead to is bad programming practice for the newer plugin developers as they will see data ‘escaped’ automatically and assume that it’s OK.
I think the WordPress guys decided to work this way to make the request format uniform over the many PHP configurations worldwide.
From PHP 6, magic quotes are deprecated, as far as I know.