WordPress and PHP magic quotes: you want to drive me crazy!
Not understanding how WordPress manages PHP's magic quotes (PHP no longer supports magic_quotes_gpc from version 6, and when that version is released we will see a lot of sites hacked…), I followed the WordPress startup code.
The code is all in wp-settings.php. These are my conclusions:
- $_REQUEST is redefined as a pure merge of $_GET and $_POST and may or may not have magic quotes applied; to use it you need to check the “get_magic_quotes_gpc()” function
- the $_GET, $_POST, $_COOKIE and $_SERVER arrays are forced to hold escaped values, so to get the real values you need to strip the slashes
The code below produces this effect:
// First undo whatever PHP itself added, if magic_quotes_gpc is on...
if ( get_magic_quotes_gpc() ) {
    $_GET    = stripslashes_deep( $_GET );
    $_POST   = stripslashes_deep( $_POST );
    $_COOKIE = stripslashes_deep( $_COOKIE );
}
// ...then escape everything unconditionally. Escape with wpdb.
$_GET    = add_magic_quotes( $_GET );
$_POST   = add_magic_quotes( $_POST );
$_COOKIE = add_magic_quotes( $_COOKIE );
$_SERVER = add_magic_quotes( $_SERVER );
$_REQUEST is created earlier with:
$_REQUEST = array_merge( $_GET, $_POST );
so we cannot be sure whether it is escaped or not.
To strip slashes, WordPress has a function “stripslashes_deep($value)” which also handles array values.
Hence, to extract a POST or a GET parameter we have to write:
$value = stripslashes_deep( $_POST['name'] );
or
$value = stripslashes_deep( $_GET['name'] );
The same applies when extracting cookie or server values.
Is that a definitive answer??? (if so my plugins need an update… I’ll start from Dynatags…)
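The slash round trip described above, as an added example that is not WordPress's own code. It runs with the php CLI outside WordPress, so demo_add_magic_quotes() and demo_stripslashes_deep() are hypothetical stand-ins written here for the real add_magic_quotes() and stripslashes_deep(), and the request data is constructed. It also shows why a plugin must strip the slashes before handing a value to any SQL escaper: escaping the still-slashed value escapes the slash too.

```php
<?php
// Added example, not WordPress code: two stand-ins for the WordPress helpers
// named in the post, so the slash round trip can be run with the php CLI
// outside WordPress. demo_add_magic_quotes() and demo_stripslashes_deep()
// are hypothetical names chosen here; WordPress's own functions are
// add_magic_quotes() and stripslashes_deep().

// Stand-in for add_magic_quotes(): addslashes() applied to every string,
// recursing into nested arrays such as $_POST['tags'][].
function demo_add_magic_quotes( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'demo_add_magic_quotes', $value );
    }
    return is_string( $value ) ? addslashes( $value ) : $value;
}

// Stand-in for stripslashes_deep(): stripslashes() applied the same way.
function demo_stripslashes_deep( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'demo_stripslashes_deep', $value );
    }
    return is_string( $value ) ? stripslashes( $value ) : $value;
}

// Constructed sample request, as PHP hands it over with magic_quotes_gpc off.
$raw_post = array(
    'name'  => "O'Reilly",
    'tags'  => array( "it's", 'plain' ),
    'count' => 3,
);

// 1. What WordPress does at startup: every string now carries slashes,
//    whatever the server's magic_quotes_gpc setting was.
$_POST = demo_add_magic_quotes( $raw_post );

// 2. What a plugin must do before using a value: strip the slashes back off.
$name = demo_stripslashes_deep( $_POST['name'] );
$tags = demo_stripslashes_deep( $_POST['tags'] );

// 3. The pitfall: escaping the still-slashed value for SQL escapes the
//    slash as well, so a literal backslash ends up in the database.
//    Whatever escaper you use (addslashes() stands in for it here), feed it
//    the un-slashed value; inside WordPress that un-slashed value is what
//    you pass to $wpdb->prepare().
$double_escaped = addslashes( $_POST['name'] );
$escaped_once   = addslashes( $name );

echo "as received by the plugin : ", $_POST['name'], "\n";
echo "after stripslashes_deep   : ", $name, "\n";
echo "escaped without stripping : ", $double_escaped, "\n";
echo "escaped after stripping   : ", $escaped_once, "\n";
echo "round trip intact         : ",
    ( $name === $raw_post['name'] && $tags === $raw_post['tags'] ) ? 'yes' : 'no', "\n";
```

Run it with `php demo.php`; the last line confirms that stripping restores exactly what the browser sent, including the nested array, and the two "escaped" lines show the extra backslash that appears when the strip step is skipped.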

June 19, 2009 
Thanks for the article.
I’d been wandering around the Codex site wondering why the hell slashes were getting added to all of my request data when I always work without magic_quotes on.
I don’t even understand why this is happening – as even with adding slashes, SQL injection can still occur if the queries are not escaped with proper SQL escape functions.
All this can really lead to is bad programming practice for the newer plugin developers as they will see data ‘escaped’ automatically and assume that it’s OK.
I think the WordPress guys decided to work this way to make the request format uniform over the many PHP configurations worldwide.
From PHP 6, magic quotes are deprecated, as far as I know.
Very useful indeed. I had a theme that I really like but found it was adding slashes into a particular field. And it turned out it was the Magic Quotes function, so I added the strip slashes to the theme and it worked!
Sheesh. Something so simple, yet someone missed in creating the theme.
This was driving me insane, too. Thanks for the post. Two corrections (presumably WordPress updates since you posted):
The magic is now done in wp-includes/load.php
$_REQUEST is created AFTER adding slashes, so is always escaped.
You are absolutely right!
THANK YOU! I thought I was going insane.