WordPress and PHP magic quotes: you want to run me crazy!

Not understanding how WordPress manages the magic quotes of PHP (PHP is no more supporting magic quotes gpc from version 6, and when this version will be released we see a lot of sites hacked…) I followed the WordPress startup code.

The code is all in wp-settings.php. These my conclusions:

  • $_REQUEST is redefined as a pure merge of $_GET and $_POST and can have or not magic quotes, to use it you need to check the “magic_quote_gpc()” function
  • $_GET, $_POST, $_COOKIE and $_SERVER arrays are forced with escaped values so to have the real values you need to strip the slashes

The code below produces such effect:

if ( get_magic_quotes_gpc() ) {
$_GET    = stripslashes_deep($_GET   );
$_POST   = stripslashes_deep($_POST  );
$_COOKIE = stripslashes_deep($_COOKIE);
}

// Escape with wpdb.
$_GET    = add_magic_quotes($_GET   );
$_POST   = add_magic_quotes($_POST  );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);

$_REQUEST is created before with:

$_REQUEST = array_merge($_GET, $_POST);

so we cannot be sure if it is escaped or not.

To strip slashes, WordPress has a function “stripslashes_deep($value)” which manages array type values.

Hence, to extract a POST or a GET parameter we have to write:

$value = stripslashes_deep($_POST[‘name’]); or
$value = stripslashes_deep($_GET[‘name’]);

The same thing when extractin cookie or server values.

Is that a definitive answer??? (if so my plugins need an update… I’ll start from Dynatags…)

My excuses for my bad english but it's the only way I have to communicate with you. Would you suggest a correction? Leave a comment, thank you!

7 thoughts to “WordPress and PHP magic quotes: you want to run me crazy!”

  1. magic_quotes_gpc is removed for good reasons. I understand that WordPress wants to be sure that data are always treated the same way, regardless of the system it is running on.

    However, if you want to properly escape your string for the database, you should use mysql_real_escape_string().

    Also, you would better do whitelist validation whereever possible.

    I stumbled upon this when I wanted to insert a BIT value into MySQL using a WordPress plugin that I am writing. I wanted to insert b’0′ or b’1′ and they came through as b\’0\’ and b\’1\’ , which doesn’t work.

  2. This was driving me insane, too. Thanks for the post. Two corrections (presumably WordPress updates since you posted):

    The magic is now done in wp-includes/load.php

    $_REQUEST is created AFTER adding slashes, so is always escaped.

  3. Very useful indeed. I had a theme that a really like but found it was adding slashes into a particular field. And it turned it was the the Magic Quotes function, so I added the strip slashes to the theme and it worked!

    Sheesh. Something so simple, yet someone missed in creating the theme.

  4. I think wordpress guys decided to work this way to uniform the request format ove the so many php configuration worldwide.
    From php 6 magic quotes Are deprecate as i know

  5. Thanks for the article.

    I’d been wandering around the Codex site wondering why the hell slashes were getting added to all of my request data when I always work without magic_quotes on.

    I don’t even understand why this is happening – as even with adding slashes, SQL injection can still occur if the queries are not escaped with proper SQL escape functions.

    All this can really lead to is bad programming practice for the newer plugin developers as they will see data ‘escaped’ automatically and assume that it’s OK.

Leave a Reply