Johan

Reputation: 647

What does WordPress do if magic quotes are turned off at server?

We recently upgraded to php 5.4.15, and it does not have magic quotes on as default. It was time :)

But it turns out wp is adding its own slashes to POST and everything, for its internal compatibility reasons.

Now in a lot of plugins, I had some sensible functions that would strip slashes IF they were added by php:

function POSTGET_stripslashes_all($forced=false)
    {
    if(!get_magic_quotes_gpc() and !get_magic_quotes_runtime()) if(!$forced) return;
    ....

But wp adds slashes regardless of php settings, so I ended up stripping slashes ALWAYS regardless of any settings. Problem is, what if a user wanted to use literal slashes in their input?

How to bring some sense into this? I do not want to strip slashes always. How did you approach this? Do you just give up and strip everything when it comes to wp? Is there a nice rule of thumb that says where and where not wp slashes things?

Upvotes: 3

Views: 1628

Answers (1)

Johan

Reputation: 647

Well, I had to discover my own answer.

file: wp-settings.php > function wp_magic_quotes() is called.
  • this file is almost always included when wp is run; it is included unconditionally by wp-config.php.
  • the function call is before almost everything,
  • BUT called after advanced-cache.php
  • AND after action hook do_action( 'plugins_loaded' ).

the function itself:

function wp_magic_quotes() //is in file wp-includes/load.php
     {
     //if(get_magic_quotes_gpc()) strips the slashes php added
     //then adds slashes to POST, GET, COOKIES and SERVER, using add_magic_quotes()
     }

so if you need to decide whether to strip slashes or not, use:

if(!get_magic_quotes_gpc() and !function_exists('wp_magic_quotes')) do_not_strip;

And here is the full form function:

function POSTGET_stripslashes_all($forced=false)
    {
    global $POSTGET_stripslashes_all_done;
    //nothing added slashes (no php magic quotes, wp not loaded): leave input alone unless forced
    if(!get_magic_quotes_gpc() and !function_exists('wp_magic_quotes')) if(!$forced) return;//wp check
    //strip only once per request, a second pass would eat literal backslashes
    if($POSTGET_stripslashes_all_done) return;
    //stripslashes
    if(is_array($_POST)) $_POST=POSTGET_stripslashes_deep($_POST,$forced);
    if(is_array($_GET)) $_GET=POSTGET_stripslashes_deep($_GET,$forced);
    if(is_array($_REQUEST)) $_REQUEST=POSTGET_stripslashes_deep($_REQUEST,$forced);
    $POSTGET_stripslashes_all_done=true;
    }

function POSTGET_stripslashes_deep($value,$forced=false)
    {
    global $POSTGET_stripslashes_all_done;
    if(!get_magic_quotes_gpc() and !function_exists('wp_magic_quotes')) if(!$forced) return $value;
    //already stripped by POSTGET_stripslashes_all(): return unchanged unless forced
    if($POSTGET_stripslashes_all_done) if(!$forced) return $value;
    if(is_string($value)) return stripslashes($value);
    //arrays (e.g. name="field[]") are walked recursively, other types pass through untouched
    if(is_array($value))
        foreach($value as $name=>$val)
            $value[$name]=POSTGET_stripslashes_deep($val,$forced);
    return $value;
    }

Upvotes: 4
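
Why stripping exactly once does not lose literal backslashes, and why the once-only flag in the answer matters, shown as an added example that is not part of the original answer and is not WordPress code. The `demo_*` functions are hypothetical stand-ins (`demo_add_slashes_deep()` assumes `add_magic_quotes()` applies `addslashes()` to every string), and the input array is constructed.

```php
<?php
// Added example; demo_* names are hypothetical and run without WordPress.

// Stand-in for the slashing wp_magic_quotes() applies through add_magic_quotes()
// (assumption: addslashes() on every string, recursing into arrays).
function demo_add_slashes_deep($value)
{
    if (is_array($value)) {
        return array_map('demo_add_slashes_deep', $value);
    }
    return is_string($value) ? addslashes($value) : $value;
}

// Inverse operation, recursive like POSTGET_stripslashes_deep() in the answer.
function demo_unslash_deep($value)
{
    if (is_array($value)) {
        return array_map('demo_unslash_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Constructed sample: what the user actually typed, with literal
// backslashes and quotes, including a nested array field.
$typed = array(
    'path'  => 'C:\\temp\\new',
    'title' => "O'Reilly \\ \"quoted\"",
    'tags'  => array('a\\b', "it's"),
);

$slashed = demo_add_slashes_deep($typed); // what a plugin sees in $_POST under WordPress
$once    = demo_unslash_deep($slashed);   // one strip: the inverse of the slashing
$twice   = demo_unslash_deep($once);      // a second strip, e.g. two plugins both "fixing" input

echo "slashed path:   ", $slashed['path'], "\n";
echo "stripped once:  ", $once['path'], "\n";
echo "stripped twice: ", $twice['path'], "\n";

// Round-trip checks: one strip restores the typed data, a second one does not.
echo "once equals typed:  ";
var_dump($once === $typed);
echo "twice equals typed: ";
var_dump($twice === $typed);
```

Inside WordPress 3.6 and later, `wp_unslash()` performs this single strip on a value at the point of use, which avoids rewriting the superglobals for other plugins.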
