Home/ Questions/Q 7083771
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T07:13:09+00:00

It’s a simple question with a strangely elusive answer. get_magic_quotes_gpc() reports 0. I repeat,

  • 0

It’s a simple question with a strangely elusive answer.

get_magic_quotes_gpc() reports 0. I repeat, magic quotes are off. Magic quotes appear to have been disabled in php.ini (not at runtime).

Nevertheless, all POST data including single quotes (‘) is escaped when accessed in PHP. What could be causing this?

While preparing a test case, I discovered the general origin of the problem. We’re bootstrapping WordPress as our application integrates with a WordPress multisite installation. When I disable the WordPress bootstrapping, the auto-escaping is disabled. Where may WordPress’ auto-escape code be located?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I think I found it. Problem (bug): http://core.trac.wordpress.org/ticket/18322

    Solution: http://codex.wordpress.org/Function_Reference/stripslashes_deep

        $_GET       = array_map('stripslashes_deep', $_GET);
    $_POST      = array_map('stripslashes_deep', $_POST);
    $_COOKIE    = array_map('stripslashes_deep', $_COOKIE);
    $_SERVER    = array_map('stripslashes_deep', $_SERVER);
    $_REQUEST   = array_map('stripslashes_deep', $_REQUEST);

    Note: As suggested by @Alexandar O’Mara, you might want to reconsider overwriting the superglobals like this. If it’s appropriate for your situation, for example, you might just “strip locally” using an alternative like $post = array_map('stripslashes_deep', $_POST);

    Also see @quickshiftin’s excellent answer.

    • 0