Why Is My WordPress POST Data Escaping Even After Disabling Magic Quotes?

Magic Quotes Conundrum in WordPress

Despite disabling PHP's magic quotes (verified by get_magic_quotes_gpc() returning 0), POST data is still being escaped. This issue arises when WordPress is integrated into a multisite installation.

WordPress's Role in Auto-Escaping

The cause of the auto-escaping lies within WordPress's codebase. A bug (ticket #18322) in WordPress attempts to sanitize input even when magic quotes are disabled. The solution is to explicitly strip slashes from input data manually, as suggested in the codex.

Stripping Slashes Deeply

To resolve the issue, deep-strip slashes from superglobal arrays ($_GET, $_POST, $_COOKIE, $_SERVER, and $_REQUEST) using the stripslashes_deep() function:

<code class="php">$_GET       = array_map('stripslashes_deep', $_GET);
$_POST      = array_map('stripslashes_deep', $_POST);
$_COOKIE    = array_map('stripslashes_deep', $_COOKIE);
$_SERVER    = array_map('stripslashes_deep', $_SERVER);
$_REQUEST   = array_map('stripslashes_deep', $_REQUEST);</code>

Alternative Approach

Alternatively, consider using array_map() locally on specific arrays instead of overriding superglobals:

<code class="php">$post = array_map('stripslashes_deep', $_POST);</code>

Considerations

Modifying superglobals as shown above may have implications for your application. If the specific context allows, consider selective stripping to maintain data integrity. Consult the references provided for additional insights.

The above is the detailed content of Why Is My WordPress POST Data Escaping Even After Disabling Magic Quotes?. For more information, please follow other related articles on the PHP Chinese website!