Why Are $_Post Variables Getting Escaped in PHP

Escaping PHP GET and POST values

Well, it's bad for the same reason magic_quotes_gpc is bad. It's magic and will escape everything, whether you want it to or not. Instead, handle the escaping where it's used, and you can change things without any problem. So:

    function post($key) {
        if(array_key_exists($key, $_POST)) {
            return $_POST[$key];
        }

        return false;
    }

And do your escaping where it's needed. Otherwise, things can look strange, and unescaping them will defeat the point. Consider this; I input my last name, O'Hara, in a textbox. You want to echo it back, but you fetch it using getPost. Here's what I get back:

O\'Hara

Did you htmlspecialchars it again? Well, then I get:

O\'ara

or something. This happens to me a lot and it's incredibly annoying - please don't do it.

Why are $_POST variables getting escaped in PHP?

You probably have magic quotes enabled on the Linux server: magic_quotes

When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically.

They're a good thing to disable, as they are going to be removed from PHP 6 onwards anyway. You should also be able to disable them inside your script: set-magic-quotes-runtime. You can't deactivate the part of magic_quotes responsible for escaping POST data during runtime. If you can, disable it in php.ini. If you can't do that, do a check whether the magic_quotes are enabled, and do a stripslashes() on any content you fetch from POST:

    if (get_magic_quotes_gpc())
        $my_post_var = stripslashes($_POST["my_post_var"]);

Escaping $_POST to variables

I apologize - I must have been asleep this morning. This is something we should have caught earlier.

There were actually two problems in your original code:

  1. Since you're using the mysqli_* functions, you need to use mysqli_real_escape_string() instead of the mysql_real_escape_string() that was originally in your question. You've already corrected this in the question, but it probably led to us overlooking the second problem.

  2. mysqli_real_escape_string() takes different arguments than mysql_escape_string(), and the first argument needs to be a connection identifier. If you change your code to this, it should work:

    $order = mysqli_real_escape_string($con, $order);
    $heading = mysqli_real_escape_string($con, $heading);
    $content = mysqli_real_escape_string($con, $content);

As many of the comments pointed out, you may also want to look into using prepared statements instead.

While the code that you have is now secure from SQL injection, the advantage of prepared statements is that escaping is built in automatically and you don't have to remember to escape your variables every time you do a query.
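The prepared-statement alternative the answer mentions, as an added example that is not the answer's own code: the same three-column insert with mysqli, so no mysqli_real_escape_string() call is needed. The table name `posts`, the column names and the connection details are assumptions for this example.

```php
<?php
// Added example (not from the answer above). Table, columns and credentials
// are placeholders assumed for the demo.

function connect_db() {
    $con = mysqli_connect('localhost', 'DB_USER_PLACEHOLDER',
                          'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    if ($con === false) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    // Tell mysqli the connection charset; correct escaping of multi-byte
    // input depends on it, which is exactly what addslashes() ignores.
    mysqli_set_charset($con, 'utf8mb4');
    return $con;
}

function insert_post(mysqli $con, $order, $heading, $content) {
    // `order` is a reserved word in MySQL, so it must be backtick-quoted.
    // Identifiers cannot be bound as parameters; only values can.
    $sql = 'INSERT INTO `posts` (`order`, `heading`, `content`) VALUES (?, ?, ?)';
    $stmt = mysqli_prepare($con, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($con));
    }
    // Values travel separately from the SQL text, so a quote or backslash in
    // $heading is data, never syntax. 'iss' = int, string, string.
    mysqli_stmt_bind_param($stmt, 'iss', $order, $heading, $content);
    $ok    = mysqli_stmt_execute($stmt);
    $error = $ok ? null : mysqli_stmt_error($stmt);
    mysqli_stmt_close($stmt);
    if (!$ok) {
        throw new RuntimeException('execute failed: ' . $error);
    }
    return mysqli_insert_id($con);
}

// Prepared statements do not undo magic quotes: if magic_quotes_gpc (or
// WordPress's wp_magic_quotes) already added backslashes, they are stored
// verbatim. Strip them before binding; never escape a second time.
$con = connect_db();
$id  = insert_post($con, (int) $_POST['order'], $_POST['heading'], $_POST['content']);
echo "inserted row $id\n";
```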

Escape characters inside $_POST

Please notice that your $_POST array is inside the query. Correct syntax:

    for ($x = 0; $x < $counter; $x++) {
        if ($x)
            $p .= ',';

        $p .= "('','$code','" . htmlspecialchars($_POST["check".$x], ENT_QUOTES) . "','" . htmlspecialchars($_POST["procedure".$x], ENT_QUOTES) . "')";
    }

I have added the htmlspecialchars function to sanitize variables before sending them to the SQL server - this will prevent some possible SQL injection. Please read this to do it the best way:

How can I prevent SQL injection in PHP?

PHP 5.3 automatically escapes $_GET/$_POST from form strings?

This "feature" is known as magic_quotes_gpc and does not protect you from all SQL injection attacks (addslashes is called on every element of the input superglobals such as $_POST and $_GET. This ignores the actual input/database encoding). It is therefore deprecated and should not be used.

The official php manual includes a neat way to undo it in php code, but you should just turn it off.
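Undoing magic_quotes_gpc once at request start and escaping only at the point of use, as an added example covering the post() helper, the get_magic_quotes_gpc() check and the "undo it in PHP code" remark above (not code from any of the answers). The html() helper and the sample $_POST contents are assumptions constructed for the demo.

```php
<?php
// Added example (not from the answers above). Strip the slashes that
// magic_quotes_gpc added, once, then escape only where a value is used.

// magic_quotes_gpc also slashes nested arrays (e.g. name="check[]"), so the
// stripping must recurse; one stripslashes() on the top level is not enough.
function stripslashes_deep($value) {
    return is_array($value) ? array_map('stripslashes_deep', $value)
                            : stripslashes($value);
}

// Safe on every PHP version: get_magic_quotes_gpc() returns false from 5.4 on
// and no longer exists in 8.0, hence the function_exists() guard.
function undo_magic_quotes() {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET     = stripslashes_deep($_GET);
        $_POST    = stripslashes_deep($_POST);
        $_COOKIE  = stripslashes_deep($_COOKIE);
        $_REQUEST = stripslashes_deep($_REQUEST);
    }
}

// Raw accessor, as in the post() helper above: no escaping here.
function post($key) {
    return array_key_exists($key, $_POST) ? $_POST[$key] : false;
}

// Escape for the HTML context only where the value is echoed into a page.
function html($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

undo_magic_quotes();

// Constructed input: the $_POST a magic-quotes server would have produced.
$_POST = array('last_name' => "O\\'Hara", 'check' => array("it's"));
// Applied directly so the demo shows the effect on any PHP version; in a real
// request undo_magic_quotes() above does this.
$_POST = stripslashes_deep($_POST);

echo html(post('last_name')), "\n";   // escaped once, for HTML, at output time
echo html(post('check')[0]), "\n";    // nested values were un-slashed as well
```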

my GET variable is being escaped?

It's called "magic quotes".

Yii2: How to stop yii2 from escaping $_POST variables?

My bad. Yii doesn't change $_POST. And magic quotes are disabled.

The reason $_POST variables are escaped is because in my yii app I'm loading WordPress wp-load.php and it is WordPress who changed $_POST.

It is done in wp-settings.php by calling the wp_magic_quotes() function. To avoid this I remember contents of $_GET, $_POST, $_REQUEST, $_COOKIE and $_SERVER, then load wp-load.php, cache all data I need from WP and revert back.

Thanks for your comments!

PHP 7.2: HTTP Form Post, something is escaping single quotes with backslashes. Magic Quotes was dropped in 5.x

Thanks to everybody and especially @Phil, who pointed me to var_dump(file_get_contents('php://input'));

Even though PHP 7.2 doesn't have Magic Quotes, WordPress has its own magic_quotes implementation and is modifying the PHP $_POST data in order to "help".

Even though I was writing plain PHP code using what I thought was the PHP form post data, I was actually being given a sanitized copy.

It turns out that WordPress is having sanity issues and can't decide if they want Magic Quotes on or off even though PHP removed the functionality from the language.

#18322. The Road to Magic Quotes Sanity

WordPress and magic quotes
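The snapshot-and-restore approach from the Yii2 answer, together with the php://input comparison from the PHP 7.2 answer, as an added example that is not code from either answer. The loader callable stands in for `require_once 'wp-load.php'` (path assumed); the fake loader and the request data are constructed so the script runs without WordPress.

```php
<?php
// Added example (not from the WordPress answers above). Snapshot the request
// superglobals, run the loader (in a real app a closure doing
// require_once '/path/to/wp-load.php', path assumed), let $use cache whatever
// WordPress data is needed, then restore the originals so wp_magic_quotes()
// cannot leave backslashes in $_POST for the rest of the request.

function with_superglobals_preserved(callable $loader, callable $use) {
    $saved = array('GET' => $_GET, 'POST' => $_POST, 'REQUEST' => $_REQUEST,
                   'COOKIE' => $_COOKIE, 'SERVER' => $_SERVER);
    try {
        $loader();
        return $use();
    } finally {
        // Superglobals are visible in every scope, so this restores the real ones.
        $_GET     = $saved['GET'];
        $_POST    = $saved['POST'];
        $_REQUEST = $saved['REQUEST'];
        $_COOKIE  = $saved['COOKIE'];
        $_SERVER  = $saved['SERVER'];
    }
}

// @Phil's php://input check from the answer above, as a function: true when
// the decoded request body no longer matches $_POST, i.e. something rewrote
// the superglobal after PHP filled it. Valid only for
// application/x-www-form-urlencoded bodies, not multipart/form-data.
function post_was_rewritten() {
    parse_str(file_get_contents('php://input'), $raw);
    return $raw !== $_POST;
}

// Constructed stand-in for wp-load.php: wp_magic_quotes() runs addslashes()
// over the superglobals (a flat array here for brevity).
$fake_wp_load = function () {
    $_POST = array_map('addslashes', $_POST);
};

$_POST = array('last_name' => "O'Hara");   // constructed request data

$seen_by_wp = with_superglobals_preserved($fake_wp_load, function () {
    return $_POST['last_name'];            // what code running under WordPress sees
});

echo $seen_by_wp, "\n";          // the slashed copy WordPress-side code saw
echo $_POST['last_name'], "\n";  // the original value, restored for the rest of the script
```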
