With "Magic Quotes" Disabled, Why Does PHP/Wordpress Continue to Auto-Escape My Post Data

With magic quotes disabled, why does PHP/WordPress continue to auto-escape my POST data?

I think I found it. Problem (bug): http://core.trac.wordpress.org/ticket/18322

Solution: http://codex.wordpress.org/Function_Reference/stripslashes_deep

    $_GET     = array_map('stripslashes_deep', $_GET);
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
    $_SERVER  = array_map('stripslashes_deep', $_SERVER);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);

Note: As suggested by @Alexandar O'Mara, you might want to reconsider overwriting the superglobals like this. If it's appropriate for your situation, for example, you might just "strip locally" using an alternative like $post = array_map('stripslashes_deep', $_POST);

Also see @quickshiftin's excellent answer.

Get unescaped POST, not magic quoted values in WordPress

That looks like it should work fine. On the later part of the question I believe $wpdb->escape is deprecated, per the comment block

    /**
     * Do not use, deprecated.
     *
     * Use esc_sql() or wpdb::prepare() instead.
     *
     * ...

Looking through the WordPress code to determine if wpdb::prepare expects magic quoted value leads us into a quagmire of horrid WordPress code... >bites tongue<

It looks like it expects non-magic-quoted strings to me, but there's a chance it won't double escape if you pass it a magic quoted string, though I'd verify with a test.
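As an added example (not code from any of the answers above, and not WordPress's own code), this script reproduces what the first two answers describe: WordPress's wp_magic_quotes() adds slashes to $_POST even on a PHP version without magic quotes, escaping that data a second time before a query double-escapes it, and stripslashes_deep() on a local copy undoes the added layer. The helpers wp_style_add_magic_quotes() and stripslashes_deep_local() are stand-ins written here so the script runs without WordPress loaded; their names are assumptions, not WordPress APIs.

```php
<?php
// Added example; not from the question, the answers, or WordPress itself.
// wp_style_add_magic_quotes() mimics what WordPress's wp_magic_quotes() does
// to $_POST; stripslashes_deep_local() mimics WordPress's stripslashes_deep().
// Both are local stand-ins (assumed names) so this runs without WordPress.

// Stand-in for WordPress: addslashes() applied recursively to every value.
function wp_style_add_magic_quotes(array $data): array {
    foreach ($data as $k => $v) {
        $data[$k] = is_array($v) ? wp_style_add_magic_quotes($v) : addslashes($v);
    }
    return $data;
}

// Stand-in for stripslashes_deep(): stripslashes() applied recursively.
function stripslashes_deep_local($value) {
    return is_array($value)
        ? array_map('stripslashes_deep_local', $value)
        : stripslashes($value);
}

// Constructed sample request body: what the browser actually sent.
$raw_post = ['title' => "O'Reilly's \"Guide\"", 'tags' => ['C:\\path', "it's"]];

// What a plugin sees in $_POST after WordPress's wp_magic_quotes() has run.
$post = wp_style_add_magic_quotes($raw_post);
// 'title' is now: O\'Reilly\'s \"Guide\"

// Mistake: treating $post as raw input and escaping it again for SQL.
// (mysqli_real_escape_string() behaves the same; addslashes keeps this offline.)
$double = addslashes($post['title']);
// O\\\'Reilly\\\'s \\\"Guide\\\"  so the stored row would contain literal backslashes

// Fix from the answers: strip the slashes WordPress added, on a local copy
// rather than by overwriting the superglobal, then escape exactly once at the
// point of use (esc_sql()/wpdb::prepare() inside WordPress).
$clean = stripslashes_deep_local($post);
assert($clean === $raw_post);        // round trip restores the original input
$once = addslashes($clean['title']);
assert($once === $post['title']);    // a single layer of escaping remains

printf("raw:    %s\nwp:     %s\ndouble: %s\nonce:   %s\n",
       $raw_post['title'], $post['title'], $double, $once);
```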

PHP 7.2: HTTP Form Post, something is escaping single quotes with backslashes. Magic Quotes was dropped in 5.x

Thanks to everybody and especially @Phil, who pointed me to var_dump(file_get_contents('php://input'));

Even though PHP 7.2 doesn't have Magic Quotes, WordPress has its own magic_quotes implementation and is modifying the PHP _POST data in order to "help".

Even though I was writing plain PHP code using what I thought was the PHP form post data, I was actually being given a sanitized copy.

It turns out that WordPress is having sanity issues and can't decide if they want Magic Quotes on or off even though PHP removed the functionality from the language.

#18322. The Road to Magic Quotes Sanity

WordPress and magic quotes

Disabling magic quotes

On my project I use this:

    // Only runs where magic_quotes_gpc is on (PHP < 5.4). Note: get_magic_quotes_gpc()
    // was deprecated in PHP 7.4 and removed in 8.0; each() was deprecated in 7.2
    // and removed in 8.0, so this block does not run on PHP 8.
    if (get_magic_quotes_gpc()) {
        // Walk the superglobals by reference and strip the added slashes from
        // both keys and values, descending into nested arrays.
        $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
        while (list($key, $val) = each($process)) {
            foreach ($val as $k => $v) {
                unset($process[$key][$k]);
                if (is_array($v)) {
                    $process[$key][stripslashes($k)] = $v;
                    // Queue the nested array so the outer loop processes it too.
                    $process[] = &$process[$key][stripslashes($k)];
                } else {
                    $process[$key][stripslashes($k)] = stripslashes($v);
                }
            }
        }
        unset($process);
    }

I put it in the runtime and it works.

I also know how to disable it via .htaccess.

    php_flag magic_quotes_gpc off

I am sure these both work.

wordpress magic quotes by php code

In the end I found this:

    if ( get_magic_quotes_gpc() ) {
        $_POST    = array_map( 'stripslashes_deep', $_POST );
        $_GET     = array_map( 'stripslashes_deep', $_GET );
        $_COOKIE  = array_map( 'stripslashes_deep', $_COOKIE );
        $_REQUEST = array_map( 'stripslashes_deep', $_REQUEST );
    }

to set at the beginning of my page.

And it works.

Thanks to all.

are some characters automatically escaped?

This is probably magic quotes in action. Disable them immediately and then follow the usual best practices to properly escape user-supplied input depending on what you are going to do with it.

Why Magic Quotes has been removed from PHP 5.4?

Why it was deprecated is explained very well in the manual by chao.

Quoting chao's comment:

The very reason magic quotes are deprecated is that a one-size-fits-all approach to escaping/quoting is wrongheaded and downright dangerous. Different types of content have different special chars and different ways of escaping them, and what works in one tends to have side effects elsewhere. Any sample code, here or anywhere else, that pretends to work like magic quotes --or does a similar conversion for HTML, SQL, or anything else for that matter -- is similarly wrongheaded and similarly dangerous.

Magic quotes are not for security. They never have been. It's a convenience thing -- they exist so a PHP noob can fumble along and eventually write some mysql queries that kinda work, without having to learn about escaping/quoting data properly. They prevent a few accidental syntax errors, as is their job. But they won't stop a malicious and semi-knowledgeable attacker from trashing the PHP noob's database. And that poor noob may never even know how or why his database is now gone, because magic quotes (or his spiffy "i'm gonna escape everything" function) gave him a false sense of security. He never had to learn how to really handle untrusted input.

Also a good read: the Criticism section of the Wikipedia article on Magic quotes.


