With magic quotes disabled, why does PHP/WordPress continue to auto-escape my POST data?
I think I found it. Problem (bug): http://core.trac.wordpress.org/ticket/18322
Solution: http://codex.wordpress.org/Function_Reference/stripslashes_deep
$_GET = array_map('stripslashes_deep', $_GET);
$_POST = array_map('stripslashes_deep', $_POST);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
$_SERVER = array_map('stripslashes_deep', $_SERVER);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
Note: As suggested by @Alexandar O'Mara, you might want to reconsider overwriting the superglobals like this. If it's appropriate for your situation, for example, you might just "strip locally" using an alternative like $post = array_map('stripslashes_deep', $_POST);
Also see @quickshiftin's excellent answer.
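A stand-alone sketch of the "strip locally" approach, added here as an example and not part of the original answers. It runs without WordPress: add_slashes_deep() and strip_slashes_deep() are hypothetical stand-ins for the slashing WordPress applies to request data and for stripslashes_deep(), and the form data is constructed.

```php
<?php
// Hypothetical stand-in for the slashing WordPress applies to request data.
function add_slashes_deep($value)
{
    return is_array($value)
        ? array_map('add_slashes_deep', $value)
        : (is_string($value) ? addslashes($value) : $value);
}

// Hypothetical stand-in for stripslashes_deep(): recurse into nested arrays.
function strip_slashes_deep($value)
{
    return is_array($value)
        ? array_map('strip_slashes_deep', $value)
        : (is_string($value) ? stripslashes($value) : $value);
}

// Constructed form submission, as the browser sent it.
$raw = [
    'author' => "Miles O'Brien",
    'path'   => 'C:\\temp\\new',        // a value that really contains backslashes
    'tags'   => ["it's", 'say "hi"'],   // nested array field
];

// What plugin code finds in the superglobal after the slashing step.
$slashed = add_slashes_deep($raw);

// Strip into a local copy; the (simulated) superglobal is left untouched
// for any other code that expects slashed data and strips it itself.
$post = strip_slashes_deep($slashed);

// Had the superglobal been overwritten, a later strip by other code would run
// on already-clean data and eat the genuine backslashes in 'path'.
$twice = strip_slashes_deep($post);

echo 'slashed author:     ', $slashed['author'], "\n";
echo 'local copy intact:  ', var_export($post === $raw, true), "\n";
echo 'path, stripped 1x:  ', $post['path'], "\n";
echo 'path, stripped 2x:  ', $twice['path'], "\n";
```

The last two lines show why overwriting the superglobals is the riskier option: stripping is not idempotent, so any value that legitimately contains a backslash is damaged the second time it is stripped.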
Get unescaped POST, not magic quoted values in WordPress
That looks like it should work fine. On the later part of the question I believe $wpdb->escape is deprecated, per the comment block
/**
* Do not use, deprecated.
*
* Use esc_sql() or wpdb::prepare() instead.
*
* ...
Looking through the WordPress code to determine if wpdb::prepare expects a magic-quoted value leads us into a quagmire of horrid WordPress code... >bites tongue<
It looks like it expects non-magic-quoted strings to me, but there's a chance it won't double escape if you pass it a magic quoted string, though I'd verify with a test.
PHP 7.2: HTTP Form Post, something is escaping single quotes with backslashes. Magic Quotes was dropped in 5.x
Thanks to everybody and especially @Phil, who pointed me to var_dump(file_get_contents('php://input'));
Even though PHP 7.2 doesn't have Magic Quotes, WordPress has their own magic_quotes implementation and is modifying the PHP _POST data in order to "help".
Even though I was writing plain PHP code using what I thought was the PHP form post data, I was actually being given a sanitized copy.
It turns out that WordPress is having sanity issues and can't decide if they want Magic Quotes on or off even though PHP removed the functionality from the language.
#18322. The Road to Magic Quotes Sanity
WordPress and magic quotes
Disabling magic quotes
On my project I use this:
// Runs only when PHP's own magic_quotes_gpc setting is on.
if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                // Nested array: unslash the key and queue the array for processing.
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                // Scalar: unslash both key and value.
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
I put it in the runtime and it works.
I also know how to disable it via .htaccess.
php_flag magic_quotes_gpc off
I am sure these both work.
wordpress magic quotes by php code
In the end I found this:
if ( get_magic_quotes_gpc() ) {
    $_POST = array_map( 'stripslashes_deep', $_POST );
    $_GET = array_map( 'stripslashes_deep', $_GET );
    $_COOKIE = array_map( 'stripslashes_deep', $_COOKIE );
    $_REQUEST = array_map( 'stripslashes_deep', $_REQUEST );
}
to set at the beginning of my page.
And it works.
Thanks to all.
are some characters automatically escaped?
This is probably magic quotes in action. Disable them immediately and then follow the usual best practices to properly escape user-supplied input depending on what you are going to do with it.
Why Magic Quotes has been removed from PHP 5.4?
Why they were deprecated is explained very well in the manual by chao.
Quoting chao's comment:
The very reason magic quotes are deprecated is that a one-size-fits-all approach to escaping/quoting is wrongheaded and downright dangerous. Different types of content have different special chars and different ways of escaping them, and what works in one tends to have side effects elsewhere. Any sample code, here or anywhere else, that pretends to work like magic quotes --or does a similar conversion for HTML, SQL, or anything else for that matter -- is similarly wrongheaded and similarly dangerous.
Magic quotes are not for security. They never have been. It's a convenience thing -- they exist so a PHP noob can fumble along and eventually write some mysql queries that kinda work, without having to learn about escaping/quoting data properly. They prevent a few accidental syntax errors, as is their job. But they won't stop a malicious and semi-knowledgeable attacker from trashing the PHP noob's database. And that poor noob may never even know how or why his database is now gone, because magic quotes (or his spiffy "i'm gonna escape everything" function) gave him a false sense of security. He never had to learn how to really handle untrusted input.
Also a good read: Wikipedia: Magic quotes, Criticism
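The point about escaping per destination, as an added example that is not part of the quoted comment or the original answers: one constructed value is sent to a SQL sink and an HTML sink, once with blanket addslashes() and once with the handling each sink needs. It assumes the pdo_sqlite extension is available; the table and the html_escape() helper are made up for the demonstration.

```php
<?php
// Constructed untrusted value with characters special to both SQL and HTML.
$name = "O'Brien <b>& co</b>";

// Blanket escaping in the style of magic quotes: one transform for every sink.
$blanket = addslashes($name);

// Assumes the pdo_sqlite extension; an in-memory database keeps this offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');

// SQL sink, wrong: SQLite does not treat backslash as an escape character,
// so the quote after "O\" ends the literal and the statement fails to parse.
try {
    $db->exec("INSERT INTO people (name) VALUES ('$blanket')");
    $blanketInsert = 'accepted';
} catch (PDOException $e) {
    $blanketInsert = 'rejected: ' . $e->getMessage();
}

// SQL sink, right: bind the raw value; the driver keeps data apart from SQL text.
$stmt = $db->prepare('INSERT INTO people (name) VALUES (?)');
$stmt->execute([$name]);
$stored = $db->query('SELECT name FROM people')->fetchColumn();

// HTML sink: escape at output time, with HTML's rules, not SQL's.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "blanket-escaped insert: $blanketInsert\n";
echo 'stored via bound parameter: ', var_export($stored === $name, true), "\n";
echo 'blanket value in HTML:      ', $blanket, "\n"; // addslashes() leaves markup untouched
echo 'HTML-escaped for output:    ', html_escape($stored), "\n";
```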