WordPress and magic quotes

I’ve been writing some WordPress plugins, and I’ve been having some problems with WordPress putting magic quotes on POST and GET data.

Specifically, the “wp_magic_quotes” function in \wp-includes\load.php, which is called (presumably on every response) in wp-settings.php. This function adds magic quotes to the data even if I turn off magic quotes in PHP settings.

/**
 * Add magic quotes to $_GET, $_POST, $_COOKIE, and $_SERVER.
 *
 * Also forces $_REQUEST to be $_GET + $_POST. If $_SERVER, $_COOKIE,
 * or $_ENV are needed, use those superglobals directly.
 *
 * @access private
 * @since 3.0.0
 */
function wp_magic_quotes() {
    // If already slashed, strip.
    if ( get_magic_quotes_gpc() ) {
        $_GET    = stripslashes_deep( $_GET    );
        $_POST   = stripslashes_deep( $_POST   );
        $_COOKIE = stripslashes_deep( $_COOKIE );
    }

    // Escape with wpdb.
    $_GET    = add_magic_quotes( $_GET    );
    $_POST   = add_magic_quotes( $_POST   );
    $_COOKIE = add_magic_quotes( $_COOKIE );
    $_SERVER = add_magic_quotes( $_SERVER );

    // Force REQUEST to be GET + POST.
    $_REQUEST = array_merge( $_GET, $_POST );
}

Is it safe for me to just comment out the wp_magic_quotes() call in wp-settings.php? That is, will it negatively affect the normal WordPress code and/or open up some exploitation vector? If so, is there some other way to do it besides modifying WP code (so I don’t have to deal with this every time there’s an update)?


Simply put, WP turns an indeterminate situation (magic quotes might or might not be enabled in the server configuration) into a determinate one (magic quotes are always present and the server configuration does not matter).

Rather than messing with this for all of WP core, it makes much more sense to simply strip slashes in your own code, on your own variables, when you need to.
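The answer's advice in practice, as an added example that is not code from the question, the answer, or WordPress core. The script reproduces what wp_magic_quotes() does to a constructed POST body and then unslashes a plugin's own copy of the data, leaving $_POST itself alone. slash_deep() and unslash_deep() are stand-ins (assumed names) that mimic WordPress's add_magic_quotes() and stripslashes_deep() (the latter is wrapped as wp_unslash() since WP 3.6) so the script runs outside WordPress; in a real plugin call the WordPress functions instead. my_plugin_read() and the option of a strip_tags()/trim() sanitizer standing in for sanitize_text_field() are likewise assumptions for the example.

```php
<?php
// Added example, not from the page or from WordPress core.
// Shows the effect of wp_magic_quotes() on request data and the answer's
// approach: strip slashes on your own variables, not on the superglobals.
//
// Stand-ins so this runs without WordPress:
//   slash_deep()   mimics add_magic_quotes()
//   unslash_deep() mimics stripslashes_deep() / wp_unslash()

function slash_deep($value) {
    return is_array($value)
        ? array_map('slash_deep', $value)
        : addslashes((string) $value);
}

function unslash_deep($value) {
    return is_array($value)
        ? array_map('unslash_deep', $value)
        : stripslashes((string) $value);
}

// Constructed request body: the bytes the browser actually sent.
$raw_post = [
    'title' => "O'Reilly's \"Guide\"",
    'note'  => 'see C:\temp for details',
    'tags'  => ["it's", 'a\b'],
];

// After wp-settings.php has run, $_POST looks like this regardless of how
// magic_quotes_gpc is set in php.ini.
$_POST = slash_deep($raw_post);

// A plugin that uses $_POST as-is stores the backslashes as data:
// "O\'Reilly\'s \"Guide\"" would end up in the database or an option value.
$wrong = $_POST['title'];

// The answer's approach: unslash a copy of the data your plugin owns, then
// sanitize each field. $_POST is left untouched for the rest of WordPress.
function my_plugin_read(array $post): array {
    $clean = unslash_deep($post);   // now identical to what the browser sent

    $text = function ($v) {
        // Stand-in for sanitize_text_field(): strip markup and surrounding space.
        return strip_tags(trim((string) $v));
    };

    return [
        'title' => $text($clean['title'] ?? ''),
        'note'  => $text($clean['note'] ?? ''),
        'tags'  => array_values(array_filter(array_map($text, (array) ($clean['tags'] ?? [])))),
    ];
}

$data = my_plugin_read($_POST);

// Sanity checks: unslashing restores the original bytes exactly, and the
// slashed form differs from what the user typed.
assert(unslash_deep($_POST) === $raw_post);
assert($wrong !== $raw_post['title']);
assert($data['title'] === $raw_post['title']);

// Unslashing is not escaping. Whatever you do with $data next still needs the
// sink-specific step: $wpdb->prepare() for SQL, esc_html()/esc_attr() for HTML.
// Concatenating the unslashed value into SQL is the injection the slashes were
// (badly) papering over. The right shape for a database write is:
//   $wpdb->query( $wpdb->prepare( "INSERT INTO {$wpdb->prefix}my_tbl (title) VALUES (%s)", $data['title'] ) );

echo "raw title:      " . $raw_post['title'] . "\n";
echo "as in \$_POST:   " . $wrong . "\n";
echo "after unslash:  " . $data['title'] . "\n";
```

One caveat, not stated on the page: several core write APIs (wp_insert_post(), update_post_meta() and similar) expect their input in the slashed form that wp_magic_quotes() produces and unslash it internally. Unslash only the values your own code stores or renders; if you have already unslashed something and then hand it to one of those APIs, pass it through wp_slash() first.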
