Is using stripslashes() in WordPress unsafe?

When I create an input

<input type="text" name="456" value="123">

and pass that data to another PHP site, WordPress automatically adds backslashes like:

\"my text\"

But I need the text in that following way:

"my text". 

And that is why I use the function before I further process the data:

stripslashes() 

Is that an unsafe solution against hacking? It is crucial to know since I send passwords over an API.

3 comments

  1. For future readers, the previous answers are straight-up wrong. As per Ian's comment, WordPress enforces the equivalent of magic quotes internally to ensure consistent input, backwards compatibility, and to protect newbies from compromising WP installs. It's a hangover from the bad old days™ when it was quite common for people to insert data directly into the database without any sanitising/validation, then write hacky workarounds only for the issues they witnessed rather than doing it properly.

    It is safe to use stripslashes() and stripslashes_deep() on your data, as long as you’re correctly passing any unescaped data through $wpdb->insert(), $wpdb->prepare(), etc. when saving it to the database. Never write unescaped data to the superglobals like $_POST which are expected to remain escaped, use a copy like $my_post = stripslashes_deep($_POST);. It is mostly expected that you will do unescaping yourself, which is why it used to be common to see a lot of backslashes littering WP content.

    This is completely separate to escaping for html output which should always be done on untrusted user input.

  2. It should be safe.

    According to http://fearlessflyer.com/getting-rid-of-unwanted-backslashes-in-wordpress-form-input/

    According to PHP.net: Magic Quotes are deprecated as of version 5.3 and will not be part of future versions.

    See: http://php.net/manual/en/security.magicquotes.disabling.php

    Quick answer
    Add this to your PHP:

    <?php
    // get_magic_quotes_gpc() always returns false on PHP 5.4+ and was removed in
    // PHP 8.0, so the function_exists() guard keeps this from fatalling there.
    // Note that WordPress adds its slashes itself (wp_magic_quotes()), so this
    // condition is false inside WordPress on any modern PHP.
    if ( function_exists( 'get_magic_quotes_gpc' ) && get_magic_quotes_gpc() ) {
        // stripslashes_deep() is WordPress's recursive stripslashes(); it handles
        // scalars too, so array_map() over each superglobal works.
        $_POST      = array_map( 'stripslashes_deep', $_POST );
        $_GET       = array_map( 'stripslashes_deep', $_GET );
        $_COOKIE    = array_map( 'stripslashes_deep', $_COOKIE );
        $_REQUEST   = array_map( 'stripslashes_deep', $_REQUEST );
    }
    ?>
    
  3. I would guess that this is not WordPress but your installation of PHP having magic quotes enabled. You should modify your php.ini to disable magic quotes. Magic Quotes are EVIL!

    http://php.net/manual/en/security.magicquotes.disabling.php

    Magic Quotes are DEPRECATED as of PHP 5.3 and they are completely removed from PHP 5.4.

    UPDATE
    I've never heard of stripslashes being compromised. It's a string on the way in, it'll be a string with fewer slashes on the way out. So, if you can't turn off magic quotes, then I would use stripslashes to remove the quotes from the $_POST, etc. If you're worried about other plugins being affected by your removal of slashes (though I would be surprised), then you could do something like this:

    class Http {
        private static $_instance;   // static: it is read from the static instance() method
        private $_post;
        private $_get;
        private $_cookie;
        private $_request;
    
        // Singleton pattern to avoid parsing multiple times.
        public static function instance() {
            if( is_null(self::$_instance) ) {
                self::$_instance = new self();
            }
            return self::$_instance;
        }
        private function __construct() {
            // get_magic_quotes_gpc() is always false on PHP 5.4+ and was removed in PHP 8.0.
            $isMagicQuotesOn    = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    
            // Keep unslashed copies; the superglobals themselves are left untouched.
            $this->_post        = $isMagicQuotesOn ? array_map( array($this,'removeMagic'), $_POST )    : $_POST;
            $this->_get         = $isMagicQuotesOn ? array_map( array($this,'removeMagic'), $_GET )     : $_GET;
            $this->_cookie      = $isMagicQuotesOn ? array_map( array($this,'removeMagic'), $_COOKIE )  : $_COOKIE;
            $this->_request     = $isMagicQuotesOn ? array_map( array($this,'removeMagic'), $_REQUEST ) : $_REQUEST;
        }
        // Recursively strip one layer of slashes from strings and nested arrays.
        public function removeMagic( $value ) {
            return is_array($value) ? array_map(array($this,'removeMagic'), $value) : stripslashes($value);
        }
    
        public function get( $var ) {
            return isset($this->_get[$var]) ? $this->_get[$var] : null;
        }
        public function post( $var ) {
            return isset($this->_post[$var]) ? $this->_post[$var] : null;
        }
        public function cookie( $var ) {
            return isset($this->_cookie[$var]) ? $this->_cookie[$var] : null;
        }
        public function request( $var ) {
            return isset($this->_request[$var]) ? $this->_request[$var] : null;
        }
    }
    

    Then, you can access your vars as: Http::instance()->get('myvar');. Once you do this, then you just need to properly sanitize the input before you do SQL operations, mail() headers, etc., which is where injections would likely occur. For the DB, you should use something like mysql_real_escape_string (legacy) or PDO::quote() (currently)…or better yet, only use prepared statements. These methods take the DB context and properly sanitize the data for THAT DB, which is much safer than addslashes for the same thing.

    Personally, I would rather disable magic quotes. But if you can’t do that, this approach should work.
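The pipeline that comment 1 describes (unslash a copy of the request, hand the raw value to a prepared statement, escape separately at HTML output) and the prepared-statement advice in comment 3, as an added worked example that is not code from the thread or from WordPress. It is plain PHP so it runs stand-alone: `slash_deep()` and `unslash_deep()` are stand-ins written here for what `wp_magic_quotes()` and `stripslashes_deep()` do, the request array is constructed, and an in-memory SQLite database (assumes the pdo_sqlite extension) replaces `$wpdb`. The last section shows the practical caveat for the question's password use case: `stripslashes()` is lossless only when applied exactly once to data that really was slashed.

```php
<?php
// Added example, not from the original thread. Plain PHP, no WordPress.
// Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

/** Throw instead of relying on zend.assertions, so the checks run in any ini. */
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

/** Stand-in for WordPress's stripslashes_deep(): remove ONE layer of slashes, recursively. */
function unslash_deep($value)
{
    if (is_array($value)) {
        return array_map('unslash_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/** Stand-in for wp_magic_quotes(): add slashes recursively, to build realistic input. */
function slash_deep($value)
{
    if (is_array($value)) {
        return array_map('slash_deep', $value);
    }
    return is_string($value) ? addslashes($value) : $value;
}

// Constructed sample: what the user actually typed into the form.
$typed = [
    'username' => "O'Reilly",
    'password' => 'p@ss\\word "quoted"',   // one literal backslash plus double quotes
    'note'     => '<b>hi</b>',
];

// What WordPress leaves in $_POST: every string passed through addslashes().
$_POST = slash_deep($typed);

// 1. Unslash a COPY. The superglobal stays slashed, as WordPress expects.
$input = unslash_deep($_POST);
check($input === $typed, 'unslashed copy equals what was typed');
check($_POST['username'] === "O\\'Reilly", 'superglobal still carries its slashes');

// 2. Persist with a prepared statement: the driver keeps the value apart from
//    the SQL text, so no addslashes()/stripslashes() juggling is involved.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password_hash TEXT, note TEXT)');

$stmt = $db->prepare('INSERT INTO users (username, password_hash, note) VALUES (:u, :p, :n)');
$stmt->execute([
    ':u' => $input['username'],
    ':p' => password_hash($input['password'], PASSWORD_DEFAULT), // store a hash, never the password
    ':n' => $input['note'],
]);

$row = $db->query('SELECT username, password_hash, note FROM users')->fetch(PDO::FETCH_ASSOC);
check($row['username'] === "O'Reilly", 'quote stored literally, no slash');
check(password_verify($typed['password'], $row['password_hash']), 'backslash in password survived');

// 3. Escape for HTML only at output time; this is a separate step from unslashing.
echo htmlspecialchars($row['note'], ENT_QUOTES, 'UTF-8'), PHP_EOL;

// 4. The caveat: unslashing data that was not slashed (or unslashing twice)
//    silently deletes real backslashes. For a password that means a wrong hash.
$twice = unslash_deep($input);
check($twice['password'] === 'p@ssword "quoted"', 'second stripslashes() ate the backslash');
echo "all checks passed", PHP_EOL;
```

Inside WordPress the same shape is `$input = wp_unslash($_POST)` (or `stripslashes_deep()`), `$wpdb->insert()` / `$wpdb->prepare()` for the write, and `esc_html()` for output. The point of step 4 is that unslashing is a boundary operation to be done exactly once where the request enters your code, not a sanitiser to sprinkle wherever a string looks wrong.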