In the wp_kses codex page it says:
"You have to remove any slashes from PHP’s magic quotes before you call this function."
I am new(ish) to PHP and I wiki’d Magic Quotes and it was apparently recently deprecated/removed from the language. So is this something that I still have to worry about?
WordPress is still adding slashes to data sent per POST, so yes, in some cases you might have to remove the slashes. There are two options:

1. stripslashes_deep( $value ). This function accepts an array, an object or a string and removes the slashes.
2. Get POST data per:
   This takes the data from the raw input stream, a resource that cannot be changed (read-only), so it is not changed by WordPress too. This doesn’t work when the form was sent with enctype="multipart/form-data", e.g. with file uploads.

Be aware stripslashes_deep() might ruin JSON encoded strings.

Magic quotes are not quotes, they are backslashes. They work like addslashes() and are applied on several places to incoming data. Backslashes are set before ', ", and the character NULL.

In WordPress there is a function add_magic_quotes() (wp-includes/functions.php). It runs on $_GET, $_POST, $_COOKIE and $_SERVER in wp-includes/load.php in the function wp_magic_quotes(), and on user/post data pulled from the database.
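The slashing round trip and the JSON caveat from the answer above, as an added example that is not part of the original post. It runs in plain PHP without WordPress; slash_deep() and unslash_deep() are hypothetical local stand-ins for add_magic_quotes() and stripslashes_deep(), and the form values are constructed.

```php
<?php
// Added example, plain PHP. slash_deep()/unslash_deep() are hypothetical
// stand-ins for WordPress's add_magic_quotes()/stripslashes_deep().

function slash_deep($value) {
    if (is_array($value)) {
        return array_map('slash_deep', $value);
    }
    return is_string($value) ? addslashes($value) : $value;
}

function unslash_deep($value) {
    if (is_array($value)) {
        return array_map('unslash_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Constructed sample: the values the browser actually submitted.
$submitted = array(
    'title'   => "It's a \"test\"",
    'payload' => json_encode(array('path' => 'C:\\temp', 'note' => 'say "hi"')),
);

// What plugin code would find in $_POST after the slashing pass.
$post = slash_deep($submitted);

// Case 1: slashed input, unslashed exactly once. The original values come
// back and the JSON field decodes again.
$clean = unslash_deep($post);
echo "round trip intact: ";
var_dump($clean === $submitted);
echo "JSON decodes after one unslash: ";
var_dump(is_array(json_decode($clean['payload'], true)));

// Case 2: slashed input used as-is. The added backslashes make the JSON
// field invalid, so it must be unslashed before decoding or filtering.
echo "JSON decodes while still slashed: ";
var_dump(is_array(json_decode($post['payload'], true)));

// Case 3: unslashing data that was never slashed (for example, read from
// the raw input stream). This strips the backslashes JSON itself needs,
// which is how the unslash step can ruin JSON encoded strings.
$broken = unslash_deep($submitted);
echo "JSON decodes after unslashing unslashed data: ";
var_dump(is_array(json_decode($broken['payload'], true)));
```

The point for callers of wp_kses and similar filters is to unslash each value exactly once, and to track which source the value came from before deciding whether to unslash at all.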