wp_kses and magic quotes

In the wp_kses codex page it says:

You have to remove any slashes from PHP’s magic quotes before you call
this function.


I am new(ish) to PHP and I wiki’d Magic Quotes and it was apparently recently deprecated/removed from the language. So is this something that I still have to worry about?


1 comment

  1. WordPress is still adding slashes to data sent per POST, so yes, in some cases you might have to remove the slashes. There are two options:

    1. Use stripslashes_deep( $value ). This function accepts an array, an object or a string and removes the slashes.
    2. Get POST data per:

      $data = file_get_contents( 'php://input' );
      

      This takes the data from the raw input stream, a resource that cannot be changed (read-only), so it is not changed by WordPress either. This doesn’t work when the form was sent with enctype="multipart/form-data", e.g. with file uploads.

    Be aware stripslashes_deep() might ruin JSON encoded strings.

    Magic quotes are not quotes, they are backslashes. They work like addslashes() and are applied in several places to incoming data. Backslashes are set before ', ", and the character NULL.

    In WordPress there is a function add_magic_quotes() (wp-includes/functions.php). It runs on $_GET, $_POST, $_COOKIE and $_SERVER in wp-includes/load.php in the function wp_magic_quotes(), and on user/post data pulled from the database.
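
The slashing behaviour discussed in the answer above, as an added example that is not part of the original post or of WordPress itself. It runs in plain PHP without WordPress loaded: `simulate_wp_slashing()` and `unslash_deep()` are hypothetical stand-ins for `add_magic_quotes()` and `stripslashes_deep()`, and all input values are constructed.

```php
<?php
// Added example; hypothetical helper names, constructed sample data.

// Stand-in for WordPress slashing request data: addslashes() applied recursively.
function simulate_wp_slashing($value) {
    return is_array($value)
        ? array_map('simulate_wp_slashing', $value)
        : addslashes($value);
}

// Stand-in for stripslashes_deep(): stripslashes() on strings and nested arrays.
function unslash_deep($value) {
    return is_array($value)
        ? array_map('unslash_deep', $value)
        : stripslashes($value);
}

function report($label, $ok) {
    echo str_pad($label, 48), $ok ? 'yes' : 'no', "\n";
}

// Case 1: a form field as the browser sent it, then as code sees it in $_POST.
$sent = ['comment' => 'It\'s a "test" in C:\\temp'];
$post = simulate_wp_slashing($sent);
$once = unslash_deep($post);
report('slashed value differs from what was sent?', $post !== $sent);
report('one unslash restores the original?', $once === $sent);

// Case 2: unslashing a second time removes backslashes the user really typed,
// so the value handed to a sanitizer such as wp_kses() is no longer the input.
$twice = unslash_deep($once);
report('second unslash still equals the original?', $twice === $sent);

// Case 3: JSON read from php://input was never slashed. Stripping slashes
// from it deletes the JSON escape characters and the document stops parsing.
$raw_json = json_encode(['title' => 'say "hi"', 'path' => 'C:\\temp']);
report('raw JSON decodes?', json_decode($raw_json, true) !== null);
report('unslashed raw JSON decodes?',
    json_decode(stripslashes($raw_json), true) !== null);
```

The point for sanitizing code is to unslash exactly once, on data that was actually slashed, before passing it to wp_kses().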
