Integrated WordPress adding slashes to POST data (Magic Quotes)


I’ve just encountered an issue with WordPress integration into WishForThis that I thought was worth mentioning. It’s in relation to Magic Quotes – PHP’s now defunct (well, from PHP 5.3.0 onwards) system for protecting new coders of PHP from the perils of SQL injection.

Magic Quotes

Magic Quotes is PHP’s system of automatically adding slashes to all GET, POST and COOKIE (GPC) data to make sure if it’s added to a database that it’s already escaped to prevent SQL being injected into queries. There’s a lot of debate on the internet about it with the result being that most (including myself) hate it, to the point that it’ll no longer be included from PHP 5.3.0 onwards.

Removing Magic Quotes

First of all, Magic Quotes can be disabled in your ‘php.ini’ file with the line: ‘magic_quotes_gpc = Off’. It cannot, however, be disabled at run-time using the ‘ini_set()’ command. It’s also possible to disable it from ‘.htaccess’ with the line: ‘php_flag magic_quotes_gpc Off’

In code, it’s easy to sanitize incoming GPC data by using the following function:

// Sanitize Magic Quotes data
function Sanitize( $szString )
	return ( get_magic_quotes_gpc() ? stripslashes( $szString ) : $szString );

This may be necessary if you’re on shared hosting, or for some reason don’t have access to your PHP configuration. It’s certainly a sensible thing to account for if you’re using a pre 5.3.0 version of PHP.

WordPress and Magic Quotes

WordPress for some, I’m sure it was sensible at the time, reason decided to add their own Magic Quotes-esq system. ‘wp-settings.php’ contains the line ‘wp_magic_quotes();’ which basically ensures that all incoming GPC data is escaped, regardless of your Magic Quotes settings. The problem with this? If, like me, you don’t base your site around WordPress but instead integrate it into particular pages it means _ALL_ of your GPC data after including WordPress is escaped!

Rant Over.

Posted in Coding, Web | Tagged , | Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

> Talk to me!

Twitter profile for Richard Turnbullwitter:
  • Attempting to load Twitter feed..
Facebook profile for Richard Turnbull LinkedIn profile for Richard Turnbull

> Tools

Share |

> Advert