WordPress and magic quotes

The question:

I’ve been writing some WordPress plugins, and I’ve been having some problem with WordPress putting magic quotes on POST and GET data.

Specifically, the “wp_magic_quotes” function in wp-includesload.php, which is called (presumably on every response) in wp-settings.php. This function adds magic quotes to the data even if I turn off magic quotes in PHP settings.

 * Add magic quotes to $_GET, $_POST, $_COOKIE, and $_SERVER.
 * Also forces $_REQUEST to be $_GET + $_POST. If $_SERVER, $_COOKIE,
 * or $_ENV are needed, use those superglobals directly.
 * @access private
 * @since 3.0.0
function wp_magic_quotes() {
    // If already slashed, strip.
    if ( get_magic_quotes_gpc() ) {
        $_GET    = stripslashes_deep( $_GET    );
        $_POST   = stripslashes_deep( $_POST   );
        $_COOKIE = stripslashes_deep( $_COOKIE );

    // Escape with wpdb.
    $_GET    = add_magic_quotes( $_GET    );
    $_POST   = add_magic_quotes( $_POST   );
    $_COOKIE = add_magic_quotes( $_COOKIE );
    $_SERVER = add_magic_quotes( $_SERVER );

    // Force REQUEST to be GET + POST.
    $_REQUEST = array_merge( $_GET, $_POST );

Is it safe for me to just comment out the wp_magic_quotes() call in wp-settings.php? That is, will it negatively affect the normal WordPress code and/or open up some exploitation vector? If so, is there some other way to do it besides modifying WP code (so I don’t have to deal with this every time there’s an update)?

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

Simply put WP turns indeterminate situation (magic quotes might or might not be enabled in server configuration) into determinate (magic quotes are always present and server configuration does not matter).

Rather than messing with this for all WP core it makes much more sense to simply strip slashes in your code on your own variables, when you need that.

Method 2

The current behavior in WordPress is best practice based on the compatibility of all PHP systems and configurations. WordPress has always normalized $_GET, $_POST, $_COOKIE, and $_SERVER to be slashed, and expect that it will continue to do so.

So, to extract a POST or a GET parameter we have to write:

$value = stripslashes_deep($_POST['name']); or

$value = stripslashes_deep($_GET['name']);

Method 3

I think the following links might help:

Method 4

I wrote a solution for dealing with these superglobal arrays in a similar question in Stack Overflow.

It consists of writing one single “accessor method” (get/set) for each superglobal, slashing and stripping transparently. So you’d use, for instance:

echo _get('username');    // echo stripslashes_deep($_GET['username']);
_cookie('name', 'value'); // $_COOKIE['name'] = addslashes_deep('value');

This way you can refrain from messing even further with the superglobals and enjoy a solution that will work “locally” for your code, without any side effects. For me, it was the ultimate solution.

Method 5

I recently had this problem, and I finally figured it out. I was basically searching almost every website on magic quotes on WordPress and none of them helped.

This is how to fix it:

  1. Go into your wp-settings.php

  2. Search for wp_magic_quotes();

  3. Just comment it out and it should work now

This works because if you look before that code you’ll see:

// Disable magic quotes at runtime. Magic quotes are added using wpdb later in //wp-settings.php.

@ini_set( 'magic_quotes_runtime', 0 );
@ini_set( 'magic_quotes_sybase',  0 );

That Magic quotes that is added later on using wpdb is what is messing most people up, and it happens to be wp_magic_quotes(). Just commenting that out will prevent magic quotes from messing you up.

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Comment