[wp-hackers] Magic quotes "on" forever?

Olivier autremonde75 at gmail.com
Wed May 5 17:59:08 UTC 2010

I am having hard times to understand how magic quotes are handled
within WP...

Whatever I do with my server php.ini, I always get quotes (even if he
tells me magic quotes are "off" when I test with the

So I have been through the code and found the following from wp-
settings.php :
// If already slashed, strip.
  if ( get_magic_quotes_gpc() ) {
     $_GET    = stripslashes_deep($_GET   );
     $_POST   = stripslashes_deep($_POST  );
      $_COOKIE = stripslashes_deep($_COOKIE);

  // Escape with wpdb.
  $_GET    = add_magic_quotes($_GET   );
  $_POST   = add_magic_quotes($_POST  );
  $_COOKIE = add_magic_quotes($_COOKIE);
  $_SERVER = add_magic_quotes($_SERVER);

This piece of code makes me think if I understand it well that, in the
end, quotes are applied to all datas to make things consistant accross
hosts whatever the magic quotes setting is.

Can you please confirm that my understanding is right and so based on
that, I have to stripslashes_deep again all datas (without testing the
get_magic_quotes_gpc as quotes are always applied) before manipulation
(and then obviously use the prepare before DB insertion to escape
again the quotes)?

More information about the wp-hackers mailing list