[wp-hackers] wordpress and addslashes

Haluk Karamete halukkaramete at gmail.com
Wed Aug 8 19:46:00 UTC 2012

I just noticed that in a standalone PHP page when I do

echo $_GET['x'];

I get "O'Reilly" when x is passed as "O'Reilly".

But when I load the wordpress code using define('WP_USE_THEMES', false),

I end up getting "O\'Reilly" for the same input. The ' is escaped by \'.

This tells me Wordpress does use "addslashes" automatically to all the
GET/POST/COOKIES super globals.

I'm just curious; Isn't the use of addslashes functionality being
discouraged by the more recent versions of PHP? Why does WP have it

And my second question is what should do plug in authors do? Apply
stripslashes? Are there any other undo's ( like addslashes to be
undone with stripslashes ) that I need to worry about when I read data
for my plug in code?

More information about the wp-hackers mailing list