Why does WordPress slash $_POST data?

  • Having these two files in the root WP directory, opening them and submitting a form produces two different results, even though the second one only includes WordPress.

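    // post_test.php
    <?php $test = isset( $_POST[ 'test' ] ) ? $_POST[ 'test' ] : false; ?>
    <form method="POST">
      <?php // htmlspecialchars() keeps submitted markup from closing the textarea; backslashes pass through unchanged ?>
      <textarea name="test"><?php echo htmlspecialchars( $test ? $test : 'lol "test"', ENT_QUOTES, 'UTF-8' ); ?></textarea>
      <input type="submit">
    </form>

    // post_test_wp.php
    <?php require_once 'wp-load.php'; ?>
    <?php require_once 'post_test.php'; ?>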

    Basically, when we submit the post_test.php form, the resulting text field will contain the following text:

    lol "test";

    While post_test_wp.php will result in the following “slashed” values:

    lol \"test\";

    This will obviously break compatibility with 3rd party libraries that I may have to integrate with WordPress, and it’s just incredible that someone thought it’s a good idea to modify such an important global.

    I know that ship to fix that has sailed, as there are many plugins and code that “depend” on this behaviour now, but I’m interested if any WordPress historian maybe knows the reason why this was done in the first place, just as a piece of trivia.

    I’m assuming it was an attempt to “sanitize early” by some misguided soul, or to prevent SQL injections in some way.

    How close are my guesses? 😀

Viewing 2 replies - 1 through 2 (of 2 total)
  • WordPress doesn’t do that. PHP does it, because characters like " are used for string delimiters, so if they aren’t escaped they’ll register as the start/end of a string.

    Any system that uses PHP will either expect this sort of escaping, or it will use something like stripslashes() before sending data to any “outside” systems.

    Thread Starter Maštarija

    (@mastarija)

    @catacaustic this is not true as evidenced by my example.

    EDIT:

    I’ve found the reason. It’s done for backwards compatibility with magic quotes. Basically, instead of demanding all plugins update their code, they have decided to slash all the data.

    A very regrettable decision.

    https://core.trac.ww.wp.xz.cn/ticket/18322

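As an added example (not code from the thread or from WordPress core): a stand-alone PHP script that mimics the slashing described above and shows why a value has to be unslashed exactly once before it goes to a third-party library, and escaped separately on output. `demo_slash()` and `demo_unslash()` are hypothetical stand-ins for what WordPress does at load time and for `wp_unslash()`; the sample input is constructed.

```php
<?php
// Added example. demo_slash()/demo_unslash() are local stand-ins (assumptions)
// for the slashing WordPress applies at load time and for wp_unslash().

function demo_slash($value) {
    if (is_array($value)) {
        return array_map('demo_slash', $value);   // recurse into nested fields
    }
    return is_string($value) ? addslashes($value) : $value;
}

function demo_unslash($value) {
    if (is_array($value)) {
        return array_map('demo_unslash', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Constructed sample input: what the browser actually sent.
$sent = [
    'test' => 'lol "test"',
    'path' => 'C:\\temp\\new',        // literal backslashes typed by the user
    'tags' => ['a"b', "O'Reilly"],    // nested values are slashed as well
];

$seen = demo_slash($sent);     // what code reads from $_POST once WordPress is loaded
$raw  = demo_unslash($seen);   // unslash once, at the boundary to other code

echo 'seen: ', $seen['test'], PHP_EOL;
echo 'raw:  ', $raw['test'], PHP_EOL;
var_dump($raw === $sent);      // the round trip restores the submitted data

// Unslashing a second time removes backslashes the user really typed,
// so track which values are still slashed instead of stripping "to be safe".
echo 'double unslash: ', demo_unslash($raw['path']), PHP_EOL;

// Slashing is not output escaping: this constructed value contains no quotes
// or backslashes, so it passes through demo_slash() untouched and would close
// the textarea if echoed as-is. Escape for the HTML context when printing.
$markup = demo_slash('</textarea><b>x</b>');
echo '<textarea>',
     htmlspecialchars(demo_unslash($markup), ENT_QUOTES, 'UTF-8'),
     '</textarea>', PHP_EOL;
```

Inside WordPress itself the equivalent steps are `wp_unslash()` on the request value and an escaping function such as `esc_textarea()` at output time.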