Title: Why does WordPress slash $_POST data?
Last modified: July 7, 2021

---

# Why does WordPress slash $_POST data?

 *  [Maštarija](https://wordpress.org/support/users/mastarija/)
 * (@mastarija)
 * [4 years, 10 months ago](https://wordpress.org/support/topic/why-does-wordpress-slash-_post-data/)
 * Having these two files in the root WP directory, opening them and submitting 
   a form produces two different results, even though the second one is only including
   the WordPress.
 *     ```
       // post_test.php
       <?php $test = isset( $_POST[ 'test' ] ) ? $_POST[ 'test' ] : false; ?>
       <form method="POST">
         <textarea name="test"><?php echo $test ? $test : 'lol "test"'; ?></textarea>
         <input type="submit">
       </form>
       ```
   
 *     ```
       // post_test_wp.php
       <?php require_once 'wp-load.php'; ?>
       <?php require_once 'post_test.php'; ?>
       ```
   
 * Basically, when we submit the `post_test.php` form resulting text field will 
   contain the following text:
 * `lol "test";`
 * While `post_test_wp.php` will result in the following “slashed” values:
 * `lol \"test\";`
 * This will obviously break compatibility with 3rd party libraries that I maybe
   have to integrate with WordPress, and it’s just incredible that someone thought
   it’s a good idea to modify such an important global.
 * I know that ship to fix that has sailed, as there are many plugins and code that“
   depend” on this behaviour now, but I’m interested if any WordPress historian 
   maybe knows the reason why this was done in the first place, just as a piece 
   of trivia.
 * I’m assuming it was an attempt to “sanitize early” by some misguided soul, or
   to prevent SQL injections in some way.
 * How close are my guesses? 😀

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [catacaustic](https://wordpress.org/support/users/catacaustic/)
 * (@catacaustic)
 * [4 years, 10 months ago](https://wordpress.org/support/topic/why-does-wordpress-slash-_post-data/#post-14637380)
 * WordPress doesn’t do that. PHP does it, because characters like ” are used for
   string delimiters, so if they aren’t escaped they’ll register as the start/end
   of a string.
 * Any system that uses PHP will either expect this srot of escaping, or it will
   use something like stripslashes() before sending data to any “outside” systems.
 *  Thread Starter [Maštarija](https://wordpress.org/support/users/mastarija/)
 * (@mastarija)
 * [4 years, 10 months ago](https://wordpress.org/support/topic/why-does-wordpress-slash-_post-data/#post-14638072)
 * [@catacaustic](https://wordpress.org/support/users/catacaustic/) this is not 
   true as evidenced by my example.
 * EDIT:
 * I’ve found the reason. It’s done for backwards compatibility with magicquotes.
   Basically, instead of demanding all plugins update their code, they have decided
   to slash all the data.
 * A very regrettable decision.
 * [https://core.trac.wordpress.org/ticket/18322](https://core.trac.wordpress.org/ticket/18322)
    -  This reply was modified 4 years, 10 months ago by [Maštarija](https://wordpress.org/support/users/mastarija/).

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Why does WordPress slash $_POST data?’ is closed to new replies.

## Tags

 * [post](https://wordpress.org/support/topic-tag/post/)
 * [sanitize](https://wordpress.org/support/topic-tag/sanitize/)
 * [slash](https://wordpress.org/support/topic-tag/slash/)
 * [Why](https://wordpress.org/support/topic-tag/why/)

 * In: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
 * 2 replies
 * 2 participants
 * Last reply from: [Maštarija](https://wordpress.org/support/users/mastarija/)
 * Last activity: [4 years, 10 months ago](https://wordpress.org/support/topic/why-does-wordpress-slash-_post-data/#post-14638072)
 * Status: not a support question

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics