
Why is POST Data Auto-Escaping in PHP Even When Magic Quotes are Disabled?

Published on 2024-11-20

Unveiling the Mysterious Auto-Escaping Post Data in PHP with Disabled Magic Quotes

When working with POST data in PHP, particularly within a WordPress environment, values can arrive automatically escaped even though magic quotes are turned off (get_magic_quotes_gpc() returns 0).

WordPress's Influence

Looking closer, WordPress itself triggers this auto-escaping. Once WordPress is bootstrapped as part of your application's initialization, its own code escapes request data, independently of PHP's magic quotes setting.

WordPress includes functionality that intercepts request data, including POST data, and performs certain operations on it, one of which is escaping single quotes ('). This applies even when magic quotes are disabled in php.ini.

The Source of the Bug

A closer examination of the WordPress codebase reveals a bug reported under the WordPress Core Trac system (ticket 18322). This issue relates to the incorrect handling of request data, which triggers unwanted escaping.

The Solution

Fortunately, a solution is available to resolve this auto-escaping dilemma. The WordPress Codex recommends using the stripslashes_deep() function to "un-escape" POST data before performing any operations on it. By employing this function, you can effectively override WordPress's auto-escaping and retrieve the data in its original format.

To implement this solution, add the following code to your PHP script:

// stripslashes_deep() is defined by WordPress, so run this after WordPress
// has loaded, and run it only once per request.
$_GET       = array_map('stripslashes_deep', $_GET);
$_POST      = array_map('stripslashes_deep', $_POST);
$_COOKIE    = array_map('stripslashes_deep', $_COOKIE);
$_SERVER    = array_map('stripslashes_deep', $_SERVER);
$_REQUEST   = array_map('stripslashes_deep', $_REQUEST);

This code strips the slashes from the five superglobals listed, so request data, POST included, is read in its original, unescaped form.
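
An added example, not code from the original article or from WordPress: a stand-alone PHP script showing that unslashing once restores the submitted values, that a second pass destroys legitimate backslashes, and that the unslashed value should then be bound in a prepared statement. slash_deep(), unslash_deep(), the sample input and the authors table are constructed for illustration, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not WordPress code. slash_deep() is a hypothetical stand-in
// for the slashing applied to request data at bootstrap; unslash_deep()
// mirrors what stripslashes_deep() does. Assumes the pdo_sqlite extension.

function slash_deep($value) {
    if (is_array($value)) {
        return array_map('slash_deep', $value);
    }
    return is_string($value) ? addslashes($value) : $value;
}

function unslash_deep($value) {
    if (is_array($value)) {
        return array_map('unslash_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Constructed sample input: the values as the client sent them.
$sent = [
    'name' => "O'Reilly",
    'path' => 'C:\\temp\\new',
    'tags' => ["it's", 'say "hi"'],
];

$post  = slash_deep($sent);     // what the script reads after bootstrap
$clean = unslash_deep($post);   // unslashed exactly once
$twice = unslash_deep($clean);  // unslashed again by mistake

// One pass restores the original; a second pass eats real backslashes.
if ($clean !== $sent) { throw new RuntimeException('round trip failed'); }
if ($twice === $sent) { throw new RuntimeException('expected data loss'); }

// Once unslashed, quoting is the database layer's job: bind the value
// instead of concatenating it into the SQL string.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (name TEXT)');
$db->prepare('INSERT INTO authors (name) VALUES (?)')->execute([$clean['name']]);
$stored = $db->query('SELECT name FROM authors')->fetchColumn();

if ($stored !== $sent['name']) { throw new RuntimeException('stored value differs'); }

printf("slashed: %s\nclean:   %s\ntwice:   %s\nstored:  %s\n",
    $post['path'], $clean['path'], $twice['path'], $stored);
```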
