I’ve been developing a Wordpress plugin and something has been puzzling me… No matter what the magic_quotes_gpc directive is set to, strings still get escaped automatically. Here’s an example:
<?php
/*
Plugin Name: Test
Plugin URI: http://www.kirupa.com
Description: Example plugin.
Author: ZephyrWest
Version: 0.1
Author URI: http://jlao.wordpress.com
*/
function asdf_add_menus() {
add_management_page('asdf', 'asdf', 8, 'asdf', 'asdf_add_menu');
}
add_action('admin_menu', 'asdf_add_menus');
function asdf_add_menu() {
echo '<div class="wrap">';
if( isset($_POST['submitme']) ) {
echo $_POST['stuff'];
}
echo '
<form method="post">
<input type="text" name="stuff" />
<span class="submit"><input type="submit" name="submitme" value="submit" /></span>
</form>';
echo "magic_quotes_gpc: ";
echo get_magic_quotes_gpc() ? 'TRUE' : 'FALSE';
echo '</div>';
}
?>
I ran the plugin multiple times with magic_quotes_gpc set to “On” and “Off” and in both cases, the string entered was escaped! And yes, I did restart Apache and PHP. To make sure, I wrote another script (non-Wordpress plugin) to test it out:
<html>
<head>
<title>Untitled Document</title>
</head>
<body onload="getElementById(stuff).focus()">
<?php
if(isset($_POST['push_me'])) {
echo '<p>' . $_POST['stuff'] . '</p>';
}
?>
<form method="post">
<input type="text" name="stuff" id="stuff" />
<input type="submit" name="push_me" value="foobar" />
</form>
<?php
echo "magic_quotes_gpc: ";
echo get_magic_quotes_gpc() ? 'TRUE' : 'FALSE';
?>
</body>
</html>
This worked correctly. Can anybody explain why strings still get escaped in Wordpress even when magic_quotes_gpc is set to “Off”?
