from wp-settings.php (2.3.1)
if this is here, should $wpdb->Escape() be defanged? or do we just not need to do it on $_GET/$_POST
i didn’t like magic_quotes_gpc when it was invented, and i’m surprised to find a similar approach here 🙂
// If already slashed, strip.
if ( get_magic_quotes_gpc() ) {
$_GET = stripslashes_deep($_GET );
$_POST = stripslashes_deep($_POST );
$_COOKIE = stripslashes_deep($_COOKIE);
}
// Escape with wpdb.
$_GET = add_magic_quotes($_GET );
$_POST = add_magic_quotes($_POST );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);
Same here, I keep getting escape slashes in my posts. Does this have something to do with the character set of the database or is it a function of how wordpress is writing the post to wp_posts? Any help much appreatiated.
WordPress Devs should learn from their mistake and remove those lines:
// Escape with wpdb.
$_GET = add_magic_quotes($_GET );
$_POST = add_magic_quotes($_POST );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);
older plugins need to update then and check against wordpress version wether they should add slashes on their own (if needed) or not. wpdb has a prepare already, this escape madness must end.
For a more serious discussion and some practicable suggestions I opened a ticket:
End the Escape Madness in wp-settings.php
http://trac.wordpress.org/ticket/5791
