Title: Escaping Strings In WordPress
Last modified: August 18, 2016

---

# Escaping Strings In WordPress

 *  [ZephyrWest](https://wordpress.org/support/users/zephyrwest/)
 * (@zephyrwest)
 * [19 years, 9 months ago](https://wordpress.org/support/topic/escaping-strings-in-wordpress/)
 * I’ve been developing a WordPress plugin and something has been puzzling me… No
   matter what the magic_quotes_gpc directive is set to, strings still get escaped
   automatically. Here’s an example:
 * `<?php
    /* Plugin Name: Test Plugin URI: http://www.wordpress.org Description:
   Example plugin. Author: ZephyrWest Version: 0.1 Author URI: http://jlao.wordpress.
   com */
 * function asdf_add_menus() {
    add_management_page('asdf', 'asdf', 8, 'asdf', '
   asdf_add_menu'); }
 * add_action('admin_menu', 'asdf_add_menus');
 * function asdf_add_menu() {
    echo '<div class="wrap">';
 *  if( isset($_POST['submitme']) ) {
    echo $_POST['stuff']; }
 *  echo '
    <form method="post"> <input type="text" name="stuff" /> <span class="
   submit"><input type="submit" name="submitme" value="submit" /></span> </form>';
 * echo "magic_quotes_gpc: ";
    echo get_magic_quotes_gpc() ? 'TRUE' : 'FALSE';
 * echo '</div>';
    } ?>
 * I ran the plugin multiple times with magic_quotes_gpc set to “On” and “Off” and
   in both cases, the string entered was escaped! And yes, I did restart Apache 
   and PHP. To make sure, I wrote another script (non-Wordpress plugin) to test 
   it out:
 * `<html>
    <head> <title>Untitled Document</title> </head>
 * <body onLoad="getElementById(stuff).focus()">
    <?php if(isset($_POST['push_me'])){
   echo '<p>' . $_POST['stuff'] . '</p>'; } ?>
 * <form method="post">
    <input type="text" name="stuff" id="stuff" /> <input type
   ="submit" name="push_me" value="foobar" /> </form>
 * <?php
    echo "magic_quotes_gpc: "; echo get_magic_quotes_gpc() ? 'TRUE' : 'FALSE';?
   > </body> </html>
 * This worked correctly. Can anybody explain why strings still get escaped in WordPress
   even when magic_quotes_gpc is set to “Off”?

Viewing 1 replies (of 1 total)

 *  [Mark Jaquith](https://wordpress.org/support/users/markjaquith/)
 * (@markjaquith)
 * [19 years, 9 months ago](https://wordpress.org/support/topic/escaping-strings-in-wordpress/#post-438614)
 * WordPress has its own built-in method of ensuring that regardless of what you
   have `magic_quote_gpc` set to, GPC stuff gets escaped. This happens very early
   on in the WP loading process.
 * This is good because plugin authors don’t need to code for both situations… the
   data will **always** be escaped.

Viewing 1 replies (of 1 total)

The topic ‘Escaping Strings In WordPress’ is closed to new replies.

## Tags

 * [escaping](https://wordpress.org/support/topic-tag/escaping/)
 * [strings](https://wordpress.org/support/topic-tag/strings/)

 * 1 reply
 * 2 participants
 * Last reply from: [Mark Jaquith](https://wordpress.org/support/users/markjaquith/)
 * Last activity: [19 years, 9 months ago](https://wordpress.org/support/topic/escaping-strings-in-wordpress/#post-438614)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics