Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

is using stripslashes() in wordpress unsafe?

Tags:

security

php

wordpress

when I create an input 

<input type="text" name="456" value="123">

and pass that data to another php site, Wordpress automatically adds backslashes like: 

\"my text\"

But I need the text in that following way: 

"my text".

And that is why I use the function before i further process the data:

stripslashes()

Is that an unsafe solution against hacking? It is crucial to know since I send passwords over an API.

like image 934
Ben Spi Avatar asked Mar 21 '26 07:03

Ben Spi

2 Answers

For future readers, the previous answers are straight-up wrong. As per Ian's comment, WordPress enforces the equivalent of magic quotes internally to ensure consistent input, backwards compatibility, and to protect newbies from compromising WP installs. It's a hangover from the bad old days™ when it was quite common for people to insert data directly into the database without any sanitising/validation, then write hacky workarounds only for the issues they witnessed rather than doing it properly.

It is safe to use stripslashes() and stripslashes_deep() on your data, as long as you're correctly passing any unescaped data through $wpdb->insert(), $wpdb->prepare(), etc. when saving it to the database. Never write unescaped data to the superglobals like $_POST which are expected to remain escaped, use a copy like $my_post = stripslashes_deep($_POST);. It is mostly expected that you will do unescaping yourself, which is why it used to be common to see a lot of backslashes littering WP content.

This is completely separate to escaping for html output which should always be done on untrusted user input.

like image 89
Walf Avatar answered Mar 22 '26 23:03

Walf

It should be safe.

According to http://fearlessflyer.com/getting-rid-of-unwanted-backslashes-in-wordpress-form-input/

According to PHP.net: Magic Quotes are deprecated as of version 5.3 and will not be part of future versions.

See: http://php.net/manual/en/security.magicquotes.disabling.php

Quick answer Add this to your PHP:

<?php 
if ( get_magic_quotes_gpc() ) {
    $_POST      = array_map( 'stripslashes_deep', $_POST );
    $_GET       = array_map( 'stripslashes_deep', $_GET );
    $_COOKIE    = array_map( 'stripslashes_deep', $_COOKIE );
    $_REQUEST   = array_map( 'stripslashes_deep', $_REQUEST );
}
?>
like image 38
ktzhang Avatar answered Mar 22 '26 23:03

ktzhang
Sign in to Comment

Related questions

How to fetch a Zend model using a field
Is it possible to (virtually) move a site from www.example.org/ to www.example.org/new/ with htaccess?
I am able to change the constant value using define method. How to overcome this issue...?
Front End Multiple File Upload WordPress
yii delete all query cache
HTML form POST method not working (despite URL params showing)
Creating SEF urls using .htaccess
Laravel database select dropdown with placeholder

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!