$wpdb->update or $wpdb->insert results in slashes being added in front of quotes

This question has been posed a few times in various places, but I haven't found a definitive and clear answer. Most solutions involve people saying to disable Magic Quotes in the php.ini file (which I did) or modifying core WP files.

Anyways, the question is this: why is it that every time I use $wpdb->insert or $wpdb->update a slash gets added before any single quote? So for instance:

I've eaten strawberries becomes I\'ve eaten strawberries

Here's the sample code I used:

    // Values taken directly from the submitted form.
    $id      = $_POST['id'];
    $title   = $_POST['title'];
    $message = $_POST['message'];

    $wpdb->update('table_name', array('id'=>$id, 'title'=>$title, 'message'=>$message), array('id'=>$id));

The same problem was here: Wordpress Database Output - Remove SQL Injection Escapes, but it was never solved aside from "disable magic quotes".

J Lee asked Sep 08 '11 00:09


2 Answers

After spending the day on this, the answer is as follows:

WordPress escapes at the $_POST declaration, not at the actual insert, which is bizarre.

    // Added stripslashes_deep, which removes WP escaping.
    $id      = stripslashes_deep($_POST['id']);
    $title   = stripslashes_deep($_POST['title']);
    $message = stripslashes_deep($_POST['message']);

    $wpdb->update('table_name', array('id'=>$id, 'title'=>$title, 'message'=>$message), array('id'=>$id));

Doing this will mean that WP will not add slashes before any quotes.

J Lee answered Sep 20 '22 03:09


A little more info: WordPress decided to make people think they were going crazy by adding 'magic quotes' even if you've got it turned off, starting in version 3.0. Any access to $_REQUEST, $_GET, $_POST, $_COOKIE, or $_SERVER will be affected. See wp-includes/load.php.

    /* Add magic quotes to $_GET, $_POST, $_COOKIE, and $_SERVER.
     * @since 3.0.0
     */
    function wp_magic_quotes() {
        // If already slashed, strip.
        if ( get_magic_quotes_gpc() ) {
            $_GET    = stripslashes_deep( $_GET    );
            $_POST   = stripslashes_deep( $_POST   );
            $_COOKIE = stripslashes_deep( $_COOKIE );
        }

        // Escape with wpdb.
        $_GET    = add_magic_quotes( $_GET    );
        $_POST   = add_magic_quotes( $_POST   );
        $_COOKIE = add_magic_quotes( $_COOKIE );
        $_SERVER = add_magic_quotes( $_SERVER );

        // Force REQUEST to be GET + POST.
        $_REQUEST = array_merge( $_GET, $_POST );
    }
Ryan Horrisberger answered Sep 22 '22 03:09
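
The double handling both answers describe can be reproduced outside WordPress. This is an added example, not code from either answer or from WordPress: the `demo_*` functions and the `notes` table are hypothetical, and a PDO SQLite bound parameter is assumed as a stand-in for the escaping `$wpdb->insert`/`$wpdb->update` apply to raw values.

```php
<?php
// Added illustration; not WordPress code. Needs php-cli with pdo_sqlite.

// Hypothetical stand-in for the slashing WordPress applies to $_POST.
function demo_add_slashes(array $input): array {
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? demo_add_slashes($value)
            : addslashes((string) $value);
    }
    return $out;
}

// Hypothetical stand-in for stripslashes_deep(): undo the slashing.
function demo_strip_slashes($value) {
    return is_array($value)
        ? array_map('demo_strip_slashes', $value)
        : stripslashes((string) $value);
}

// Store one value through a bound parameter and return what the table holds.
// Assumption: the bound parameter plays the role of the escaping that
// $wpdb->insert()/$wpdb->update() apply to raw values themselves.
function demo_store_and_read(PDO $db, string $message): string {
    $db->exec('DELETE FROM notes');
    $stmt = $db->prepare('INSERT INTO notes (message) VALUES (:message)');
    $stmt->execute([':message' => $message]);
    return (string) $db->query('SELECT message FROM notes')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (message TEXT)');

// Constructed sample input: a quote and a literal backslash.
$raw  = ['message' => "I've eaten strawberries from C:\\farm"];
$post = demo_add_slashes($raw);   // what the script sees in $_POST

$slashed = demo_store_and_read($db, $post['message']);
$clean   = demo_store_and_read($db, demo_strip_slashes($post['message']));

echo "stored without unslashing: {$slashed}\n";
echo "stored after unslashing:   {$clean}\n";
echo 'round trip intact: ', var_export($clean === $raw['message'], true), "\n";
```

The unslashed value is stored safely because the statement handles the quote itself, so removing the slashes does not reopen SQL injection. In current WordPress, `wp_unslash()` is the core helper for the unslashing step.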