Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#40716 new defect (bug)

WordPress's magic quotes emulation doesn't slash keys like PHP's built-in magic quotes

Reported by: jdgrimes Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 0.71
Component: General Keywords:
Focuses: Cc:
PR Number:


PHP's built-in magic quotes feature not only slashed values, but also keys. However, although WordPress emulates the magic quotes feature even when it is disabled/unavailable, it has apparently never slashed keys of the GPC arrays, only the values.

As a consequence of this, I was just dealing with a bug in a plugin that a user was experiencing on PHP 5.2, but I had never witnessed on newer versions of PHP (5.6, 7.0), which did not have magic quotes enabled.

The plugin POSTs data via Ajax that includes both keys and values containing backslashes. This data will be double-slashed by the magic quotes feature. So in the Ajax handler, this data is passed through wp_unslash(), and so the original, single-slashed values can then be utilized. However, wp_unslash() does not unslash the keys. When PHP's magic quotes are disabled, this is not a problem, because WordPress's magic quotes do not slash keys. But on older versions of PHP where magic quotes are enabled by default, PHP will slash both the keys and values, and wp_unslash() will not unslash the keys.

Data flow:

# WordPress's magic quotes emulation:

POST               => Data containing slashes in keys and values posted.
add_magic_quotes() => Slashes in values are escaped.
wp_unslash()       => Escaping slashes in values removed.

result: data is unchanged.


# PHP's magic quotes:

POST             => Data containing slashes in keys and values posted.
magic_quotes_gpc => Slashes in values *and keys* escaped.
wp_unslash()     => Escaping slashes in values removed.

result: values unchanged, keys still double-slashed.

In other words, there is an inconsistency in how data is slashes on different PHP configurations, despite WordPress's efforts to standardize it. The values are consistent in the way that they are slashed, but keys are not.

Change History (1)

#1 @dd32
2 years ago

Given how long this has gone unnoticed, and how few people are running PHP with magic_quotes turned on these days, I'd probably err on the side of not touching anything here.

PHP 5.2/5.3 will eventually be removed from support, eventually, and when that happens it'll be standardised on non-slashed keys, and slashed values.

Note: See TracTickets for help on using tickets.