gpc_magic_quotes
Back in around 2001 or so I learned to disable gpc_magic_quotes because it was the wrong solution to the problem.
It does not fix the problem of SQL injection, and it causes other problems.
While doing my WordPress coding, sending a JSON-encoded string via POST wasn’t working. When I looked at why, what was being sent had escapes added to it. It wasn’t an actual JSON string; it had been broken.
Thinking that maybe Fedora made a bonehead move and re-enabled gpc_magic_quotes by default in the Fedora 20 build of PHP, I looked at my php.ini file – no mention of it.
So then I thought maybe jQuery was doing it with its $.ajax handling.
Nope.
Finally I tracked it down. WordPress itself.
WordPress itself implements gpc_magic_quotes whether we want it or not, even though it is known to be a very bad practice. It doesn’t really protect against SQL injection, and it causes problems – like using the json_decode() function in PHP amongst other things.
For the love of all things sane, please stop doing that. You should not mangle the $_POST data that is sent to WordPress.
It is fundamentally wrong.
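The behaviour described in the post above, as an added example that is not part of the original post and is not WordPress code: it emulates the slashing with PHP's addslashes(), shows json_decode() failing on the slashed string and succeeding after unslashing, and shows that slashing leaves an unquoted SQL value untouched. The function names, the field name `payload`, the table name and the sample values are assumptions made for illustration.

```php
<?php
// Added example: emulates the slashing described in the post; not WordPress code.

// Hypothetical helper: recursively slash every string, the way magic quotes
// treated request data.
function emulate_magic_quotes(array $data): array {
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? emulate_magic_quotes($value)
            : addslashes((string) $value);
    }
    return $data;
}

// Hypothetical helper: decode a JSON field from slashed request data by
// unslashing first. Inside WordPress, wp_unslash() is the function to call
// instead of stripslashes().
function read_json_field(array $post, string $field): ?array {
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    $decoded = json_decode(stripslashes($post[$field]), true);
    return is_array($decoded) ? $decoded : null;
}

// Constructed sample input: what the browser actually sent.
$sent = ['payload' => json_encode(['title' => "O'Brien", 'tags' => ['a', 'b']])];
$seen = emulate_magic_quotes($sent); // what the request handler receives

echo "sent:     {$sent['payload']}\n";
echo "received: {$seen['payload']}\n";

// Decoding the slashed string directly fails, because a backslash before a
// structural quote is not valid JSON.
var_dump(json_decode($seen['payload'], true));
echo json_last_error_msg(), "\n";

// Unslashing restores the document that was sent.
var_dump(read_json_field($seen, 'payload') === json_decode($sent['payload'], true));

// Slashing only touches quotes, backslashes and NUL bytes, so a value placed
// in an unquoted (numeric) SQL context comes through unchanged.
$id = '0 OR 1=1'; // constructed sample value
var_dump(addslashes($id) === $id);
// The fix is a typed, bound parameter rather than escaping, e.g. in WordPress:
//   $wpdb->prepare('SELECT * FROM example_table WHERE id = %d', $id)
```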