WordPress has the unfortunate legacy situation of having to force input variables to be “magic quoted”, something which has been deprecated in PHP for some time. So when you are working with data passed from the user, you have to strip the added slashes from those input variables first, which is really annoying. At least I’m annoyed by it.
However, I just made a discovery. As of 5.2, PHP comes with an extension for Data Filtering, including a filter_input() function for fetching input variables and passing them through validation, sanitization and other filters.
Well, it turns out that when you access input variables through filter_input(), it bypasses WordPress’s magic quoting entirely, and so you’ll get raw un-backslashed data back! So instead of accessing $_GET['x'], you call
filter_input( INPUT_GET, 'x' )
filter_input() has the added benefit of not having to add existence checks every time that you’re interacting with input variables, so as to avoid the plague of PHP notices about undefined array indexes. (Oh, hello most WordPress plugins in existence!)
And the icing on the cake for filter_input() is that you get validation and sanitization.
However, there’s one big caveat about all this. The WordPress API functions like update_post_meta() and friends actually expect the input to be magic-quoted. So if you do this:
update_post_meta( get_the_ID(), 'x', 'I love \o/ WordPress!' );
and then grab that postmeta back out:
$x = get_post_meta( get_the_ID(), 'x', true );
$x will end up being:
I love o/ WordPress!
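To make the caveat concrete, here is an added example that is not from the original post or from WordPress core: it models the two layers in plain PHP, with addslashes() standing in for WordPress’s magic quoting of $_GET and stripslashes() standing in for what update_post_meta() does to its input before storing it. Because filter_input() reads the real request and cannot be fed from a CLI script, the raw request value stands in for what filter_input( INPUT_GET, 'x' ) returns; the third path is one way to compensate (re-adding slashes before the call), which the post itself does not prescribe.

```php
<?php
// Added illustration, not code from the original post or from WordPress core.
// Models the slashing/unslashing layers the post describes so it runs from the CLI.

// Stand-in for the WordPress magic-quoting step applied to $_GET.
function model_wp_magic_quotes(array $raw)
{
    return array_map('addslashes', $raw);
}

// Stand-in for an API function such as update_post_meta(): it expects
// magic-quoted input and strips the slashes before storing the value.
function model_update_post_meta(array &$store, $key, $value)
{
    $store[$key] = stripslashes($value);
}

$raw_request = ['x' => 'I love \o/ WordPress!'];   // constructed: what the browser sent
$slashed_get = model_wp_magic_quotes($raw_request); // what $_GET looks like inside WordPress

$meta = [];

// Path 1: value read from the slashed $_GET, which is what the API expects.
model_update_post_meta($meta, 'from_get', $slashed_get['x']);

// Path 2: raw value, as filter_input( INPUT_GET, 'x' ) would return it.
// The API strips a slash that was never added, so the backslash is lost.
model_update_post_meta($meta, 'from_filter_input', $raw_request['x']);

// Path 3: raw value re-slashed before handing it to the API (assumed workaround).
model_update_post_meta($meta, 'from_filter_input_slashed', addslashes($raw_request['x']));

foreach ($meta as $key => $value) {
    printf("%-28s %s\n", $key . ':', $value);
}
```

Only the from_filter_input line comes out without the backslash; the other two store the string exactly as the user typed it.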
For more info, see #18322: The Road to Magic Quotes Sanity