2

Magento is escaping apostrophes when magic_quotes_gpc is set to off. When I set magic_quotes_gpc to on, Magento stops inserting slashes. It's completely backwards.

I can't have Magento escaping my apostrophes, but I also do not want to have magic_quotes_gpc set to on because I am concerned about the implications it might have on other parts of my site (vBulletin forum, Wordpress blog, etc.).

Just to note - Magento wasn't always behaving this way, it only started today.

EDIT: The behavior started after adding the following code to the Layout Update XML of one of my CMS pages:

```xml
<!--<reference name="content">
<block type="catalog/product_new" name="home.catalog.product.new" alias="product_new" template="catalog/product/new.phtml" after="cms_page"><action method="addPriceBlockType"><type>bundle</type><block>bundle/catalog_product_price</block><template>bundle/catalog/product/price.phtml</template></action></block>
<block type="reports/product_viewed" name="home.reports.product.viewed" alias="product_viewed" template="reports/home_product_viewed.phtml" after="product_new"><action method="addPriceBlockType"><type>bundle</type><block>bundle/catalog_product_price</block><template>bundle/catalog/product/price.phtml</template></action></block>
<block type="reports/product_compared" name="home.reports.product.compared" template="reports/home_product_compared.phtml" after="product_viewed"><action method="addPriceBlockType"><type>bundle</type><block>bundle/catalog_product_price</block><template>bundle/catalog/product/price.phtml</template></action></block>
</reference>
<reference name="right">
<action method="unsetChild"><alias>right.reports.product.viewed</alias></action>
<action method="unsetChild"><alias>right.reports.product.compared</alias></action>
</reference>-->
```

After the weird behavior started, I removed that code, but it did not fix the problem.

Nick
  • What have you changed on the server today? Things like this generally don't spontaneously happen. Also, how are you testing this? Example code that we can try to reproduce? – Nick Aug 09 '11 at 15:39
  • Nothing has been changed on the server. The only thing I did immediately prior to the change was to add some code to a CMS page's Layout Update XML. I've added the code above. Some time before that, I had made a minor change to `robots.txt` to prevent crawlers from reaching this CMS page. Everything continued to work fine after that change. – Nick Aug 09 '11 at 16:00

2 Answers

4

EDIT: I figured out the problem. It turns out that WordPress has its own function to add in slashes. As of WordPress version 3.2.1, you can find function `wp_magic_quotes()` around line 530 of `/wp-includes/load.php`.

To fix the issue, I commented out everything within the function (not the function itself, so as to prevent a call to an undefined function). It's removed the issue of escaped quotes. I haven't done extensive testing, but from what I understand, this may break older WordPress plug-ins, so be careful.

It will go from this:

```php
function wp_magic_quotes() {
    // If already slashed, strip.
    if ( get_magic_quotes_gpc() ) {
        $_GET    = stripslashes_deep( $_GET    );
        $_POST   = stripslashes_deep( $_POST   );
        $_COOKIE = stripslashes_deep( $_COOKIE );
    }

    // Escape with wpdb.
    $_GET    = add_magic_quotes( $_GET    );
    $_POST   = add_magic_quotes( $_POST   );
    $_COOKIE = add_magic_quotes( $_COOKIE );
    $_SERVER = add_magic_quotes( $_SERVER );

    // Force REQUEST to be GET + POST.
    $_REQUEST = array_merge( $_GET, $_POST );
}
```

to this:

```php
function wp_magic_quotes() {
    // If already slashed, strip.
    /*if ( get_magic_quotes_gpc() ) {
        $_GET    = stripslashes_deep( $_GET    );
        $_POST   = stripslashes_deep( $_POST   );
        $_COOKIE = stripslashes_deep( $_COOKIE );
    }

    // Escape with wpdb.
    $_GET    = add_magic_quotes( $_GET    );
    $_POST   = add_magic_quotes( $_POST   );
    $_COOKIE = add_magic_quotes( $_COOKIE );
    $_SERVER = add_magic_quotes( $_SERVER );

    // Force REQUEST to be GET + POST.
    $_REQUEST = array_merge( $_GET, $_POST );*/
}
```

Nick
  • This may work, but a) patching the WordPress core is never a good idea, and b) you are opening up a WordPress security vulnerability via the GET and POST HTTP parameters if you also intend on using WordPress independently from Magento. If you are including WordPress as part of Magento, you might want to set a flag and then conditional returns within the wp_magic_quotes function... This *might* be okay. – Willster Aug 29 '13 at 18:05
  • @Willster are you able to expand on this, as I use WordPress as part of Magento and I am experiencing the same issue as above. I would be very interested in learning how to set this up in a way that will prevent Magento from breaking. – Nick Apromollo Sep 09 '14 at 20:03
0

At the top of app/code/core/Mage/Core/functions.php there is this:

```php
if (get_magic_quotes_gpc()) {
    function mageUndoMagicQuotes($array, $topLevel=true) {
        $newArray = array();
        foreach($array as $key => $value) {
            if (!$topLevel) {
                $newKey = stripslashes($key);
                if ($newKey!==$key) {
                    unset($array[$key]);
                }
                $key = $newKey;
            }
            $newArray[$key] = is_array($value) ? mageUndoMagicQuotes($value, false) : stripslashes($value);
        }
        return $newArray;
    }
    $_GET = mageUndoMagicQuotes($_GET);
    $_POST = mageUndoMagicQuotes($_POST);
    $_COOKIE = mageUndoMagicQuotes($_COOKIE);
    $_REQUEST = mageUndoMagicQuotes($_REQUEST);
}
```

Just copy this file to local (app/code/local/Mage/Core/functions.php) and comment out the if statement so it will always run.

```php
// if (get_magic_quotes_gpc()) {
    function mageUndoMagicQuotes($array, $topLevel=true) {
        $newArray = array();
        foreach($array as $key => $value) {
            if (!$topLevel) {
                $newKey = stripslashes($key);
                if ($newKey!==$key) {
                    unset($array[$key]);
                }
                $key = $newKey;
            }
            $newArray[$key] = is_array($value) ? mageUndoMagicQuotes($value, false) : stripslashes($value);
        }
        return $newArray;
    }
    $_GET = mageUndoMagicQuotes($_GET);
    $_POST = mageUndoMagicQuotes($_POST);
    $_COOKIE = mageUndoMagicQuotes($_COOKIE);
    $_REQUEST = mageUndoMagicQuotes($_REQUEST);
// }
```

This is required because WordPress checks if magic quotes is disabled, and if it is, it runs magic quotes anyway. There are lengthy discussions on whether or not this should happen, but the consensus is that removing that functionality could open security holes in older plugins or themes that do not work around it, so don't expect WordPress to remove that functionality any time soon.

mage_dev
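Added example (not part of either answer, and not WordPress or Magento code): a stand-alone PHP script showing why an unconditional unslash, as in the second answer, is only safe when the request really was slashed, and how the flag idea from the comment above avoids damaging unslashed input. `simulateWpSlashing()`, `unslashDeep()`, `undoIfSlashed()` and the sample values are hypothetical names and constructed data; `addslashes()` is used as a simplified stand-in for WordPress's `add_magic_quotes()`, and how the flag gets set is left to the integration.

```php
<?php
// Stand-in for WordPress's add_magic_quotes(): slash every value recursively.
function simulateWpSlashing(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? simulateWpSlashing($value) : addslashes($value);
    }
    return $data;
}

// Recursive unslash; has the same effect on values as mageUndoMagicQuotes().
function unslashDeep(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? unslashDeep($value) : stripslashes($value);
    }
    return $data;
}

// Hypothetical guard: undo slashes only when the caller knows they were added,
// e.g. because this request went through the script that includes WordPress.
function undoIfSlashed(array $data, bool $wasSlashed): array
{
    return $wasSlashed ? unslashDeep($data) : $data;
}

// Constructed request data: an apostrophe, a literal backslash, a nested array.
$raw = [
    'name' => "O'Brien",
    'path' => 'C:\\temp\\new',
    'tags' => ["it's"],
];

// Case 1: WordPress was loaded and slashed the input; undoing restores it.
$slashed = simulateWpSlashing($raw);
echo "slashed name:            ", $slashed['name'], PHP_EOL;
echo "restored equals raw:     ", var_export(undoIfSlashed($slashed, true) === $raw, true), PHP_EOL;

// Case 2: WordPress was not loaded; an unconditional strip eats real backslashes.
echo "unconditional strip:     ", unslashDeep($raw)['path'], PHP_EOL;

// Case 2 with the guard: unslashed input passes through unchanged.
echo "guarded equals raw:      ", var_export(undoIfSlashed($raw, false) === $raw, true), PHP_EOL;
```

`stripslashes()` is lossy on input that was never slashed, so the unconditional version in the second answer assumes WordPress has slashed the superglobals on every request that reaches Magento.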