Getting Rid of Unwanted Backslashes in WordPress Form Input

As I was following the tutorial on How To Create a Theme Options Page for Your WordPress Theme, from ForTheLose.org, I stumbled upon an irritating issue. I wanted to create an option where you can paste your Google Ad Sense code from the theme admin panel.

The problem is, as soon as I drop stuff like HTML code into the field, it automatically adds unwanted backslashes in front of double quotes. As I later figured out, this is actually a “feature” in PHP known as “Magic Quotes”.

What the heck are “Magic Quotes”

For those who know PHP, the language is designed to avoid conflicts in strings (mostly characters used in variables) through the use of escape sequences. Escape sequences are formed by providing a (“”) backslash in front of characters such as double quotes, to convert them into a literal string. The people who wrote PHP wanted this to be an automated process, so they decided that all text passed through online forms are automatically escaped with a backslash. This is known as Magic Quotes. Although their intentions were good, it has caused more problems than fixes. According to the PHP.net: Magic Quotes are deprecated as of version 5.3 and will not be part of future versions.

WordPress Fix

Although you can disable Magic Quotes in your server php.ini file, it won’t do me any good since I’m developing a theme to be released for public use. This means that users of my theme will have various server configurations and telling them to turn this feature off is simply not an option. Luckily, WordPress has adapted PHP.net’s function “stripslashes deep” – which disables Magic Quotes at runtime. All you need to do is paste the following code into your theme file and should take care of the issue:

The above code strips slashes when data arrives via $_POST, $_GET, $_COOKIE, and $_REQUEST methods. In my case, I’ve pasted this code inside my functions.php file which contain my theme options. This page alone will serve multiple textarea input fields which will allow special characters such as Google Analytics and AdSense code. Note that this can be used in any page with input fields such as a contact and RSVP forms.

22 Comments

  1. Where do I paste this in the functions file please? Pulling my hair out.
    I’ve tried it before the post method, at the end very of the document and at the start.
    Any advice much appreciated!
    Thanks

    Reply
  2. Hi there Micheal, I’m having the same internal server error as Tim… I guess your method is the best out there, but I’d love to get it working! Any idea about where’s exactly the best place to add your piece of code? Thanks in advance, take care.

    Reply
  3. Hi, I know this is an old post, but I’d just like to thank you for posting this up – I was pulling my hair out when this problem occured on my site (especially because magic quotes was off), but adding the above code solved the problem! Cheers!

    Reply
  4. Thank you so much for posting this!!
    For anyone that is having problems, it is probably because `if ( get_magic_quotes_gpc() )` is evaluating to FALSE for some reason on certain servers, even though WordPress is turning magic_quotes on. It may work for you if you just leave out the if statement. But if you do that (like I had to), you will need to remove that code when WordPress eventually get’s this right and reforms their use of magic_quotes, or it will strip out slashes that are supposed to be their, like in links, etc.
    Hope that helps somebody.

    Reply
  5. i ran this code to make it work
    if ( get_magic_quotes_gpc() ) {
    $_POST = array_map( ‘stripslashes_deep’, $_POST );
    $_GET = array_map( ‘stripslashes_deep’, $_GET );
    $_COOKIE = array_map( ‘stripslashes_deep’, $_COOKIE );
    $_REQUEST = array_map( ‘stripslashes_deep’, $_REQUEST );
    } else {
    $_POST = array_map( ‘stripslashes_deep’, $_POST );
    $_GET = array_map( ‘stripslashes_deep’, $_GET );
    $_COOKIE = array_map( ‘stripslashes_deep’, $_COOKIE );
    $_REQUEST = array_map( ‘stripslashes_deep’, $_REQUEST );
    }

    Reply
    • You might as well just do it without any conditional.
      $_POST = array_map( ‘stripslashes_deep’, $_POST );
      $_GET = array_map( ‘stripslashes_deep’, $_GET );
      $_COOKIE = array_map( ‘stripslashes_deep’, $_COOKIE );
      $_REQUEST = array_map( ‘stripslashes_deep’, $_REQUEST );

      Reply

Leave a Comment.