WordPress is still adding slashes to data sent per POST, so yes, in some cases you might have to remove the slashes. There are two options:
- Use
stripslashes_deep( $value ). This function accepts an array, an object or a string and removes the slashes. -
Get POST data per:
$data = file_get_contents( 'php://input' );This takes the data from the raw input stream, a resource that cannot be changed (read-only), so it is not changed by WordPress too. This doesn’t work when the form was sent with
enctype="multipart/form-data", eg. with file uploads.
Be aware stripslashes_deep() might ruin JSON encoded strings.
Magic quotes are not quotes, they are backslashes \. They work like addslashes() and are applied on several places to incoming data. Backslashes are set before ', ", \ and the character NULL.
In WordPress there is a function add_magic_quotes() (wp-includes/functions.php). It runs on $_GET, $_POST, $_COOKIE and $_SERVER in wp-includes/load.php in the function wp_magic_quotes(), and on user/post data pulled from the database.