1 files changed, 16 insertions, 13 deletions

diff --git a/engine/lib/api.php b/engine/lib/api.php
index d6e4557cb..6aae62616 100644
--- a/engine/lib/api.php
+++ b/engine/lib/api.php
@@ -143,8 +143,9 @@ function authenticate_method($method) {
 		throw new APIException(sprintf(elgg_echo('APIException:MethodCallNotImplemented'), $method));
 	}
 
-	// make sure that POST variables are available if relevant
-	if (get_call_method() === 'POST') {
+	// make sure that POST variables are available if needed
+	// @todo this may not be needed anymore due to adding %{QUERY_STRING} in .htaccess in 1.7.2
+	if (get_call_method() === 'POST' && empty($_POST)) {
 		include_post_data();
 	}
 
@@ -269,19 +270,11 @@ function get_parameters_for_method($method) {
 /**
  * Get POST data
  * Since this is called through a handler, we need to manually get the post data
- * @return POST data from PHP
+ * @return POST data as string encoded as multipart/form-data
  */
 function get_post_data() {
-	global $GLOBALS;
 
-	$postdata = '';
-	if (isset($GLOBALS['HTTP_RAW_POST_DATA']))
-		$postdata = $GLOBALS['HTTP_RAW_POST_DATA'];
-
-	// Attempt another method to return post data (incase always_populate_raw_post_data is switched off)
-	if (!$postdata) {
-		$postdata = file_get_contents('php://input');
-	}
+	$postdata = file_get_contents('php://input');
 
 	return $postdata;
 }
@@ -296,11 +289,21 @@ function include_post_data() {
 
 	if (isset($postdata)) {
 		$query_arr = elgg_parse_str($postdata);
+
+		// grrrr... magic quotes is turned on so we need to strip slashes
+		if (ini_get_bool('magic_quotes_gpc')) {
+			if (function_exists('stripslashes_deep')) {
+				// defined in input.php to handle magic quotes
+				$query_arr = stripslashes_deep($query_arr);
+			}
+		}
+
 		if (is_array($query_arr)) {
-			foreach($query_arr as $name => $val) {
+			foreach ($query_arr as $name => $val) {
 				set_input($name, $val);
 			}
 		}
+
 	}
 }