no strings are escaped when magic_quotes_gpc is on
#1

Unknown
I don't know if this can be considered a bug, but if not, I think at least a note should be added to the documentation somewhere to warn that when magic_quotes_gpc is turned on, strings are always assumed to be escaped already by the escape_str() function. In my case I was inserting data (using active record insert) that I had gathered from another SQL query, so magic_quotes_gpc had no effect on that data, and escape_str() blindly assumed the strings were clean when they in fact were not, and so I was getting SQL errors.

I know magic_quotes_gpc should never be on but I didn't know they were and it took me a little while to figure it all out.
#2

champs
This is absolutely a bug. The point of the framework is to abstract that away. Not all of your input data is necessarily GPC, it's stupid to work on strings if they're mangled this way, and it's inadequate for escaping data when you store it. They should be clean when you work with them, then properly escaped when you write it.
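
The behaviour discussed in this thread, as an added example that is not part of either post and not CodeIgniter's own code: a helper that skips escaping whenever magic_quotes_gpc is on, next to one that cleans request input once and escapes every value at write time. The function names, the `authors` table and the sample values are constructed for illustration, the setting is simulated with a flag, and `addslashes()` stands in for the database driver's escaping routine.

```php
<?php
// Added illustration. Function names are hypothetical; addslashes() stands in
// for the database driver's real escaping routine.

// What magic_quotes_gpc did: add slashes to GET/POST/COOKIE values only.
function simulate_magic_quotes_gpc(array $request): array
{
    return array_map('addslashes', $request);
}

// Flawed pattern: the setting is on, so every string is assumed escaped.
function escape_trusting_setting(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? $value : addslashes($value);
}

// Corrected pattern, step 1: undo magic quotes once, at the input boundary.
function clean_request(array $request, bool $magicQuotesOn): array
{
    return $magicQuotesOn ? array_map('stripslashes', $request) : $request;
}

// Corrected pattern, step 2: escape every value at write time, whatever its source.
function escape_always(string $value): string
{
    return addslashes($value);
}

function insert_sql(string $escapedName): string
{
    return "INSERT INTO authors (name) VALUES ('" . $escapedName . "')";
}

$magicQuotesOn = true;                                   // constructed scenario
$request = simulate_magic_quotes_gpc(['name' => "O'Brien"]);
$fromDb  = "O'Reilly";   // constructed: value read back from an earlier query

// Flawed: request data happens to work, database-sourced data does not.
echo insert_sql(escape_trusting_setting($request['name'], $magicQuotesOn)), "\n";
echo insert_sql(escape_trusting_setting($fromDb, $magicQuotesOn)), "\n";

// Corrected: both sources produce a well-formed statement.
$clean = clean_request($request, $magicQuotesOn);
echo insert_sql(escape_always($clean['name'])), "\n";
echo insert_sql(escape_always($fromDb)), "\n";
```

Of the four statements printed, only the second contains an unescaped quote: the value that came from an earlier query rather than from GET, POST or COOKIE data.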



