On Sun, Oct 24, 2010 at 6:29 PM, Gary <gpaul@xxxxxxxxxxxxxxxx> wrote:
> In my form processing scripts, I usually have the variable set as so:
>
> $email = stripslashes($_POST['email']);
>
> I have discovered that the program that I use has a pre-written function of
> this:
>
> // remove escape characters from POST array
> if (get_magic_quotes_gpc()) {
> function stripslashes_deep($value) {
> $value = is_array($value) ? array_map('stripslashes_deep', $value) :
> stripslashes($value);
> return $value;
> }
> $_POST = array_map('stripslashes_deep', $_POST);
> }
>
> I just put this in a script that I have been using, leaving the original
> stripslashes in the variable. The script still works, but is there a
> problem
> with redundancy, or does one cancel the other out?
>
> Also, which do you think is a better method to use?
>
> Thank you
>
> Gary
>
>
>
> __________ Information from ESET Smart Security, version of virus signature
> database 5560 (20101024) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
Hi Gary,
Calling stripslashes() more than once on the same string can cause issues.
That said, I'd point out that as of PHP 5.3, the use of magic_quotes_gpc()
has been deprecated:
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
<http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc>This
was after many criticisms were leveled against the use of magic quotes:
http://en.wikipedia.org/wiki/Magic_quotes
So, my inclination is to turn off magic quotes if they're on by using
php.ini -OR- htaccess (if at all possible) rather than checking if they are
on and strip them if needed.
Adam
--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
