From: Adam Richardson
> On Sun, Oct 24, 2010 at 6:29 PM, Gary <gpaul@xxxxxxxxxxxxxxxx> wrote:
>> In my form processing scripts, I usually have the variable set as so:
>>
>> $email = stripslashes($_POST['email']);
>>
>> I have discovered that the program that I use has a pre-written function of
>> this:
>>
>> // remove escape characters from POST array
>> if (get_magic_quotes_gpc()) {
>>     function stripslashes_deep($value) {
>>         $value = is_array($value) ? array_map('stripslashes_deep', $value) :
>>             stripslashes($value);
>>         return $value;
>>     }
>>     $_POST = array_map('stripslashes_deep', $_POST);
>> }
>>
>> I just put this in a script that I have been using, leaving the original
>> stripslashes in the variable. The script still works, but is there a problem
>> with redundancy, or does one cancel the other out?
>>
>> Also, which do you think is a better method to use?
>>
>
> Calling stripslashes() more than once on the same string can cause issues.
> That said, I'd point out that as of PHP 5.3, the use of magic_quotes_gpc()
> has been deprecated:
> http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
>
> This was after many criticisms were leveled against the use of magic quotes:
> http://en.wikipedia.org/wiki/Magic_quotes
>
> So, my inclination is to turn off magic quotes if they're on by using
> php.ini -OR- htaccess (if at all possible) rather than checking if they are
> on and strip them if needed.

You can only call stripslashes once, and only if magic quotes is enabled. Even if you can turn it off on your server, if there is any chance your code will be used on other servers where it might not be turned off, you need to wrap it with the test for magic quotes to make it safe. We always used the version wrapped in the magic quotes check. That way we don't care how the server is configured.

A Google search on the two function names will retrieve many valid arguments for this course of action.

Bob McConnell

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
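
The double-stripping problem discussed in this thread, shown as an added example that is not part of any poster's message. Magic quotes is simulated with addslashes() so the script runs on current PHP; the sample form values and the helper names magic_quotes_active() and normalize_input() are constructed for illustration.

```php
<?php
// Recursive helper from the quoted message, defined unconditionally here.
function stripslashes_deep($value) {
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

// Magic quotes only exists before PHP 5.4; the version test short-circuits,
// so get_magic_quotes_gpc() is never called on builds that no longer have it.
function magic_quotes_active() {
    return PHP_VERSION_ID < 50400 && get_magic_quotes_gpc();
}

// Hypothetical wrapper: strip exactly once, and only when quoting was applied.
function normalize_input(array $input, $quotesOn) {
    return $quotesOn ? stripslashes_deep($input) : $input;
}

// Constructed sample: what the user typed into the form.
$typed = [
    'email' => 'gary@example.com',
    'note'  => "O'Reilly said C:\\temp\\new",
];

// What a server with magic quotes on would hand the script (simulated).
$received = array_map('addslashes', $typed);

$once      = normalize_input($received, true); // guarded, stripped one time
$twice     = stripslashes_deep($once);         // leftover stripslashes() call
$unguarded = stripslashes_deep($typed);        // quotes off, stripped anyway

$cases = ['once' => $once, 'twice' => $twice, 'unguarded' => $unguarded];
foreach ($cases as $label => $data) {
    foreach ($data as $field => $value) {
        $state = ($value === $typed[$field]) ? 'intact' : 'CORRUPTED';
        printf("%-9s %-5s %-9s %s\n", $label, $field, $state, $value);
    }
}

// In a real script the single call at the top of the request would be:
// $_POST = normalize_input($_POST, magic_quotes_active());
```

A value with no backslashes, such as the email address, survives every path, so a redundant stripslashes() goes unnoticed until the input contains a backslash.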