On Wed, Dec 22, 2010 at 3:34 PM, Bob McConnell <rvm@xxxxxxxxx> wrote:

> From: Ravi Gehlot
>
> > What are these magic quotes anyways? What are they used for?
> > escaping?
>
> I wasn't there at the time, but I gather that the general idea was to
> automagically insert escape characters into data submitted from a form.
> However, they used a backslash as the escape character, which is not
> universally recognized across database engines. Even the SQL standard
> defines an escape as a single quote character.
>
> We used to have magic quotes enabled, and came up with the following
> code to clean up the mess it caused.
>
> // If magic quotes is on, we want to remove slashes
> if (get_magic_quotes_gpc()) {
>     // Magic quotes is on
>     $response = stripslashes($_POST[$key]);
> } else {
>     $response = $_POST[$key];
> }
>
> For future releases of PHP, this will also need a check to see if
> get_magic_quotes_gpc() exists first.
>
> Bob McConnell

Bob,

Thank you very much. This is good information. What I found out from http://us2.php.net/manual/en/function.stripslashes.php was the following:

"An example use of *stripslashes()* is when the PHP directive magic_quotes_gpc <http://us2.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc> is *on* (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form."

So that means that stripslashes() isn't intended for DB insertions but only straight output. So I will remove it from my code.

Thanks,
Ravi.
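
The clean-up discussed in this thread, combined with context-specific handling for the database and for HTML output, as an added example that is not code from either poster. The helper name raw_post(), the table "answers" and the sample value are hypothetical, and the script assumes the pdo_sqlite extension is available.

```php
<?php
// Added example. raw_post() and the "answers" table are hypothetical names.

// Return a POST field exactly as the user typed it. Slashes are stripped
// only when magic quotes can exist and are switched on.
function raw_post(array $post, $key)
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $value = $post[$key];
    // get_magic_quotes_gpc() was removed in PHP 8.0, so test for it first.
    // The @ hides the deprecation notice PHP 7.4 raises for the call.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Constructed sample standing in for $_POST.
$post = array('response' => "O'Reilly & <b>sons</b>");
$response = raw_post($post, 'response');

// Database context: bind the raw value as a parameter. The driver keeps it
// separate from the SQL text, so no backslash or quote escaping is applied
// by hand and the choice of database engine does not matter.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE answers (id INTEGER PRIMARY KEY, response TEXT)');

$stmt = $db->prepare('INSERT INTO answers (response) VALUES (:response)');
$stmt->execute(array(':response' => $response));

// HTML context: encode at output time, on the value read back unchanged.
$stored = $db->query('SELECT response FROM answers')->fetchColumn();
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

The stored value is the raw string in both cases; escaping or encoding happens once, at the point where the value enters SQL or HTML.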