From: Adam Richardson

> On Sun, Oct 24, 2010 at 6:29 PM, Gary <> wrote:
>> In my form processing scripts, I usually have the variable set as so:
>> $email = stripslashes($_POST['email']);
>> I have discovered that the program that I use has a pre-written
function of
>> this:
>> // remove escape characters from POST array
>> if (get_magic_quotes_gpc()) {
>>  function stripslashes_deep($value) {
>>    $value = is_array($value) ? array_map('stripslashes_deep', $value)
>> stripslashes($value);
>>    return $value;
>>    }
>>  $_POST = array_map('stripslashes_deep', $_POST);
>>  }
>> I just put this in a script that I have been using, leaving the
>> stripslashes in the variable. The script still works, but is there a
>> problem
>> with redundancy, or does one cancel the other out?
>> Also, which do you think is a better method to use?
> Calling stripslashes() more than once on the same string can cause
>  That said, I'd point out that as of PHP 5.3, the use of
> has been deprecated:
> was after many criticisms were leveled against the use of magic
> So, my inclination is to turn off magic quotes if they're on by using
> php.ini -OR- htaccess  (if at all possible) rather than checking if
they are
> on and strip them if needed.

You can only call stripslashes once, and only if magic quotes is
enabled. Even if you can turn it off on your server, if there is any
chance your code will be used on other servers where it might not be
turned off, you need to wrap it with the test for magic quotes to make
it safe. We always used the version wrapped in the magic quotes check.
That way we don't care how the server is configured.

A Google search on the two function names will retrieve many valid
arguments for this course of action.

Bob McConnell

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to