> You can only call stripslashes once, and only if magic quotes is
> enabled. Even if you can turn it off on your server, if there is any
> chance your code will be used on other servers where it might not be
> turned off, you need to wrap it with the test for magic quotes to make
> it safe. We always used the version wrapped in the magic quotes check.
> That way we don't care how the server is configured.
> A Google search on the two function names will retrieve many valid
> arguments for this course of action.
> Bob McConnell

Hi Bob,

You're absolutely right, you can find examples like your suggesting.
However, this can lead to issues.

For instance, some frameworks and scripts take the opportunity to
strip slashes from all GPC data at once, such as the code below:

if (get_magic_quotes_gpc()){
 $_GET = array_map('stripslashes', $_GET);
 $_POST = array_map('stripslashes', $_POST);
 $_COOKIE = array_map('stripslashes', $_COOKIE);

Now, if your library is running a magic quote check and strip, but
another library is running this type of strip before yours, a
legitimate string can be mangled:

$test = 'CD "C:\Program Files\Internet Explorer\"';
$slashed_version = addslashes($test);
// the other library
$deslashed1 = stripslashes($slashed_version);
// your library
$deslashed2 = stripslashes($deslashed1);
echo $deslashed2;

This outputs:
CD "C:Program FilesInternet Explorer"

Granted, this isn't likely a frequent issue, as the type of strings
that cause this issue are used infrequently.  However, given the above
potential issue,  the lack of benefits in terms of preventing SQL
injection, and the increased overhead, I prefer to make sure they're
turned off (even most shared hosts allow you to turn off magic quotes
if they aren't already turned off.)

That said, I understand your approach.  I just wanted to make sure I
spoke more clearly to the issues I had magic quotes.


Nephtali:  PHP web framework that functions beautifully

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to