My PHP application uses stripslashes() to deal with magic_quotes but I only want it to remove slashes that magic_quotes is putting in, because the user is allowed to supply a \ with his input.
stripslashes does not indiscriminately remove slashes. If magic quotes is on, then it'll escape slashes, replacing '\' with '\\', and stripslashes should undo magic quotes' escaping correctly, replacing '\\' with '\' to get you back what the user entered.
I think you probably just want something like this:
    // Ripped from the PHP manual (http://us3.php.net/manual/en/function.get-magic-quotes-gpc.php)
    if (get_magic_quotes_gpc()) {
        $lastname = stripslashes($_POST['lastname']);
    }
    else {
        $lastname = $_POST['lastname'];
    }
At the end of that code $lastname should not have any slashes except those the user entered.
On another note, magic quotes are a security issue, and are deprecated in newer versions of PHP (see the docs).
Try rolling your own encoding/decoding functions, like so:
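    // Single-quoted literals: '\\' is one backslash, '\\\\' is two.
    function doEncode($string) {
        // Double each backslash, then let addslashes() escape quotes.
        return addslashes(str_replace('\\', '\\\\', $string));
    }
    function doDecode($string) {
        // Reverse order: strip the added slashes, then collapse doubled backslashes.
        return str_replace('\\\\', '\\', stripslashes($string));
    }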
Using magic_quotes_gpc is a bad idea anyway, it's officially deprecated as of 5.3 and gone as of PHP 6. More importantly (and immediately), it encourages weak security because it doesn't really do anything useful that couldn't be done by mysql_real_escape_string or prepared statements or stored procedures.
If you can get rid of it, please do...
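The prepared-statement route mentioned in the last answer, as an added example that is not code from any of the answers above: a value containing a quote and a backslash is stored and read back unchanged, with no slash handling at the SQL layer. The helper name raw_input_value, the people table and the sample surname are constructed for illustration, and the in-memory SQLite database assumes the pdo_sqlite extension is available.

```php
<?php
// Constructed input, assigned directly (so it has not passed through
// magic quotes). The user typed: O'Brien\Smith
$_POST['lastname'] = "O'Brien\\Smith";

// Hypothetical helper: undo magic quotes only if the runtime applied them.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the
// function_exists() guard; @ silences the PHP 7.4 deprecation notice.
function raw_input_value($value)
{
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    if (!$magic) {
        return $value;                       // nothing was added, strip nothing
    }
    return is_array($value)
        ? array_map('raw_input_value', $value)   // nested form fields
        : stripslashes($value);
}

$lastname = raw_input_value($_POST['lastname']);

// In-memory SQLite keeps the example self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, lastname TEXT)');

// The value is bound as data and never spliced into the SQL text, so no
// addslashes()/stripslashes() pass is needed on the way in or out.
$insert = $db->prepare('INSERT INTO people (lastname) VALUES (:lastname)');
$insert->execute(array(':lastname' => $lastname));

$select = $db->prepare('SELECT lastname FROM people WHERE lastname = :lastname');
$select->execute(array(':lastname' => $lastname));
$stored = $select->fetchColumn();

// Compare what came back from the database with what the user typed.
var_dump($stored === "O'Brien\\Smith");
```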