views:

107

answers:

4

Which one is better to use: the default magic quotes, or user-defined addslashes/stripslashes handling in PHP? I want to use the best one. Please help me.

+5  A: 

Do it manually! Magic quotes are deprecated in PHP 5, and they are being completely removed in PHP 6. Not only that, but they are pure evil! They will cause errors in places you can't even imagine. Explicit is always better than implicit (as Python would say).

ryeguy
+1  A: 

Neither.

Magic quotes are the root of all evil! (In my eyes even worse than premature optimization xD)

And why do you want to create a user-defined (add|strip)slashes function, when there are native PHP ones?

If you want to escape your data for a database, use the database-specific functions (e.g. mysqli_real_escape_string).

EDIT. To complete my answer (after debating with sadi in the comments):

  • if you want to display/output some input, use htmlspecialchars

  • if you're going to use your input in a URL, use urlencode

So, there is no best or correct single way to encode your data. You have to use the right functions in the right place at the right time. Each has its own purpose (see here: http://xkcd.com/163/)

knittl
+1  A: 

It's best not to use Magic Quotes at all. If you turn them off at the beginning of your script with:

set_magic_quotes_runtime(0);

you can make your application backward compatible with earlier versions of PHP, while coding for the current version of PHP, where they are deprecated, and future versions, where they are completely removed.

Removing quotes from strings yourself is good practice, and when something goes wrong you know it's in your own code, rather than a PHP setting or an incompatibility with the PHP version you are currently using.

Hope that helps.

mynameiszanders
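As an added example (editor's code, not part of the answer above): the idiom commonly used to undo magic quotes on request input once, at the top of the front controller. One caveat worth knowing: set_magic_quotes_runtime() controls only magic_quotes_runtime (data read from files, databases and similar sources); the slashes that end up in $_GET/$_POST/$_COOKIE come from magic_quotes_gpc, which cannot be switched off at runtime and has to be reversed with stripslashes(). The sample "magic-quoted" array at the bottom is constructed to show the transformation; get_magic_quotes_gpc() no longer exists on PHP 8, hence the function_exists() guard.

```php
<?php
// Added example: reverse magic_quotes_gpc on all request input in one place,
// so the rest of the application works with raw data and escapes it
// per-destination at the point of use (HTML, SQL, URL, ...).

// Recursively stripslashes() every string in a (possibly nested) input array.
function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// True only on PHP versions where magic_quotes_gpc both exists and is enabled.
// get_magic_quotes_gpc() always returns false from PHP 5.4 and was removed in 8.0.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Run exactly once, before any code reads the superglobals; doing it twice
// would strip legitimate backslashes the user actually typed.
if (magic_quotes_active()) {
    $_GET     = strip_magic_quotes_deep($_GET);
    $_POST    = strip_magic_quotes_deep($_POST);
    $_COOKIE  = strip_magic_quotes_deep($_COOKIE);
    $_REQUEST = strip_magic_quotes_deep($_REQUEST);
}

// Constructed demo input: what a POST body looks like after magic_quotes_gpc
// has mangled it (backslash before every ' and "), and what the application
// should be working with instead.
$magicQuotedPost = array(
    'name' => "O\\'Brien",
    'tags' => array("say \\\"hi\\\"", 'plain'),
);
var_dump(strip_magic_quotes_deep($magicQuotedPost));
```

The guard matters for code that must run on several PHP versions: on an old interpreter with magic_quotes_gpc=On the stripping happens, on anything newer the input is already raw and is left untouched, and neither path double-strips.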
+2  A: 

If you're going to turn off magic quotes, don't just replace it with your own system of automatically escaping quotes in all inputs. The point is: automatically escaping everything is a bad idea. You should only escape something before passing it to another system or layer of your application. Each system has different requirements for escaping.

For example, if you're outputting HTML, use htmlspecialchars() before you output a string variable. If you're sending SQL to a database, use one of the escaping functions designed for that database, like mysql_real_escape_string(). If you're creating an XML document, use one of PHP's XML libraries; these will do the escaping for you.

There's no one-size-fits-all escaping solution. That's why magic quotes are bad.

JW
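The per-destination escaping that knittl and JW both describe, as an added example (editor's code, not taken from any of the answers): the same raw input is escaped differently for HTML, a URL, SQL and XML, each at the boundary where it leaves the application, and never on the way in. The sample input, the `users` table and the database connection are constructed placeholders. It also shows why addslashes() is the wrong tool for every one of these destinations.

```php
<?php
// Added example: context-specific output encoding of one raw input value.
// The raw value is stored and passed around unescaped; each destination
// gets exactly the encoding it needs, applied once, immediately before use.

// Constructed sample input, exactly as the user typed it (no magic quotes).
$raw = "O'Brien <b>&</b> \"co\" ?x=1";

// addslashes() makes the string safe for NONE of the destinations below:
// the HTML tags are still live, the & is still an entity start, and for SQL
// the escaping rules depend on the connection charset, which addslashes ignores.
$wrong = addslashes($raw);   // O\'Brien <b>&</b> \"co\" ?x=1

// 1. HTML body or attribute. ENT_QUOTES encodes ' as well as ", which the
//    pre-8.1 default flags do not; that matters inside single-quoted attributes.
function for_html($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 2. URL query component. rawurlencode() gives RFC 3986 percent-encoding
//    (urlencode() differs only in emitting '+' for spaces).
function for_url_query($key, $s)
{
    return rawurlencode($key) . '=' . rawurlencode($s);
}

// 3. SQL. Prefer a prepared statement: the value is sent as a bound parameter
//    and never becomes part of the SQL text, so no escaping function is needed.
//    mysqli_real_escape_string() would also be correct here, but only against
//    a live connection, because it is charset-aware; addslashes() is not.
function find_user(mysqli $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 4. XML. Let the DOM library escape: a text node turns <, > and & into
//    entities itself, so there is nothing to hand-escape.
function for_xml($s)
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $node = $doc->createElement('user');
    $node->appendChild($doc->createTextNode($s));
    $doc->appendChild($node);
    return $doc->saveXML($node);
}

echo for_html($raw), "\n";              // O&#039;Brien &lt;b&gt;&amp;&lt;/b&gt; &quot;co&quot; ?x=1
echo 'search.php?' . for_url_query('q', $raw), "\n";
echo for_xml($raw), "\n";               // <user>O'Brien &lt;b&gt;&amp;&lt;/b&gt; "co" ?x=1</user>

// Placeholder connection values; replace with real ones to run find_user().
// $db = new mysqli('localhost', 'app', 'secret', 'appdb');
// $db->set_charset('utf8mb4');
// var_dump(find_user($db, $raw));
```

Note that the HTML and XML results differ: XML text nodes do not need quotes escaped, while HTML attributes do. That difference is the whole argument against a single global escaping step such as magic quotes; it would have to pick one set of rules and would be wrong for every other destination.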