Ok,
I'm programming on a server where magic_quotes_gpc is on and there is nothing I can do about that.
I've got pages add_news.php4, preview_news.php4 and news_to_db.php4. I know I could do it with fewer than three files, but that's the way I like it.
add_news.php <----> preview_news.php ----> news_to_db.php
The user can enter their news on add_news.php4 and it gets sent through the form to preview_news.php; from there they can choose to go back to add_news.php4 to edit further (the data gets transferred back through the HIDDEN form type, so it's there in the form in add_news.php4). So they can go back and forth there as many times as they like, then eventually on preview_news.php4 they hit submit to send it to the db; again the data gets passed by HIDDEN form elements to news_to_db.php4.
Now, with magic_quotes_gpc on, there are escape characters being added to every string every time a form gets submitted, which could be numerous times in the above setup, but will always be at least twice.
Instead of using stripslashes before putting it in the db to get rid of excess slashes, I'm putting code in every script to strip the slashes from each variable as they were put in by magic_quotes_gpc automatically.
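<?php
// Only undo the escaping if magic_quotes_gpc actually applied it.
if (get_magic_quotes_gpc() == 1) {
    switch ($REQUEST_METHOD)
    {
        case "POST":
            // Walk every submitted POST field.
            while (list ($key, $val) = each ($HTTP_POST_VARS)) {
                // Variable variable: a field named "title" sets $title.
                $$key = stripslashes($val);
            }
            break;
        case "GET":
            // Same treatment for query-string parameters.
            while (list ($key, $val) = each ($HTTP_GET_VARS)) {
                $$key = stripslashes($val);
            }
            break;
    }
}
?>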
Then I am proposing to do an addslashes() one single time before inputting stuff into the database.
Is this a good way to approach things here?
Also, as a side note, I've found out that I need to use htmlspecialchars() on every variable I put inside the VALUE attribute of HIDDEN form elements so that a possible double quote in the string represented by the variable doesn't mess up the INPUT tag.
Advice would be appreciated on the magic_quotes_gpc/addslashes issue - thank you in advance.
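
The round trip described in this post, as an added example that is not part of the original post: it compares slash build-up across three preview/edit trips with and without stripping once on input. magic_quotes_gpc no longer exists in current PHP, so simulate_gpc(), clean_input(), hidden_field() and browser_submit() are hypothetical helpers, and the sample string is constructed.

```php
<?php
// Assumption: magic_quotes_gpc behaved like addslashes() on each incoming value.
function simulate_gpc(array $post): array {
    return array_map('addslashes', $post);
}

// Undo the automatic escaping once, into an array rather than into globals.
function clean_input(array $gpc): array {
    $out = [];
    foreach ($gpc as $key => $val) {
        // Fields named like "tags[]" arrive as arrays, so recurse.
        $out[$key] = is_array($val) ? clean_input($val) : stripslashes($val);
    }
    return $out;
}

// Encode for the HTML attribute context so quotes cannot close VALUE="...".
function hidden_field(string $name, string $value): string {
    return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES)
         . '" value="' . htmlspecialchars($value, ENT_QUOTES) . '">';
}

// What a browser would post back: the decoded attribute value.
function browser_submit(string $html): string {
    preg_match('/value="([^"]*)"/', $html, $m);
    return htmlspecialchars_decode($m[1], ENT_QUOTES);
}

$typed = 'He said "it\'s in C:\\news"';   // constructed sample input
$unstripped = $stripped = $typed;

for ($trip = 1; $trip <= 3; $trip++) {
    // No stripping: each submit adds another layer of backslashes.
    $in = simulate_gpc(['body' => browser_submit(hidden_field('body', $unstripped))]);
    $unstripped = $in['body'];

    // Strip once at the top of every script: the value stays as typed.
    $in = clean_input(simulate_gpc(['body' => browser_submit(hidden_field('body', $stripped))]));
    $stripped = $in['body'];

    echo "trip $trip\n  unstripped: $unstripped\n  stripped:   $stripped\n";
}

echo $stripped === $typed ? "round trip preserved the text\n" : "text was altered\n";

// Escape exactly once, at the database boundary. addslashes() is what the post
// proposes; the driver's own escaping function or a bound parameter is the
// charset-aware choice.
echo "escaped for the query: " . addslashes($stripped) . "\n";
```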