Should I use magic_quotes_gpc OR add/strip slashes?

szym9341

I have a CMS that passes a bunch of strings. Now that I have the first "draft" done, I entered some real information with quotes and, duh, the insert doesn't work properly.

Should I enable magic_quotes_gpc or should I add the addslashes and stripslashes to every string variable? Any light on this issue will be greatly appreciated.

csn

I say don't use magic_quotes_gpc. You need to check your input data anyways - it's just an additional step. But you should always check for magic_quotes_gpc.

if (!get_magic_quotes_gpc()) {
  $name = pg_escape_string($name);
  $title = pg_escape_string($title);
}

$id = (int)$_GET['id'];
...

Or you could just turn magic_quotes_gpc off in php.ini, or use php_admin_flag in httpd.conf on a per site basis.

csn

Also, if you do have magic_quotes_gpc on, I find it's more work stripping slashes from values that aren't headed for the database (like for display on web pages).