stripslashes

zzz

I had to enable magic_quotes and now i need to make sure that my content does not appear with slashes in fron of the quote marks. I put

stripslashes()

and over all it works fine, except where I had tripple slashes (I guess a member kept on editing a content and the server kept on adding slashes. How can i resolve this issue?

laserlight

Wait, why do you have to enable magic quotes?

geaser_geek

You need to create a function for this purpose. Here is an example:

function stripslashes2($string) {
$string = str_replace("\", "", $string);
return $string;
}

$str = "Where do all of these slashes \\\\\\ go?";

echo stripslashes2($str);

// php result
//Where do all of these slashes go?

I hope that helps.

zzz

I've installed Joomla on one of my sites and it recommended to have magic quotes on. Is it not a good idea? Why?

Thanks for the function.

MarkR

Magic quotes are a terrible idea. See my previous posts on them for why.

Magic quotes escape things at the wrong stage of processing, and usually incorrectly, as well. This is why they are worse than useless.

Mark

geaser_geek

I agree that magic quotes are not a good idea unless you are just starting out and might neglect to escape characters, such as a "\" yourself prior to entering information into a database. When magic quotes is turned on PHP does this for you automatically.

You can insert a piece of code to assess whether it is turned on or not, such as:

// clean all variables
/////////////////////////
// first, check for "magic_quotes_gpc" if it is on
if ( ini_get( 'magic_quotes_gpc' ) ) {
// strip the spaces, tags, and slashes if it is on
$variable name = trim( strip_tags( stripslashes( $POST['form input'] ) ) );
} else {
// no "magic_quotes_gpc"
// do not strip any slashes
$variable name = trim( strip_tags( $POST['form input'] ) );
}
/////////////////////////

There is a good reference about magic quotes here > http://us3.php.net/magic_quotes.

When it is turned on it does help promote bad programming, but I do not see any problem when you are just starting out and learning the code.

MarkR

[QUOTE=geaser_geek When magic quotes is turned on PHP does this for you automatically.
[/quote]

It's no good it doing stuff automatically if it doesn't get it right. And magic_quotes never gets it right.

Mark

geaser_geek

I understand that magic quotes are not great in PHP. One problem is that some servers using PHP have them turned on and you have no control over their server! Therefore, you just need to make do with a bad thing the best way possible.

The "theory" is that they do it automatically according to PHP sources, but it does not state anything about doing it correctly. If you can have them turned off on your site or server, please do.

Then you can escape out the characters the right way and have much more control over your coding and benefit by learning to code better and not depend upon something else to do it for you.

In other words, I agree with you MarkR.

bradgrafelman

geaser_geek wrote:
One problem is that some servers using PHP have them turned on and you have no control over their server!

Not true! Here's some options you have:

Try using a .htaccess in your website's root folder to turn off magic_quotes_gpc.
If you can't turn it off, can you use auto_prepend_file (set by .htaccess) that walks through the GPC arrays and runs stripslashes() on them?
Perhaps you might skip straight to this step: find a competent host. Honestly, if they're a) forcing a setting to be on that's deprecated by any respectable coder, b) hindering your productivity by said action, and c) unwilling to compromise to meet your needs, they are beyond incompetent - they're a hindrance, and you should ditch the host as fast as possible.

geaser_geek

I do like my web host for many other reasons and will see why they insist on maintaining magic quotes on their server. I do not believe in ditching them simply because of that problem even if they will not disable magic quotes. The .htaccess and auto_prepend_file work only with Apache servers from my understanding, which is not what is used by my web host.

I will continue to make due and probably change my web host at a later date if they continue to insist on turning on magic quotes.

Thanks for your suggestions.

zzz

OK, I can go ahead and turn off the magic_quotes but couple of questions first.

If I already put in some places stripslashes, do I need to go through my code and weed them out?
If I leave magic_quotes turned on, will in cause and real harm to my code? I put all my input code through a class that checks for malicious code anyway, so I'm not really concerned from that stand point.

geaser_geek

The major idea where I would use stripslashes is to clean up the input from a form prior to processing this input with your own code. This removes any possibility that a user entered any slashes by mistake into your form that would foul up the interpretor.

Your own code after cleaning by the stripslashes would require any slashes to escape any characters required, such as for quote characters or other HTML characters within your PHP code (/n for newline etc.). However, with magic quotes turned on these characters might not escape properly or PHP will attempt to place another slash mark before the character. That is the reason it is best to turn it off if you already have that capability. You cannot predict what might happen with magic quotes!

If you already have placed some stripslashes in your code to remove slashes you would need to make certain that the characters requiring the proper escape slashes are inserted after your stripslashes coding was implemented.

If you leave magic quotes turned on (which is not a good idea if you can turn it off) then you must use the stripslashes in your code to make certain that no extraneous slashes remain to confuse PHP in interpreting some of your HTML characters that might already be escaped. Magic Quotes is not reliable and can attempt to insert escape characters that are duplicates or in areas not valid in PHP.

My own code for using stripslashes is the following and it is placed at the very beginning of any input from any form data to my site:

// first, check for "magic_quotes_gpc" if it is on
if ( ini_get( 'magic_quotes_gpc' ) ) {
// strip the spaces, tags, and slashes if it is on
$variable_name1 = trim( strip_tags( stripslashes( $POST['variable_name1'] ) ) );
$variable_name2= trim( strip_tags( stripslashes( $POST['variable_name2'] ) ) );
} else {
// no "magic_quotes_gpc"
// do not strip any slashes
$variable_name1= trim( strip_tags( $POST['variable_name1'] ) );
$variable_name2= trim( strip_tags( $POST['variable_name2'] ) );
}

Hope this helps you out. Someone else might have some better responses to your questions.