ok, since upcoming PHP6 will be dropping support for magic_quotes, I am going to retool a textfield's $_POST handling...

but first, I should really get the understanding straight..
We should no longer support the function get_magic_quotes_gpc(), correct?

so if I have:

if(get_magic_quotes_gpc()){
   $_POST['textarea'] = stripslashes($_POST['textarea']);
}

Am I correct in assuming that since stripslashes() relies on the PHP directive magic_quotes_gpc being on, this means that this particular function will be null and void as well?

If so, I am confused... I was reading some of the responses posted in the PHP manual regarding the issue of get_magic_quotes_gpc:

One respondent wrote:
'Just for the record. this feature has been removed as of PHP6.
now PHP works always like if magic_quotes_gpc Off.

get_magic_quotes_gpc, get_magic_quotes_runtime are kept but always return false, set_magic_quotes_runtime raises an E_CORE_ERROR.'

But someone in that thread posted an apparent alternative. The link is:
http://talks.php.net/show/php-best-practices/26

The last code sample in that link (which is apparently a better way to go) is as follows:

if (get_magic_quotes_gpc()) {
    $in = array(&$_GET, &$_POST, &$_COOKIE);
    while (list($k, $v) = each($in)) {
        foreach ($v as $key => $val) {
            if (!is_array($val)) {
                $in[$k][$key] = stripslashes($val);
                continue;
            }
            $in[] =& $in[$k][$key];
        }
    }
    unset($in);
}

But if I am correct in understanding that stripslashes relies on get_magic_quotes_gpc, which is going to be kept but return false (according to the user I quoted above), then would this not render the above code's line:

 $in[$k][$key] = stripslashes($val);

obsolete?

I'm terribly confused 😕

Cheers,

NRG

    We should no longer support the function get_magic_quotes_gpc(), correct?

    It is reasonable to use get_magic_quotes_gpc(), either to fatally abort the script if it returns true (i.e., do not support magic_quotes_gpc), or to try and undo the work of magic_quotes_gpc with stripslashes() if it returns true (i.e., support magic_quotes_gpc for backward compatibility).

    Am I correct in assuming that since stripslashes() relies on the PHP directive magic_quotes_gpc being on, this means that this particular function will be null and void as well?

    No, stripslashes() works independently of the magic_quotes_gpc setting.

      laserlight;10879497 wrote:

      It is reasonable to use get_magic_quotes_gpc(), either to fatally abort the script if it returns true (i.e., do not support magic_quotes_gpc), or to try and undo the work of magic_quotes_gpc with stripslashes() if it returns true (i.e., support magic_quotes_gpc for backward compatibility).

      I am sorry.. but I'm not sure I quite follow. Are you saying that by PHP keeping get_magic_quotes_gpc but returning false, this in essence acts as an 'error catcher' of sorts to websites which still rely on this functionality? Could you explain more? Sorry.. I'm not sure I follow...

      laserlight;10879497 wrote:

      No, stripslashes() works independently of the magic_quotes_gpc setting.

      Ah ok.. this tidbit is good to know.. so I don't have to get rid of this function in my handling of my $_POST['textarea'] variable.

      Cheers,

      NRG

        Are you saying that by PHP keeping get_magic_quotes_gpc but returning false, this in essence acts as an 'error catcher' of sorts to websites which still rely on this functionality?

        It is a matter of backward compatibility. You can say: I am going to code as if magic_quotes_gpc does not exist. But to be on the safe side in distribution, you check with get_magic_quotes_gpc(). If the script is run under PHP5 with magic_quotes_gpc enabled, then you detect this and abort the script immediately. This is preferable to running silently with subtle data damaging errors.

          laserlight;10879503 wrote:

          It is a matter of backward compatibility. You can say: I am going to code as if magic_quotes_gpc does not exist. But to be on the safe side in distribution, you check with get_magic_quotes_gpc(). If the script is run under PHP5 with magic_quotes_gpc enabled, then you detect this and abort the script immediately. This is preferable to running silently with subtle data damaging errors.

          Ok.. this makes things clearer. So I could rewrite my handling from

          This:

          if (get_magic_quotes_gpc()) { 
             $_POST['textarea'] = stripslashes($_POST['textarea']);
          }
          

          To simply this?:

             $_POST['textarea'] = stripslashes($_POST['textarea']);
          

          Would that second option suffice? The stripslashes function, as you mention, is independent of get_magic_quotes_gpc(). When I tried this second option it still seems to work.

          Is this the correct path to take?

          Cheers,

          NRG

            No. If you are assuming that magic_quotes_gpc is not enabled, then why use stripslashes()?

              This is why I'm confused. since you quoted that stripslashes() works independently of the magic_quotes_gpc setting, I am conflicted with the manual when it states:

              "An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form."

              Such is the case in my text form.. it's not being stored in a database (just sent via email).

              Perhaps the simplest question to this thread is this..
              how do I rewrite the following $_POST handling code snippet to be 'PHP 5 & 6 bulletproof' ?

              if(get_magic_quotes_gpc()){
                 $_POST['textarea'] = stripslashes($_POST['textarea']);
              }
              

              While I also seek the simple answer, I am also trying to understand the 'under the hood mechanics of it all'.

              Cheers,

              NRG

                This is why I'm confused. since you quoted that stripslashes() works independently of the magic_quotes_gpc setting, I am conflicted with the manual when it states:

                "An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form."

                stripslashes() works independently of magic_quotes_gpc in the same way that you can use explode() whether or not the PDO extension is enabled, or echo whether or not your server administrator likes bats. They simply are not related, when it comes to being able to use the PHP functions (or in the case of echo, language construct).

                Now, to undo the effect of magic_quotes_gpc, you can use stripslashes(). Likewise, to simulate the effect of magic_quotes_gpc, you can use addslashes(). Get the reasoning behind this?

                Consequently, if you want to silently undo the effects of magic_quotes_gpc if it is enabled, you can use get_magic_quotes_gpc() to check if it is enabled, and if so, undo the effects by using stripslashes().

                But, if you do not want to silently undo the effects of magic_quotes_gpc even if it is enabled, then you code assuming that it is disabled. For safety reasons, however, you still check the result of get_magic_quotes_gpc(), but this time to abort the script if it returns true.

                how do I rewrite the following $_POST handling code snippet to be 'PHP 5 & 6 bulletproof' ?

                It is already PHP5 and PHP6 compatible.
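
The two approaches described in the reply above (abort when magic_quotes_gpc is on, or undo it with stripslashes()), as an added example that is not part of the original thread. All function names are hypothetical, the sample arrays are constructed, and the function_exists() guard is added so the check also runs where get_magic_quotes_gpc() is not available.

```php
<?php
// Added example, not code from the thread; all function names are hypothetical.

// True only when the runtime is really adding slashes to request data.
// function_exists() keeps the check safe where the function is not available.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Recursively remove slashes from a value or a nested array of values.
function strip_slashes_deep($value)
{
    return is_array($value)
        ? array_map('strip_slashes_deep', $value)
        : stripslashes($value);
}

// Strategy 1 (do not support magic_quotes_gpc): stop before any input is used.
function require_magic_quotes_off()
{
    if (magic_quotes_active()) {
        throw new RuntimeException('magic_quotes_gpc is enabled; turn it off in php.ini');
    }
}

// Strategy 2 (backward compatibility): undo the added slashes, only if they were added.
function undo_magic_quotes(array $input, $active)
{
    return $active ? strip_slashes_deep($input) : $input;
}

// Constructed sample: form data as it arrives with magic_quotes_gpc on.
$slashed = array(
    'textarea' => 'It\\\'s a \\"test\\"',
    'tags'     => array('O\\\'Reilly'),
);
var_dump(undo_magic_quotes($slashed, true));

// Constructed sample: the same field with the setting off, holding real backslashes.
$raw = array('textarea' => 'C:\\temp\\notes');
var_dump(undo_magic_quotes($raw, false) === $raw); // conditional version keeps the data
var_dump(stripslashes($raw['textarea']));          // unconditional call drops the backslashes

// In a real script: $_POST = undo_magic_quotes($_POST, magic_quotes_active());
```

The last two calls show why the stripslashes() call stays behind the check: applied to input that was never slashed, it removes backslashes the user actually typed.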

                  laserlight;10879513 wrote:

                  Now, to undo the effect of magic_quotes_gpc, you can use stripslashes(). Likewise, to simulate the effect of magic_quotes_gpc, you can use addslashes(). Get the reasoning behind this?

                  Ahhh now I understand.. here I was thinking that stripslashes() and magic_quotes_gpc were hand in hand in only the removal of slashes for quotes (as in, they both had to be used together to remove the slashes).. but now I do understand.. since magic_quotes_gpc is On (PHP 5) it automatically adds the slashes to quotes by default... (which is counter to what I was thinking).. so by checking if it is on (true), the stripslashes goes in and removes what the magic_quotes_gpc has put in the first place. Yes, I understand completely now..

                  laserlight;10879513 wrote:

                  Consequently, if you want to silently undo the effects of magic_quotes_gpc if it is enabled, you can use get_magic_quotes_gpc() to check if it is enabled, and if so, undo the effects by using stripslashes().

                  Which is in essence what I have done.

                  laserlight;10879513 wrote:

                  But, if you do not want to silently undo the effects of magic_quotes_gpc even if it is enabled, then you code assuming that it is disabled. For safety reasons, however, you still check the result of get_magic_quotes_gpc(), but this time to abort the script if it returns true.

                  Understood. Sorry bout all that.. it was my misunderstanding of magic_quotes_gpc in the first place which caused the root of all this.. My apologies.

                  Cheers,

                  NRG
