Sourcebench - the web developer’s workplace

Make your code portable - regardless of magic_quotes setting. Remove all nasty slashes on request. No recursion used. Called once on top of script. This snippet will make your life much more easier. You won't have to worry about extra slashes added magically to your data. You will not have to worry of your code working on localhost only to find out it goes crazy when deployed on live host. Code is not using recursion and is stripping all slashes added by magic_quotes setting - if setting is enabled of course. Initially this setting was placed in php to help new php developers prevent sql injections. But hay, we are pros here ;) magic_quotes has two major drawbacks: - modifies your data prior the request (before $_POST, $_GET is created)..and not when you actually you use it in database context. - it simply makes addslashes() and we all know this is not enought to prevent slq injection. The least to be..that it doesn't take into consideration database connection encoding. Once you use this you should take care of true sql injection prevention but thats whole new topic, so stay tuned devs :) (via )

if (get_magic_quotes_gpc()) {
 
    $in = array(&$_GET, &$_POST, &$_COOKIE);
 
    while (list($k,$v) = each($in)) {
 
        foreach ($v as $key => $val) {
 
            if (!is_array($val)) {
 
                $in[$k][$key] = stripslashes($val);
 
                continue;
 
            }
 
            $in[] =& $in[$k][$key];
 
        }
 
    }
 
    unset($in);
 
}

This entry was posted on Friday, October 12th, 2007 at 3:56 pm and is filed under php. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.