arianhojat
Posted March 8, 2007

I was wondering how you should get rid of/keep slashes when you get/post information.

Like to me the only reason to check all your POST/GET vars every time at the beginning of your PHP page is to stripslashes() if get_magic_quotes_gpc is on, and add slashes back in your Insert/Select queries and leave them be when outputting to HTML.

    $textDesc = (get_magic_quotes_gpc()) ? stripslashes($_GET['textDesc']) : $_GET['textDesc'];
    $Query = "SELECT * FROM table WHERE description LIKE '%". addslashes($textDesc)."%'";
    echo htmlspecialchars($textDesc);

Or do you add slashes from the start, like so...

    $textDesc = (get_magic_quotes_gpc()) ? $_GET['textDesc'] : addslashes($_GET['textDesc']);
    $Query = "SELECT * FROM table WHERE description LIKE '%". $textDesc."%'";
    echo htmlspecialchars( stripslashes($textDesc) );

Or it doesn't make a difference?

Thanks in advance!
Ari

    //then run a SELECT query maybe here, like ...
    "SELECT * FROM table WHERE description LIKE '%$textDesc%'";
    //then if inserting into database use addslashes() back on the variable
    $textDesc = (get_magic_quotes_gpc()) ? $_GET['textDesc'] : addslashes($_GET['textDesc']);

But pretend on the previous page, there is a textbox and the user enters: John's car

Since there is a single quote in that text, then it would add a slash to it and the Search would look like '%\'%'

    "SELECT ... LIKE '%John's car%' ";

But if the user entered both single and double: "John's Car"

    "SELECT ... LIKE '%\"John\'s Car\"%' ";

But I see on a few pages, even Dreamweaver 8 automatically adds this code to top of page

    $textDesc = (get_magic_quotes_gpc()) ? $_GET['textDesc'] : addslashes($_GET['textDesc']);
    //then run a SELECT query in Dreamweaver, like ...
    "SELECT * FROM table WHERE description LIKE '%$textDesc%'";
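
An added example, not part of the original post: one way to handle the search described above is to keep a single unescaped copy of the input, pass it to the database as a bound parameter, and HTML-encode only at output. It goes slightly beyond the question by also escaping LIKE wildcards. It assumes PHP 7+ with PDO and the SQLite driver; the `items` table, the sample rows and the helper names are constructed for illustration.

```php
<?php
// Added example: keep the raw value, bind it for SQL, encode it for HTML.
// Table name, sample rows and helper names are hypothetical.

function raw_input_value(array $source, string $key): string
{
    $value = (isset($source[$key]) && is_string($source[$key])) ? $source[$key] : '';
    // get_magic_quotes_gpc() was removed in PHP 8; only undo the escaping
    // on old runtimes where the function exists and reports it as on.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

function like_pattern(string $term): string
{
    // Escape LIKE wildcards so the input matches literally; '!' is the ESCAPE character.
    return '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
}

function search_descriptions(PDO $db, string $term): array
{
    // The value travels as a bound parameter, so no addslashes() is involved.
    $stmt = $db->prepare("SELECT description FROM items WHERE description LIKE :pat ESCAPE '!'");
    $stmt->execute([':pat' => like_pattern($term)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (description TEXT)');
$insert = $db->prepare('INSERT INTO items (description) VALUES (?)');
foreach (['"John\'s Car" for sale', 'Johns car', '100% cotton'] as $row) {
    $insert->execute([$row]);
}

$_GET['textDesc'] = "John's car"; // constructed request value
$textDesc = raw_input_value($_GET, 'textDesc');

// Encode for HTML only at the point of output.
foreach (search_descriptions($db, $textDesc) as $hit) {
    echo htmlspecialchars($hit, ENT_QUOTES, 'UTF-8'), "\n";
}
```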
Archived
This topic is now archived and is closed to further replies.