[SOLVED] strip slashes

[jaymc]

Ive just turned magic_quotes on via php.ini

 

as a result any time a " or ' is being inserted to the database its being parsed with a forwarding \

 

Perfect!

 

However, I have so many bits of information that does not have the stripslashes() function

 

Rather than add to every variable, is there anyway to make php remove the slashes after its been pulled from the database

 

Please advise

[Fadion]

Im explaining this with an example so u should have the idea:

 

$query = mysql_query("SELECT * FROM table");
$values = mysql_fetch_array($query);
$values = array_map('stripslashes', $values);

 

That should run stripslashes over all of the values of the array $values. Anyway the array $values may have a lot of data which will not even display, so it may slow a bit the proccess. Myself i use stripslashes for each variable i print.

 

Also about the magic_quotes_gpc, every php security article or book ive read tells that magic_quotes are evil lol. U could consider manually cleaning data, probably using the more secure mysql_real_escape_string then just staying relaxed and let the system make the hard work

[jaymc]

I guess I'll have to add it too each variable, optimization is the key !

 

Thanks though! Interesting workable approach

[rlindauer]

Why do you want magic_quotes on?

 

The slashes that php adds to your input is not suitable for inserting into MySQL. It is better to use a native solution, ie, mysql_real_escape_string. Even better, for portability, use a function to detect for magic_quotes and stripslashes accordingly.

 

<?php
function clean_string( $value, $DB )
{
if ( get_magic_quotes_gpc() )
{
	$value = stripslashes( $value );
}
// escape things properly
return mysql_real_escape_string( $value, $DB );
}
?>

 

According to php.net

http://us.php.net/manual/en/security.magicquotes.whynot.php it affects performance and portability.

 

PHP6 will also removing magic_quotes completely.