Preventing bugs in PHP : stripslashes

To prevent code injection, most PHP code has magic_quotes_gpc = On. For more than one reason this is bad, and it introduces a lot of (difficult to debug) problems in large code bases. So it is better to switch it off from the get-go.

If you do not have permission to switch that off (like on a lot of free hosting services), you can call the following code before doing anything else.


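// Undo the escaping added by magic_quotes_gpc. Request values can be
// arrays (e.g. name[]=x), so recurse instead of calling stripslashes() directly.
function strip_magic_slashes($value) {
    return is_array($value) ? array_map('strip_magic_slashes', $value) : stripslashes($value);
}

// get_magic_quotes_gpc() was removed in PHP 8, so check that it exists first.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_REQUEST = strip_magic_slashes($_REQUEST);
    $_POST    = strip_magic_slashes($_POST);
    $_GET     = strip_magic_slashes($_GET);
    // The "c" in gpc: cookies are escaped as well.
    $_COOKIE  = strip_magic_slashes($_COOKIE);
}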

Of course, do not forget to escape stuff that goes into your database!
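
The following is an added example, not code from the original post. It shows one of the hard-to-debug problems: magic-quoted input combined with correct database escaping stores a stray backslash, while stripping first stores the value as typed. It assumes the pdo_sqlite extension, simulates magic_quotes_gpc with addslashes(), and uses a made-up table and sample value.

```php
<?php
// Added example. magic_quotes_gpc ran addslashes() on GET/POST/COOKIE data;
// addslashes() is called by hand here to simulate the setting.

// Store a value through a prepared statement (the database layer does the
// escaping) and read back exactly what ended up in the table.
function store_and_read(PDO $db, $name) {
    $db->exec('DELETE FROM authors');
    $stmt = $db->prepare('INSERT INTO authors (name) VALUES (:name)');
    $stmt->execute(array(':name' => $name));
    return $db->query('SELECT name FROM authors')->fetchColumn();
}

// Hypothetical schema, in-memory so nothing is written to disk.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (name TEXT)');

$typed  = "Tim O'Reilly";       // constructed sample: what the user typed
$quoted = addslashes($typed);   // what $_POST would hold with magic quotes on

// Case 1: magic-quoted input goes straight into a correctly escaped query.
// The backslash is now part of the data and is stored with it.
$stored_quoted = store_and_read($db, $quoted);

// Case 2: the magic quotes are stripped first, then the database layer
// escapes the value on its own.
$stored_stripped = store_and_read($db, stripslashes($quoted));

echo "typed:             ", $typed, "\n";
echo "stored (quoted):   ", $stored_quoted, "\n";
echo "stored (stripped): ", $stored_stripped, "\n";

// Compare what came back from the database with what the user typed.
var_dump($stored_quoted === $typed);
var_dump($stored_stripped === $typed);
```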
