I know and understand what magic quotes does, but have never written any of my scripts to check whether magic quotes is on or not; and if on stripslashes() .

I thought it was time that i do this check incase any of the scripts i create are used on a server that has magic quotes on. i sanitize user input myself and i find if magic quotes is on it's just problematic.

Problem i have is the understanding of checking if magic quotes is on and if so stripslashes().

I placed the below code above a script that contains a form that displays it on a webpage and also inserts it into a database.

if($_SERVER['REQUEST_METHOD'] == $_POST && ini_get('magic_quotes_gpc')) {

My form uses the $_POST method so i thought by adding this to the top of my script that all data sent by the post method will have slashes stripped if magic quotes is on. I delibrately turned magic quotes on, on my local machine but yet data is still being escaped by magic quotes.

Obviously my $_POST data is stored in variables with different variable names so i don't want to check each variable individually as this means altering all my code and having bloated code that is not needed.

Can someone please tell me what i need to be doing exactly to make all data that is sent by the $_POST method and have magic quotes on to strip slashes without having to alter all my code in my scripts. I see so many examples on the php.net website but can't seem to figure out why i can't get it to work with my own scripts.

So what i want to say to php is:

if magic quotes is on stripslashes from all $_POST data and $_GET data


...stripslashes($_POST); did you even bother to read the manual?
a. stripslashes expects a string NOT an array. $_POST is an array
b. it does NOT expect a reference. In other words, I had the following string in a variable $name="O\'malley"; then simply calling stripslashes($name); would not change the value of $name. You have to "receive" the value returned by stripslashes() and reassign it to $name: $name=stripslashes($name); On another note, what you are trying to do is already given at:


Thanks for replying.

I did read the manual and could not find what you have said above, but thanks anyway as i have used what the code that from the link you gave and it works great :)


I did read the manual and could not find what you have said above

Well, it's not stated in "plain english" as I stated above, but if you know how to read/interpret what's on the manual then you would make sense of it.

If you go to http://us3.php.net/manual/en/function.stripslashes.php you will see that the description is: string stripslashes ( string $str ) The left-most "string" indicates that the function returns a string value
The "string" within the parentheses states that what you pass to it should be a string

By contrast if you read he manual for implode (http://us3.php.net/manual/en/function.implode.php)

then you can see that it returns a string and the arguments can be either:
a string AND an array
just a an array