Should I always use stripslashes for _POST _GET and _COOKIE variables

Question

I'm really confused when I read about the function get_magic_quotes_gpc() in PHP.

Everywhere it's said that the function is deprecated (example).

But what is the default behaviour in PHP 5.3? I used to check, if magic_quotes_gpc in on and stripped all slashes if that was the case, right at the beginning of my script for all POST, GET and COOKIE variables, so that I don't get confused.

But if I shouldn't check for added slashes using get_magic_quotes_gpc(), always removing slashes would result in wrong data, if no slashes are added by PHP 5.3.

I have the same confusion with this

At the moment magic_quotes_gpc is on on my server (PHP 5.2.17), so I need to remove the slashes. But how should I handle this to be prepared for future PHP versions?

Can I somehow set the default values in future during the runtime at the beginning of my script? But what are the default values?

Answer 1

The get_magic_quotes_gpc function isn't deprecated, it's the magic_quotes_gpc config setting that's deprecated.

The solution is to not use the magic_quotes_gpc config setting on your own server, but also use get_magic_quotes_gpc if you want to write robust code that will run on servers that do have the deprecated magic_quotes_gpc setting turned on.

In other words:

• Turn off magic_quotes_gpc in your config.
• Wherever you currently use stripslashes, change it to only call stripslashes if get_magic_quotes_gpc() == 1.