StripSlashes

From GeeklogWiki
Revision as of 13:29, 12 August 2006 by THEMike (talk | contribs)


stripslashes is a common PHP function used to remove the backslash character from a string. Its companion is addslashes.

addslashes escapes a string by putting a backslash in front of each single quote, double quote, backslash and NUL byte. So for example if you have the string:

Geeklog's API functions are rich and varied.

After a call to addslashes you will have

Geeklog\'s API functions are rich and varied.

Slashes are also added automatically to the contents of every GET, POST and COOKIE value if the Magic Quotes GPC flag (magic_quotes_gpc) is enabled on your PHP instance. For example, if you submit a form containing the first string above, the field will already contain the second string when you examine it server side, even though your code never called addslashes. But only if Magic Quotes GPC is enabled on that server; with it disabled the field contains the first string unchanged.

Now, when saving text into the database we use SQL, and the ' character delimits a string literal in SQL, so a value must be escaped with addslashes (unless it has already been escaped) before it is placed inside a SQL string. The escaping is consumed by the SQL parser: the database stores the original text without the backslashes, so a value read back from the database does not need a stripslashes. The one exception is a PHP instance with magic_quotes_runtime enabled, which adds slashes to data as it is read from the database. Note also that addslashes is not aware of the connection's character set; for MySQL the driver's own escaping function or prepared statements are the safer choice.

Geeklog has a lot of code. It handles a lot of form posts and database save and load commands. The values fetched from the POST/GET/COOKIE arrays or from the database are passed in and out of numerous functions. Some of these expect non-escaped strings. Others expect escaped strings.

Needless calls to addslashes and stripslashes currently appear to be a common source of bugs: escaping an already escaped value stores a stray backslash in the database, and stripping a value that was never escaped silently destroys backslashes the user typed.

It's also important to note that Geeklog has a function COM_stripslashes that calls stripslashes on the supplied variable if and only if Magic Quotes GPC is enabled.
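The behaviour described above (magic quotes, escaping once for SQL, and the double-escaping and over-stripping bugs) as an added example; this is not Geeklog's code. normalize_gpc and sql_literal are names chosen for this example: the real COM_stripslashes consults the PHP configuration itself, whereas normalize_gpc takes the flag as a parameter so the script runs on any PHP version (magic quotes were removed in PHP 5.4). The form field contents are constructed.

```php
<?php
// Added example, not Geeklog code: one normalisation point for GPC input,
// one escaping point for SQL, and the bugs that come from doing either twice.

// Stand-in for COM_stripslashes. The real function reads the Magic Quotes GPC
// setting from PHP; this one takes it as a parameter (assumption for the example).
function normalize_gpc(string $value, bool $magicQuotesGpc): string
{
    return $magicQuotesGpc ? stripslashes($value) : $value;
}

// The single place a raw string is escaped for use as a SQL string literal.
// addslashes is used because that is what the page discusses; for MySQL a
// charset-aware escaper or prepared statements are preferable.
function sql_literal(string $raw): string
{
    return "'" . addslashes($raw) . "'";
}

function build_insert(string $title): string
{
    return "INSERT INTO stories (title) VALUES (" . sql_literal($title) . ")";
}

// Constructed input: what the same form field looks like server side
// with and without Magic Quotes GPC.
$typed    = "Geeklog's API functions are rich and varied.";
$asPosted = [
    'magic_on'  => addslashes($typed),   // Geeklog\'s API functions ...
    'magic_off' => $typed,               // Geeklog's API functions ...
];

foreach ($asPosted as $mode => $field) {
    $magic = ($mode === 'magic_on');
    // Correct: strip only the slashes PHP added, then work with the raw string.
    $raw = normalize_gpc($field, $magic);
    assert($raw === $typed);
    echo build_insert($raw), "\n";
    // INSERT INTO stories (title) VALUES ('Geeklog\'s API functions are rich and varied.')
}

// Bug 1: escaping a value that Magic Quotes GPC already escaped. The literal
// now carries a backslash the user never typed; the SQL parser turns \\ into \
// and \' into ', so the database stores "Geeklog\'s".
$doubled = build_insert($asPosted['magic_on']);   // forgot normalize_gpc
echo $doubled, "\n";
// INSERT INTO stories (title) VALUES ('Geeklog\\\'s API functions are rich and varied.')

// Bug 2: stripslashes on a value that was never escaped eats backslashes
// the user did type.
$path = 'C:\\temp\\file.txt';               // the user typed C:\temp\file.txt
assert(stripslashes($path) === 'C:tempfile.txt');
```

Run it with a PHP CLI: the two correct INSERT statements are identical regardless of the Magic Quotes setting, while the "doubled" statement shows the extra backslash that ends up stored.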

I suggest the following guidelines for using these functions:

    1. On loading from $_GET, $_POST or $_COOKIE call COM_stripslashes immediately. This will only do a stripslashes if the Magic Quotes GPC flag is set in the PHP instance. Do


work in progress, got called away, sorry