1
tank1955
Text sanitizing question
  • 2008/11/19 0:55
  • Module Developer
  • Posts: 276
  • Since: 2007/9/7

ShoutBox user reported a problem with slashes appearing in their posted messages. The user claims if they change my sanitizing line from $myts->addSlashes($field) to $myts->stripSlashesGPC($field) then everything works as it should.

It appears to me that $myts->displayTarea must not remove slashes that were added by magic_quotes_gpc. Correct me if I'm wrong.

My question is: to cover both states of magic_quotes_gpc, would the proper sanitizing line be

$form_field = $myts->addSlashes($myts->stripSlashesGPC($field));

before storing $form_field in the database table?

Thanks in advance.

2
ghia
Re: Text sanitizing question
  • 2008/11/19 2:25
  • Community Support Member
  • Posts: 4953
  • Since: 2008/7/3

These are the two functions from myts:

function addSlashes($text)
{
    // Only escape when PHP has not already done it via magic_quotes_gpc.
    if (!get_magic_quotes_gpc()) {
        $text = addslashes($text);
    }
    return $text;
}

function stripSlashesGPC($text)
{
    // Only strip when PHP added the slashes via magic_quotes_gpc.
    if (get_magic_quotes_gpc()) {
        $text = stripslashes($text);
    }
    return $text;
}

So, they both already take the magic quotes into account.
AFAIK, it is sufficient to use only the $myts->addSlashes function before storing a form value to the database.
For displaying it depends on the origin of the data: from the database it can be displayed as it is. If it is from the form (GPC) then it has to pass the stripSlashesGPC.
If it is a variable submitted to $myts->addSlashes, then it should be processed by the PHP (!) function stripslashes.
It is very important to know in every step of the program the condition of the variables, and not to repeat any of the conversions, because this will have a data change as a result.

displayTarea does nothing with stripslashes and assumes a clean variable. previewTarea assumes a (GPC) variable and does a stripSlashesGPC.
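An added example, not code from the thread, from XOOPS or from MyTextSanitizer, that runs the same submission through the pipelines discussed in the two posts above and shows what each one stores. The two helpers mirror the addSlashes()/stripSlashesGPC() logic quoted in this reply but take the magic_quotes_gpc state as a parameter (an assumption, made so the script runs on PHP 8, where get_magic_quotes_gpc() no longer exists); the helper names and the sample message are constructed for the example.

```php
<?php
// Added example (not code from the thread, XOOPS or MyTextSanitizer). The two
// helpers mirror the addSlashes()/stripSlashesGPC() logic quoted above, but
// take the magic_quotes_gpc state as a parameter (assumption: lets the script
// run on PHP 8, where get_magic_quotes_gpc() no longer exists).

/** Mirrors $myts->addSlashes(): escape only if PHP has not already done it. */
function mytsAddSlashes(string $text, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? $text : addslashes($text);
}

/** Mirrors $myts->stripSlashesGPC(): undo PHP's escaping, if it happened. */
function mytsStripSlashesGpc(string $text, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($text) : $text;
}

/** What $_POST['message'] holds for the same keystrokes under each setting. */
function simulateGpc(string $typed, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? addslashes($typed) : $typed;
}

/** Runs one submission through four candidate pipelines; keys are labels. */
function comparePipelines(string $typed, bool $magicQuotesOn): array
{
    $posted = simulateGpc($typed, $magicQuotesOn);
    $clean  = mytsStripSlashesGpc($posted, $magicQuotesOn);

    return [
        // (a) addSlashes straight on the GPC value: escaped exactly once.
        'addSlashes(gpc)'             => mytsAddSlashes($posted, $magicQuotesOn),
        // (b) the proposal from post 1: addSlashes on an already-cleaned value.
        'addSlashes(stripSlashesGPC)' => mytsAddSlashes($clean, $magicQuotesOn),
        // (c) clean value, then the plain PHP addslashes(): escaped exactly once.
        'addslashes(clean)'           => addslashes($clean),
        // (d) a repeated conversion: the data change this reply warns about.
        'addslashes(addSlashes(gpc))' => addslashes(mytsAddSlashes($posted, $magicQuotesOn)),
    ];
}

$typed = 'It\'s a "quoted" back\slash';   // constructed sample input

foreach ([false, true] as $mq) {
    printf("magic_quotes_gpc = %s\n", $mq ? 'On' : 'Off');
    foreach (comparePipelines($typed, $mq) as $label => $value) {
        printf("  %-29s %s\n", $label . ':', $value);
    }
    echo "\n";
}
```

Pipelines (a) and (c) produce the same escaped-once string whether magic_quotes_gpc is On or Off, which is why a single $myts->addSlashes() on the raw form value, or the plain PHP addslashes() on a value that is already clean, is enough. Pipeline (b), the line proposed in the first post, is only correct with magic quotes Off: with them On, stripSlashesGPC() removes the slashes and addSlashes() then skips escaping because it assumes its input is still raw GPC, so the message would be stored unescaped. Pipeline (d) shows the doubled backslashes you get from repeating a conversion.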

3
tank1955
Re: Text sanitizing question
  • 2008/11/19 3:05
  • Module Developer
  • Posts: 276
  • Since: 2007/9/7

Thanks for your help, ghia.

4
ghia
Re: Text sanitizing question
  • 2008/11/19 10:19
  • Community Support Member
  • Posts: 4953
  • Since: 2008/7/3

Now, I read that there are CSV files used as 'database' in Shoutbox. When I referred in my previous post to database, you should read MySQL database.
For other databases, different rules apply.
I think for CSV, if there is anything to do, the quotes have to be doubled instead of slashed. It depends on the implementation of the read/write functions whether such manipulations must be done by hand or are already implemented.
Anyway, it is best to always start from a clean variable.
You have to do nothing special if you use the CSV functions from PHP: fgetcsv, fputcsv and str_getcsv.
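An added example, not code from the thread or from ShoutBox, illustrating this reply: PHP's CSV functions double embedded quotes themselves, and a value that was escaped with addslashes() for MySQL comes back out of a CSV 'database' with its slashes intact, which is the symptom reported in the first post. The helper names and the sample message are constructed for the example; the escape parameter is set to '' (supported since PHP 7.4) so backslashes are treated as ordinary data.

```php
<?php
// Added example (not code from the thread or ShoutBox). Shows that fputcsv()/
// fgetcsv() handle quote doubling on their own, and that a value escaped with
// addslashes() for MySQL keeps its slashes through a CSV round trip.
// escape='' (PHP 7.4+) disables PHP's backslash handling so '\' is plain data.

/** Writes one row to an in-memory CSV stream and reads it back (constructed helper). */
function csvRoundTrip(array $row): array
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, $row, ',', '"', '');
    rewind($fh);
    $back = fgetcsv($fh, 0, ',', '"', '');
    fclose($fh);
    return $back;
}

/** Returns the raw line fputcsv() produces for a row (constructed helper). */
function csvLine(array $row): string
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, $row, ',', '"', '');
    rewind($fh);
    $line = stream_get_contents($fh);
    fclose($fh);
    return $line;
}

$clean = "It's a \"quoted\", comma\nand newline";   // constructed sample input

// 1. Store the clean value: embedded quotes are doubled on the way in and
//    collapsed on the way out, so what was typed is what comes back.
$back = csvRoundTrip([1, $clean]);
echo "raw line:  ", csvLine([1, $clean]);
echo "unchanged: ", var_export($back[1] === $clean, true), "\n\n";

// 2. Store the addslashes()'d value instead: CSV has no use for backslashes,
//    so they survive the round trip and show up in the displayed message.
$back = csvRoundTrip([2, addslashes($clean)]);
echo "read back: ", $back[1], "\n";
echo "unchanged: ", var_export($back[1] === $clean, true), "\n";
```

Case 1 is the "start from a clean variable" rule applied to CSV: the only transformation is the one fputcsv() and fgetcsv() perform between themselves. Case 2 is what happens when a MySQL-style sanitizer is applied before writing to CSV; the slashes are stored as literal characters and are still there when the message is read back for display.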

5
tank1955
Re: Text sanitizing question
  • 2009/1/10 17:00
  • Module Developer
  • Posts: 276
  • Since: 2007/9/7

I have been doing some more reading about text sanitizing. For the next release of Video Tube I want to clean up the deprecated debug messages caused by $myts->makeTboxData4Save usage.

I am not sure if I should just change from $myts->makeTboxData4Save to $myts->addslashes. Some articles I have been reading recommend the use of mysql_real_escape_string instead of addslashes. I would like to hear your thoughts.
