This is a little tricky / subtle. The form validator under the ‘prep_for_form’ function is running stripslashes regardless of the magic_quotes value.
First, it’s doing this on the raw POST permanently changing that value so that any further testing on it does not reflect the original submission. If it’s going to change a value it seems like the input->post() values would be a better choice so that POST is left in it’s filthy/untrustworthy/user submitted form (for people who need that
Second, it’s doing this on all values, not just the ones found to be invalid. This means that when a form repopulates slashes have been removed from all fields that had them and even those that might have been valid (multi-line text, etc). If the user doesn’t notice they could resubmit the changed value.
Third, it does this after it validates the entry. Meaning that it will validate eight slashes as having a minimum length of 8, but then reduce them to four slashes when ‘prep_for_form’ runs. This is tricky for any instance where an app could accept entries marked as valid and prompt only for the ones found invalid.
It’s late so I might be off on some of this