When I first started with PHP, I was working on a server with Magic Quotes turned on. Fine, I was new and it probably saved a lot of trouble in those early days. But now I feel experienced enough to get by without it, and I now have the opportunity to develop sites on a host where I can turn off magic quotes if I like. So I figured I'd go for it.

My question is, for security and/or convenience purposes, when do I need to addslashes to user input, and when do I need to stripslashes?

I do know I need to use mysql_real_escape_string on anything I plan to use in a database query. But say I don't need to use a database. In the following scenario, what do I need to do with slashes?

1. Accept a bunch of user input
   
2. Do a lot of processing with PHP
   
3. Display the data to the user again

Do I need to add slashes at all under these circumstances since a database isn't involved? My concern is that a malicious user might be able to inject PHP code through a form or other input methods that would allow unauthorized access to the server. For instance, I think I remember seeing an example once of a PHP script with a security hole that would have allowed a hacker to enter PHP code into a form field and delete a website's root directory. Obviously I don't want that to happen! ;)

So again, if ALL I'm doing is processing the data with PHP and re-displaying it to the user, what do I need to do with adding or removing slashes if magic quotes are turned off?

Thanks in advance,

Matthew