On Fri, Feb 29, 2008 at 2:18 PM, VanBuskirk, Patricia
<[EMAIL PROTECTED]> wrote:
> Someone from this list (sorry I cannot remember the name), a while back, gave 
> me the following function to use to get rid of unwanted characters coming in 
> on forms:
>
>  function convert_smart_quotes($string)
>  {
>      $search = array(chr(145),
>                      chr(146),
>                      chr(147),
>                      chr(148),
>                      chr(151),
>                      "#",
>                      ";",
>                      "[",
>                      "]",
>                      "{", // Note the missing "}" closing curly bracket here
>                      "<",
>                      ">",
>                      "=",
>                      "URL=http://");

    Above, there are only 14 search terms, but below, there are 15
replace terms.  Below the line I commented, add:
                                           "}",

>      $replace = array("'",
>                       "'",
>                       '"',
>                       '"',
>                       "-",
>                       "number",
>                       ",",
>                       "",
>                       "",
>                       "",
>                       "",
>                       "",
>                       "",
>                       "equals",
>                       "");
>      return str_replace($search, $replace, $string);
>  }
[snip!]


>  2. "New " VM Tree Greeting 1- Need NEW DN for this!!!  (Please coordinate 
> with Suzanne for recordings).

    See the parentheses above?  I'll bet dollars to donuts that's your
killswitch.  See my updated arrays at the end of this email.

[snip!]
>  Also, we are getting back for example "I\'m hoping..."  Somehow the slashes 
> are coming through in the field and in the emails.  I am not even sure what 
> is putting them in, as I don't see that in the replace function.

    There's either an addslashes() function somewhere or a missing
stripslashes().

    Prior to inserting the data into the database, you should sanitize
it using mysql_real_escape_string().  So, for example, if your SQL
query looks like this:

$body = convert_smart_quotes($string);
$sql = "INSERT INTO email(body) VALUES($body)";

    It should be changed to:

$body = mysql_real_escape_string(stripslashes(convert_smart_quotes($string)));
// The escaped value must sit inside quotes; the escaping is only valid there.
$sql = "INSERT INTO email(body) VALUES('$body')";

    And if that's not fixing the error for emails being sent, then
find where the mail() function resides and replace the message body
variable with something similar to:

$message = stripslashes($message);


    Finally, the new arrays (rewritten function) I promised.

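function convert_smart_quotes($string) {
    // $search and $replace are matched by position, so both arrays
    // must have the same number of entries, in the same order.
    $search = array(chr(145),
                    chr(146),
                    chr(147),
                    chr(148),
                    chr(151),
                    "#",
                    ";",
                    "[",
                    "]",
                    "{",
                    "}",
                    "(",
                    ")",
                    "!",
                    "<",
                    ">",
                    "URL=http://", // must come before "=", or it can never match
                    "=");
    $replace = array("'",      // chr(145)
                     "'",      // chr(146)
                     '"',      // chr(147)
                     '"',      // chr(148)
                     "-",      // chr(151)
                     "number", // #
                     ",",      // ;
                     "",       // [
                     "",       // ]
                     "",       // {
                     "",       // }
                     "",       // (
                     "",       // )
                     ".",      // !
                     "",       // <
                     "",       // >
                     "",       // URL=http://
                     "equals"); // =
    return str_replace($search, $replace, $string);
}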

-- 
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
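
Added example, not part of the message above or of the original poster's code: the same character filter written as a single search => replacement map passed to strtr(), so a pair cannot lose its partner the way the two parallel str_replace() arrays did. The function name sanitize_form_text() and the sample inputs are constructed for illustration.

```php
<?php
// Added example; sanitize_form_text() is a hypothetical name.

/**
 * One search => replacement map instead of two parallel arrays:
 * every search term carries its own replacement, so the arrays
 * cannot drift out of step when a term is added or forgotten.
 */
function sanitize_form_text(string $s): string
{
    static $map = [
        "\x91" => "'",   // chr(145), Windows-1252 left single quote
        "\x92" => "'",   // chr(146), right single quote
        "\x93" => '"',   // chr(147), left double quote
        "\x94" => '"',   // chr(148), right double quote
        "\x97" => "-",   // chr(151), em dash
        "URL=http://" => "",
        "#" => "number",
        ";" => ",",
        "=" => "equals",
        "!" => ".",
        "[" => "", "]" => "", "{" => "", "}" => "",
        "(" => "", ")" => "", "<" => "", ">" => "",
    ];
    // strtr() with an array tries the longest key first and never rescans
    // text it has already replaced, so "URL=http://" wins over "=".
    return strtr($s, $map);
}

// Constructed inputs modelled on the cases mentioned in the thread.
$cases = [
    "Need NEW DN for this!!!  (Please coordinate)"
        => "Need NEW DN for this...  Please coordinate",
    "URL=http://example.test a=b"
        => "example.test aequalsb",
    "\x93I\x92m hoping\x94 #1; {x}"
        => "\"I'm hoping\" number1, x",
];
foreach ($cases as $in => $want) {
    $got = sanitize_form_text($in);
    if ($got !== $want) {
        throw new RuntimeException("mismatch: got [$got], want [$want]");
    }
}
echo "all cases pass\n";
```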