[PHP] Stripslashes help
I have a script which emails users from a website form. I have just run the script and got the following in the email:

    A worm of many subjects \\\"The Klez\\\" worm arrives in an e-mail message with one of 120 possible subject lines. There are 18 different standard subject headings, including \\\let\\

I have fixed this with stripslashes(), but the problem I am having is that if a ( ' ) is used in the email, I lose whatever is after '

Running php4.1.2 apache 2.0.36 RH 7.3

My script is

    $emailbody = stripslashes($_POST["body"]);
    $emailbody = stripslashes($emailbody);
    $emailsub = stripslashes($_POST["subject"]);
    $emailsub = stripslashes($emailsub);
    $message = "To: From: x Subject: [] x - $emailsub BCC: ";
    $message .= "\n$emailbody";
    $message .= "\n -- ";

In the form I typed

    This is a test this is a 'test'

And what I got in the email was

    This is a test this is a

Has anyone a few pointers as to what I am missing...

Regards in advance

---
Chris Kay
Technical Support - Techex Communications
Website: www.techex.com.au
Email: [EMAIL PROTECTED]
Telephone: 1300 88 111 2 - Fax: (02) 9970 5788
Address: Suite 13, 5 Vuko Place, Warriewood, NSW 2102
Platinum Channel Partner of the Year - Request DSL - Broadband for Business
---

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Stripslashes help
Chris (nice name),

Chris Kay wrote:

> A worm of many subjects \\\"The Klez\\\" worm arrives in an e-mail

Anytime you see three backslashes in a row, the likely case is that addslashes() has been performed twice. For example, the following two iterations:

1. "The Klez" -> \"The Klez\"
2. \"The Klez\" -> \\\"The Klez\\\" (the \ is escaped as \\ and the " is escaped as \")

If your php.ini specifies that magic quotes are on, then that is likely the reason for one execution of stripslashes() that you might be overlooking. Otherwise, check your code carefully to ensure that you know when data has been escaped. A good habit is to use a strict naming convention to help you:

    $clean_data=stripslashes($data);

> I have fixed this with stripslashes(), but the problem I am having is that
> if a ( ' ) is used in the email, I lose whatever is after '

When you store this in the database, the single quote terminates the literal string:

    $data="It's hot in Memphis!";
    $sql_statement="insert into quotes values('$data');";
    echo $sql_statement;

This will give you:

    insert into quotes values ('It's hot in Memphis!);

As you can see, your string only consists of It at this point.

> $emailbody = stripslashes($_POST["body"]);
> $emailbody = stripslashes($emailbody);

Well, here's where you're executing stripslashes() twice. See above.

My suggestion is to not try to get your message into a variable that can be used in an SQL query and be sent in an email. You want these to use two different formats. For the email, leave the single quotes as they are; you don't want to see the escaped quotes. For inserting into the database, make sure they are escaped with stripslashes().

Happy hacking.

Chris

RE: [PHP] Stripslashes help
Chris (or should I be addressing Chris :) )

Chris S - I think you're confusing stripslashes w/ addslashes, but everything else I'm in agreement w/.

Chris K - Somewhere you've got addslashes twice. As mentioned, one of those might be in your php.ini file. That's why you need to stripslashes() twice...

-----Original Message-----
From: Chris Shiflett [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 09, 2002 1:54 PM
To: Chris Kay
Cc: PHP General List
Subject: Re: [PHP] Stripslashes help

Re: [PHP] Stripslashes help
Martin Towell wrote:

> Chris S - I think you're confusing stripslashes w/ addslashes, but
> everything else I'm in agreement w/.

You're absolutely right. *blush*

Chris K - Ignore my last paragraph, and everything else should make at least partial sense. :-)

Ignore this:

> Well, here's where you're executing stripslashes() twice. See above.
>
> My suggestion is to not try to get your message into a variable that can
> be used in an SQL query and be sent in an email. You want these to use
> two different formats. For the email, leave the single quotes as they
> are; you don't want to see the escaped quotes. For inserting into the
> database, make sure they are escaped with stripslashes().

Happy hacking.

Chris
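
The double escaping diagnosed in this thread, and the advice to treat the e-mail and the database as two different output formats, as an added example that is not part of any post. It assumes PHP 7 or later with the pdo_sqlite extension; undo_magic_quotes() and the column name body are hypothetical, and it goes beyond the thread by binding the value as a query parameter instead of escaping it with addslashes().

```php
<?php
// Added example: undo_magic_quotes() and the "body" column are illustrative
// names, not code from the thread.

// Remove exactly as many addslashes() layers as were applied on the way in:
// 1 when magic_quotes_gpc alone escaped the input, 2 when application code
// called addslashes() on top of it.
function undo_magic_quotes(string $value, int $layers): string
{
    for ($i = 0; $i < $layers; $i++) {
        $value = stripslashes($value);
    }
    return $value;
}

// Constructed sample input, as typed into the form.
$typed = 'The "Klez" worm: this is a \'test\'';

$once  = addslashes($typed);  // one layer: each " and ' gains one backslash
$twice = addslashes($once);   // two layers: three backslashes before each quote
echo $once, "\n", $twice, "\n";

// Keep one unescaped copy and encode it separately for each destination.
$raw = undo_magic_quotes($twice, 2);

// Destination 1: the e-mail body takes the text as typed, with no slashes.
$emailBody = "\n$raw\n -- ";

// Destination 2: the database. A bound parameter carries the single quote
// as data, so it cannot terminate a string literal in the statement.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE quotes (body TEXT)');
$stmt = $db->prepare('INSERT INTO quotes (body) VALUES (?)');
$stmt->execute([$raw]);
$stored = $db->query('SELECT body FROM quotes')->fetchColumn();

// Both checks report whether the text survived unchanged.
var_dump($raw === $typed, $stored === $typed);
echo $emailBody, "\n";
```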