开发者

Stripslashes() not working in email

开发者 https://www.devze.com 2023-03-19 06:04 出处:网络
Right now I\'m trying to make an email notification whenever somebody submits a comment going into a database. I\'m using mysql_real_escape_string() to protect against injections and I\'m trying to st

Right now I'm trying to make an email notification whenever somebody submits a comment going into a database. I'm using mysql_real_escape_string() to protect against injections and I'm trying to strip the slashses off the name, email, and comment when they are sent in the email notification. The database entry code is commented out, as I don't want there to be an entry made every time I test the email system.

The email is sent just fine, however stripslashes() is not working properly. For example, if the message is "Can't wait!" the email will have "Comment: Can\'t wait!". This is strange to me because when I have the comments displayed on the page, stripslashses works fine.

Is this because I'm not applying stripslashes() to data not coming directly out of the database?

$li = mysql_connect($dbHost, $dbUser, $dbPass) or die("Could not connect");
    mysql_select_db($dbDatabase, $li) or die ("could not select DB"); 

    $name = mysql_real_escape_string($HTTP_POST_VARS["name"]);
    $email = mysql_real_escape_string($HTTP_POST_VARS["email"]);
    $comment = mysql_real_escape_string($HTTP_POST_VARS["comment"]);
    $date = Date("Y-m-d h:i:s");
    /*
    $gb_query =     "insert into entries
            values(0, '$name', '$email', '$comment', '$date')";

    mysql_query($gb_query);
    $res = mysql_affected_rows();

    // See if insert was successful or not
    if($res > 0) {

    $ret_str="Your guestbook entry was successfully added!";*/
        $name2=strips开发者_开发百科lashes($name);
        $email2=stripslashes($email);
        $comment2=stipslashes($comment);
        $subject = 'New Guestbook Entry Has been Added!';
        $message = "Name:  $name2\nEmail:  $email2\nComment:  $comment2";
        $to = "chetg329@yahoo.com";
        mail($to, $subject, $message);
        //header('Location: guestbook.php?ps=1');
    //exit(); // End the request
    /*  
    } else {
        $ret_str = "There was a problem with your guestbook entry. Please try again.";
    }

    // Append success/failure message
    $gb_str .= "<span class=\"ret\">$ret_str</span><BR>";*/
    mysql_close();


My guess is that the problem lies within magic_quotes. I would take a look at your php.ini and see if you can turn it off (pending you are not relying on it to prevent SQL Injection). If you cannot access the php.ini to turn it off PHP provides a method for you to test it and act accordingly (IE stripslashes on the data before escaping it with mysql_real_escape_string ) It is called get_magic_quotes_gpc

Alternatively, why are you using mysql_real_escape_string on data that is not being inserted into the database? If you do insert it later on, then move those calls till after the mail call.

0

精彩评论

暂无评论...
验证码 换一张
取 消