unexpected escape characters in text email...

Posted: Tue Oct 14, 2003 12:58 pm
by ericbaze
I use PHP and MySQL for submission and processing of new account applications via our web site. The applications are submitted through HTML forms and PHP to a MySQL table, then the data is retrieved similarly and sent as a plain text email to our customer service department.

For one reason or another, sometimes applicants need to use the single quote (') or apostrophe (`) -- examples would be Macy`s or D'Amelio. This is resulting in a problem -- the email converts D'Amelio to D\'Amelio and Macy`s to Macy\`s.

I've tried structuring the email content as both

$email_content1 = "Dear".$sirnm." ".$lname.",\n";

and

$email_content2 = "Dear $fname $lname,\n";

but I have the same result either way. The content of the MySQL table does show the text properly as D'Amelio. Also, I'm using a basic mail(); command with no specific headers in it.

My assumption is that it's one of three things -- a) I need to define the mail headers more specifically, b) I need to restructure the MySQL query, or c) I need to restructure my variables.

I understand that ', ", and ` are used by PHP to enclose strings, etc...

It would make sense if I got a variable error, or if (\') was converted to ('), since (') is reserved; however, why would it convert (') to (\')?

Wouldn't that be like a line break being converted to (\n), rather than (\n) being converted to a line break?

Does anyone have an idea as to how I can correct this?

Thanks,

Eric Baze, Creative Specialist
ConferenceCall.com
ebaze@conferencecall.com

Posted: Tue Oct 14, 2003 2:08 pm
by volka
what does

Code:

<?php phpinfo(); ?>
say about magic_quote?

Posted: Tue Oct 14, 2003 2:19 pm
by ericbaze
What am I looking for within the phpinfo page? I've read through it and nothing stands out that seems appropriate.

Thanks,

Eric

Posted: Tue Oct 14, 2003 3:15 pm
by Gen-ik
This might be a dumb thing to ask but after you've got the info from the database are you using strip_slashes() on it before you dump it into the email?

For example.....

Code:

<?php
// $TEXT is some text from the database

$body = "Hello.\n\n";
// stripslashes() is the PHP built-in (no underscore in the name)
$body.= stripslashes($TEXT)."\n\n";
$body.= "Goodbye.";

mail($to, $subject, $body, $headers);
?>

Posted: Tue Oct 14, 2003 3:23 pm
by ericbaze
I'll give that a try, but I don't think "strip_slashes" will have an effect. Example, D'Amelio still appears as D'Amelio in the database; however, it becomes D\'Amelio in the email.

Is it possible I need to specify more encoding information in the $headers variable for the mail(); command?

Posted: Tue Oct 14, 2003 3:45 pm
by Gen-ik
If you're viewing the database using something like PHPMyAdmin then the info displayed will be stripped of slashes anyway..... this doesn't mean that the actual data in the database is void of any \ characters.

What you see on the page and what the actual database info looks like can, and normally will, vary.

Posted: Tue Oct 14, 2003 3:52 pm
by twigletmac
The conversion to \' is happening when the form is posted. If you retrieved the data from the database the slashes are gone (but they are needed for the data to go in); however, if you use POSTed data in your e-mails you need to use stripslashes() on it before it is added to the message.

Mac

Posted: Tue Oct 14, 2003 6:10 pm
by volka

Code:

<?php phpinfo(); ?>
should display the settings for magic_quotes_gpc
http://php.net/manual/en/ref.info.php#i ... quotes-gpc

if no magic quoting is in effect the GET/POST parameters are passed as is.
try this simple script

Code:

<html>
	<body>
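		<pre>user input: <?php /* escaped so typed markup is displayed, not rendered */ echo htmlspecialchars(isset($_POST['text']) ? $_POST['text'] : '', ENT_QUOTES); ?></pre>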
		<form method="post">
			<input type="text" name="text" /><input type="submit" />
		</form>
	</body>
</html>
input a'b and submit the form.
If it displays a\'b then magic_quote_.. is On.

You should always be aware of the state of magic_quote and whether your script depends on it, e.g. take this query

Code:

<?php
$query = "SELECT fieldnameA FROM tablename WHERE fieldnameB='$_POST[userinput]'";
assume the user typed a'b into the field and submits the form.
If magic_quote is disabled $query will evaluate to SELECT fieldnameA FROM tablename WHERE fieldnameB='a'b' which is not good since it will cause an error if passed to the database.
If magic_quote is enabled $query will evaluate to SELECT fieldnameA FROM tablename WHERE fieldnameB='a\'b' which is better since the database will recognize 'a\'b' as one string literal (\' does not end the literal)
Personally I do not like magic_quote because I have to test whether it is enabled or disabled in every script. And there's nothing wrong with data containing ', " or \0 ; only some components need special treatment for those characters and they should take care of it themselves (like mysql_escape_string() or even better parameterized queries)
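
An added example, not code from any poster in this thread: it undoes magic quoting once at the input boundary, stores the value through a parameterized query, and builds the plain-text mail body from the unescaped value. The helper name raw_input(), the in-memory SQLite table and the sample POST arrays are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. raw_input() and the in-memory
// SQLite table are hypothetical; the posted values are constructed samples.

// Return a request value as the user typed it, undoing magic quoting if active.
function raw_input(array $source, $key, $magicQuotesOn)
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return '';
    }
    return $magicQuotesOn ? stripslashes($source[$key]) : $source[$key];
}

// In a real script the flag would come from the runtime, e.g.
//   function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()
// (the function no longer exists in PHP 8, where nothing is magic-quoted).

// What PHP hands the script for the input D'Amelio in each configuration.
$samples = array(
    'magic_quotes_gpc On'  => array(array('lname' => "D\\'Amelio"), true),
    'magic_quotes_gpc Off' => array(array('lname' => "D'Amelio"), false),
);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE applicants (lname TEXT)');

foreach ($samples as $label => $sample) {
    list($post, $magicOn) = $sample;
    $lname = raw_input($post, 'lname', $magicOn);

    // The driver binds the value; the quote never becomes part of the SQL text.
    $insert = $db->prepare('INSERT INTO applicants (lname) VALUES (:lname)');
    $insert->execute(array(':lname' => $lname));

    $select = $db->prepare('SELECT lname FROM applicants WHERE lname = :lname');
    $select->execute(array(':lname' => $lname));
    $stored = $select->fetchColumn();

    // Plain-text mail needs no escaping, so the stored value is used as is.
    $body = "Dear $stored,\n";
    echo $label, ': ', $body;
}
```

Because the query is parameterized, the script behaves the same whether magic quoting is on or off, and no backslash reaches the database or the email.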

Posted: Wed Oct 15, 2003 11:03 am
by ericbaze
stripslashes(); fixed the problem!

$raw = "foo";
$content = stripslashes($raw);

Thanks,

Eric