PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Why are you using mysql_real_escape_string() when you're not putting the data in MySQL (from what we see)? That will add backslashes all over the place.
You know, it is! So I took it out, no commas anymore, thanks.
Also, I looked through the mail documentation and found that I should be using str_replace() instead of nl2br().
$var wrote: You know, it is! So I took it out, no commas anymore, thanks.
Also, I looked through the mail documentation and found that I should be using str_replace() instead of nl2br().
That str_replace() simply prevents injection attacks because a dot on a line by itself terminates the SMTP DATA process and fires the message. Dots at the start of an existing line are stripped, so ".." becomes "." in the final email. You still need nl2br().
I think it's all working properly.
I need to find out more about these injection attacks; they sound dangerous and violating.
Should I leave the str_replace() in?
$var wrote: I think it's all working properly.
I need to find out more about these injection attacks; they sound dangerous and violating.
Should I leave the str_replace() in?
Yes leave it in. Allowing dots is less dangerous than allowing any of [<>;\r\n] in headers. It simply gives someone the opportunity to cut the communication with the MTA short. It may also be completely harmless on some linux servers depending upon the sendmail_path flags. Better safe than sorry though.
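To make the two separate points in this thread concrete (dot-stuffing the body so a lone "." line cannot end the SMTP DATA phase early, and keeping CR/LF out of header values so a form field cannot smuggle in a Bcc: header), here is an added PHP example. It is not code from any post in this thread; the function names dot_stuff_body() and is_safe_header_value() and the sample inputs are my own, and it assumes the values are about to be handed to PHP's mail().

```php
<?php
// Added example, not from the thread above. Function names are mine.
// Two distinct concerns from the discussion:
//   1. dot-stuffing the body (RFC 5321 section 4.5.2) so that a line
//      consisting of a single "." cannot terminate SMTP DATA early;
//   2. refusing CR/LF in header values so user input cannot append
//      extra headers (classic mail header injection).

declare(strict_types=1);

/**
 * Prepend a second "." to every body line that starts with ".".
 * The receiving MTA strips one leading dot, so ".." arrives as "." and a
 * lone "." line no longer ends the message. Works for both "\n" and
 * "\r\n" line endings because explode() on "\n" leaves any "\r" at the
 * end of the previous line, not at the start of the next one.
 */
function dot_stuff_body(string $body): string
{
    $lines = explode("\n", $body);
    foreach ($lines as $i => $line) {
        if ($line !== '' && $line[0] === '.') {
            $lines[$i] = '.' . $line;
        }
    }
    return implode("\n", $lines);
}

/**
 * A header value must be a single line. Anything containing CR or LF
 * (e.g. "bob@example.com\r\nBcc: attacker@example.com") would let the
 * sender inject arbitrary additional headers.
 */
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Constructed inputs for demonstration.
$body   = "Hello\n.\n.hidden line\nbye";      // two lines start with "."
$to     = "bob@example.com";                   // clean recipient
$evilTo = "bob@example.com\r\nBcc: attacker@example.com"; // injection attempt

$stuffed = dot_stuff_body($body);              // "Hello\n..\n..hidden line\nbye"

// Only build headers from values that passed the check; abort otherwise.
foreach ([$to, $evilTo] as $candidate) {
    if (!is_safe_header_value($candidate)) {
        fwrite(STDERR, "rejected header value: " . addcslashes($candidate, "\r\n") . "\n");
        continue;
    }
    // mail() call left commented out so the script runs without an MTA.
    // mail($candidate, "Contact form", $stuffed, "From: webform@example.com");
    echo "would send to: {$candidate}\n";
}
```

The header check is the one that matters most: with the default `sendmail -t -i` sendmail_path on Unix, the `-i` flag already tells sendmail not to treat a lone "." as end of input, which is why the last reply says the dot issue "may be completely harmless on some linux servers". That depends on php.ini, though, so stuffing in code costs nothing and keeps the script correct if the transport changes.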