mail output question

$var
Forum Contributor
Posts: 317
Joined: Thu Aug 18, 2005 8:30 pm
Location: Toronto

Post by $var »

hello,

i am making a simple mailing form with a textbox named 'body'
however, i can't seem to get the text to format:

Code:

$bodyescape = mysql_real_escape_string($_POST["body"]);
$bodybreaks = nl2br($bodyescape);
$msgbody = $bodybreaks;

do these not work when sent through the mail code?
is there anything that i can do to take text from the 'body' and allow for linebreaks and quotes?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Where does $msgbody go after this?

Post by $var »

$msgbody is being sent within the parameters of the mail tag.

Code:

mail($email, $subject, $msgbody, $headers);

the complete code looks like this

Code:

$email = $mailresults["list_email"];
$subject = $_POST["subject"];

$bodyescape = mysql_real_escape_string($_POST["body"]);
$bodybreaks = nl2br($bodyescape);

$msgbody = $bodybreaks;
$msgbody .= "To unsubscribe visit: http://www.dikwear.com/mailinglist_unsu ... list_email";

$headers  = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: Dikwear.com <info@dikwear.com>\r\n";

mail($email, $subject, $msgbody, $headers);
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Why are you using mysql_real_escape_string() when you're not putting the data in MySQL (from what we see)? That will add backslashes all over the place.

Post by $var »

you know, it is! so i took it out, no commas anymore, thanks.
also, i looked through the mail documentation, and found that i should be using str_replace(); instead of nl2br();

$bodybreaks = str_replace("\n.", "\n..", $_POST["body"]);

however, nothing happens. i still get the message all in one line, like so:
test test' test" To unsubscribe visit: http://www.dikwear.com/mailinglist_unsubscribe.php
where i entered

Code:

test 

test' 

test"

Post by Chris Corbyn »

$var wrote:you know, it is! so i took it out, no commas anymore, thanks.
also, i looked through the mail documentation, and found that i should be using str_replace(); instead of nl2br();

$bodybreaks = str_replace("\n.", "\n..", $_POST["body"]);

however, nothing happens. i still get the message all in one line, like so:
test test' test" To unsubscribe visit: http://www.dikwear.com/mailinglist_unsubscribe.php
where i entered

Code:

test 

test' 

test"
That str_replace() simply prevents injection attacks because a dot on a line by itself terminates the SMTP DATA process and fires the message. Dots at the start of an existing line are stripped so ".." becomes "." in the final email. You still need nl2br().

Post by $var »

i think it's all working properly.
i need to find out more about these injection attacks, they sound dangerous, and violating.
should i leave the str_replace in?

Post by Chris Corbyn »

$var wrote:i think it's all working properly.
i need to find out more about these injection attacks, they sound dangerous, and violating.
should i leave the str_replace in?
Yes, leave it in. Allowing dots is less dangerous than allowing any of [<>;\r\n] in headers. It simply gives someone the opportunity to cut the communication with the MTA short. It may also be completely harmless on some Linux servers depending upon the sendmail_path flags. Better safe than sorry though.
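The points raised in this thread (no SQL escaping for mail, nl2br() for an HTML body, the dot replacement, and no CR/LF in header values), combined in one place as an added example that is not part of the original posts. The function names, the example.com sender and the sample input are assumptions, the posted text is assumed to be ISO-8859-1 to match the thread's Content-type header, and the htmlspecialchars() call is an addition that nobody in the thread suggested.

```php
<?php
// Added example: function names and the sample input are hypothetical.

// Header values (here the subject) must not contain CR or LF, because a
// line break inside a header value starts a new header line.
function clean_header_value(string $value): string
{
    return trim(preg_replace('/[\r\n]+/', ' ', $value));
}

// Body for a "Content-type: text/html" message built from a plain textarea.
function build_html_body(string $text): string
{
    // Normalise every line-ending style to CRLF first.
    $text = preg_replace('/\r\n|\r|\n/', "\r\n", $text);
    // Encode <, >, &, ' and " so typed quotes display as typed and
    // typed markup is shown as text instead of being rendered.
    $html = htmlspecialchars($text, ENT_QUOTES, 'ISO-8859-1');
    // nl2br() puts <br /> in front of each line break; this is what makes
    // the breaks visible in an HTML mail.
    $html = nl2br($html);
    // Dot replacement from the mail() documentation, as discussed in the thread.
    return str_replace("\n.", "\n..", $html);
}

function prepare_message(array $post): array
{
    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
    $headers .= "From: Example <info@example.com>\r\n"; // placeholder sender

    return [
        'subject' => clean_header_value($post['subject'] ?? ''),
        'body'    => build_html_body($post['body'] ?? ''),
        'headers' => $headers,
    ];
}

// Constructed sample standing in for $_POST: a subject carrying a line
// break, and a body with quotes, a lone dot and markup.
$sample = [
    'subject' => "Newsletter\r\nX-Test: injected",
    'body'    => "test\r\n\r\ntest'\r\n.\r\ntest\" <b>bold</b>",
];
$msg = prepare_message($sample);

echo $msg['subject'], "\n";
echo $msg['body'], "\n";
// To send: mail($to, $msg['subject'], $msg['body'], $msg['headers']);
```

mysql_real_escape_string() does not appear here because nothing is written to MySQL; the recipient address still needs its own validation before it is passed to mail().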