mail output question
Posted: Mon Apr 16, 2007 11:13 am
by $var
hello,
i am making a simple mailing form with a textbox named 'body'
however, i can't seem to get the text to format:
Code:
$bodyescape = mysql_real_escape_string($_POST["body"]);
$bodybreaks = nl2br($bodyescape);
$msgbody = $bodybreaks;
do these not work when sent through the mail code?
is there anything that i can do to take text from the 'body' and allow for linebreaks and quotes?
Posted: Mon Apr 16, 2007 4:39 pm
by feyd
Where does $msgbody go after this?
Posted: Tue Apr 17, 2007 8:38 am
by $var
$msgbody is being sent within the parameters of the mail tag.
Code:
mail($email, $subject, $msgbody, $headers);
the complete code looks like this
Code:
$email = $mailresults["list_email"];
$subject = $_POST["subject"];
$bodyescape = mysql_real_escape_string($_POST["body"]);
$bodybreaks = nl2br($bodyescape);
$msgbody = $bodybreaks;
$msgbody .= "To unsubscribe visit: http://www.dikwear.com/mailinglist_unsu ... list_email";
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: Dikwear.com <info@dikwear.com>\r\n";
mail($email, $subject, $msgbody, $headers);
Posted: Tue Apr 17, 2007 9:27 am
by Chris Corbyn
Why are you using mysql_real_escape_string() when you're not putting the data in MySQL (from what we see)? That will add backslashes all over the place.
Posted: Tue Apr 17, 2007 10:11 am
by $var
you know, it is! so i took it out, no commas anymore, thanks.
also, i looked through the mail documentation, and found that i should be using str_replace(); instead of nl2br();
$bodybreaks = str_replace("\n.", "\n..", $_POST["body"]);
however, nothing happens. i still get the message all in one line, like so:
where i entered
Posted: Tue Apr 17, 2007 10:14 am
by Chris Corbyn
$var wrote: you know, it is! so i took it out, no commas anymore, thanks.
also, i looked through the mail documentation, and found that i should be using str_replace(); instead of nl2br();
$bodybreaks = str_replace("\n.", "\n..", $_POST["body"]);
however, nothing happens. i still get the message all in one line, like so:
where i entered
That str_replace() simply prevents injection attacks because a dot on a line by itself terminates the SMTP DATA process and fires the message. Dots at the start of an existing line are stripped so ".." becomes "." in the final email. You still need nl2br().
Posted: Tue Apr 17, 2007 10:42 am
by $var
i think it's all working properly.
i need to find out more about these injection attacks, they sound dangerous, and violating.
should i leave the str_replace in?
Posted: Tue Apr 17, 2007 12:02 pm
by Chris Corbyn
$var wrote: i think it's all working properly.
i need to find out more about these injection attacks, they sound dangerous, and violating.
should i leave the str_replace in?
Yes, leave it in. Allowing dots is less dangerous than allowing any of [<>;\r\n] in headers. It simply gives someone the opportunity to cut the communication with the MTA short. It may also be completely harmless on some Linux servers depending upon the sendmail_path flags. Better safe than sorry though.
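
The points raised in this thread, put together as an added example (not code from any poster): the subject is rejected if it contains any of the header characters named above, and the body is escaped for the text/html content type, passed through nl2br(), then dot-stuffed. The function names and the sample input are hypothetical, and the htmlspecialchars() step is an addition that assumes the ISO-8859-1 charset from the original headers.

```php
<?php
// Added example; function names are hypothetical, sample input is constructed.

/** Refuse a header value (e.g. the subject) containing any of < > ; CR LF. */
function clean_header_value(string $value): string
{
    if (preg_match('/[<>;\r\n]/', $value)) {
        throw new InvalidArgumentException('Illegal character in header value');
    }
    return trim($value);
}

/** Turn user text into a body that is safe to send as text/html. */
function prepare_html_body(string $text): string
{
    // 1. Escape markup and quotes so they display literally in the HTML mail.
    $html = htmlspecialchars($text, ENT_QUOTES, 'ISO-8859-1');
    // 2. Insert <br /> before each newline so line breaks survive rendering.
    $html = nl2br($html);
    // 3. Dot-stuffing: double a dot at the start of any line. Same idea as
    //    str_replace("\n.", "\n..", ...) but it also covers the first line.
    return preg_replace('/^\./m', '..', $html);
}

// Constructed input standing in for $_POST; nothing is sent.
$post = [
    'subject' => "Spring sale\r\nX-Constructed: 1",
    'body'    => "He said \"hi\" <b>\n.\nsecond line",
];

try {
    $subject = clean_header_value($post['subject']);
} catch (InvalidArgumentException $e) {
    $subject = null;
    echo "Subject rejected: ", $e->getMessage(), "\n";
}

$msgbody = prepare_html_body($post['body']);
echo $msgbody, "\n";

// Only call mail() when every header value passed the check:
// if ($subject !== null) { mail($email, $subject, $msgbody, $headers); }
```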