Posted by Kimmo Laine on 03/29/06 14:06
"Larry" <noway@none.com> wrote in message
news:V0tWf.18925$%d.8259@tornado.socal.rr.com...
> In article <YhqWf.216$5g7.95@reader1.news.jippii.net>, "Kimmo Laine"
> <spam@outolempi.net> wrote:
>>"Larry" <noway@none.com> wrote in message
>>news:tynWf.16641$w86.1083@tornado.socal.rr.com...
>>> OK, I've been searching around the net for numerous hours and seem to
>>> just be getting more confused about handling special characters.
>>>
>>> In my host's configuration MagicQuotes is ON. (I understand this is
>>> considered a bad thing by many)
>>>
>>> A user submitted an email in the form 'Bob Smith' <bob@nospam.com>
>>> Now when I look in the MySql database (via PhpMyAdmin) it's exactly
>>> that, but when I try to retrieve it with a standard query, it echoes or
>>> prints as Bob Smith. I have the same problem with a store name containing
>>> a single apostrophe. Obviously the single quote is stopping it, but how
>>> do I get past that?
>>
>>In HTML <bob@nospam.com> will be considered as a tag, a nonsense tag since
>>it's not really a tag but the <> make html think it is, therefore it's
>>hidden. To fix it, special chars need to be converted to a format where html
>>does not consider them as control characters such as tag delimiters. There
>>is a function that does this conversion called htmlspecialchars.
>>
>>Try something like:
>>echo htmlspecialchars("'Bob Smith' <bob@nospam.com>");
>>
>>http://php.net/htmlspecialchars
>>
>
> Actually I am placing the value into a hidden form field that's then
> emailed via a formmail program.
>
> echo("<input type='hidden' name='my_email' value='$email'>");
Please please please consider an alternative solution! Form mail scripts
like that are potential spam relays, especially the Formmail from Matt's
Script Archive is the most classic exploited script. Do yourself and
everyone else a favor and study a bit how such solutions get exploited.
Basically spammers replace the value with another email address and send their
own shit using your script.
http://www.google.com/search?hl=en&q=formmail+spam+relay+exploit&btnG=Google+Search
http://rickconner.net/spamweb/spam_formmail.html
--
"I am not a bad person, but apples are my livelihood." -Perttu Sirviö
spam@outolempi.net | Gedoon-S @ IRCnet | rot13(xvzzb@bhgbyrzcv.arg)
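One way to build that hidden field without the quotes breaking it, and to keep the mail script from being used as a relay, as an added PHP example (not code from the thread); the function names and the allowlist address are hypothetical:

```php
<?php
// Constructed sample input, the same value as in the thread.
// Assumes magic_quotes_gpc is OFF; if it is ON, stripslashes() the raw
// request value first so it is not escaped twice.
$email = "'Bob Smith' <bob@nospam.com>";

// The pattern from the thread: the single quotes inside $email terminate
// the single-quoted value attribute early, and <bob@nospam.com> is then
// parsed by the browser as a tag, so only "Bob Smith" survives.
function hidden_field_unsafe(string $name, string $value): string
{
    return "<input type='hidden' name='$name' value='$value'>";
}

// Hardened: escape for the attribute context. ENT_QUOTES converts both
// ' and " so the value can never close the attribute, and < > become
// entities so the address is no longer read as a tag.
function hidden_field(string $name, string $value): string
{
    $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "<input type=\"hidden\" name=\"$n\" value=\"$v\">";
}

// Mail-script side: the relay problem exists because the recipient comes
// from the request. Keep the allowed destinations server-side instead,
// and reject CR/LF in any value that ends up in a mail header
// (Reply-To, From), since those let a submitter append extra headers.
const ALLOWED_RECIPIENTS = ['orders@example.com']; // hypothetical
function resolve_recipient(string $requested): ?string
{
    if (preg_match('/[\r\n]/', $requested)) {
        return null; // header injection attempt, refuse to send
    }
    return in_array($requested, ALLOWED_RECIPIENTS, true) ? $requested : null;
}
function clean_header_value(string $value): string
{
    return str_replace(["\r", "\n"], '', $value);
}

echo hidden_field_unsafe('my_email', $email), "\n"; // broken attribute
echo hidden_field('my_email', $email), "\n";        // intact, entity-escaped
var_dump(resolve_recipient('orders@example.com'));
var_dump(resolve_recipient("someone@example.net\r\nBcc: x@example.org"));
```

The escaped value round-trips: the browser decodes the entities before submitting the form, so the mail script still receives 'Bob Smith' <bob@nospam.com> unchanged.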