Re: Retrieving special characters

Posted by Larry on 03/30/06 01:26

In article <6padnTLKopYz-LfZRVn-gw@comcast.com>, Jerry Stuckle <jstucklex@attglobal.net> wrote:
>Larry wrote:
>> OK, I've been searching around the net for numerous hours and seem to just be
>> getting more confused about handling special characters.
>>
>> In my host's configuration MagicQuotes is ON. (I understand this is considered
>> a bad thing by many)
>>
>> A user submitted an email in the form 'Bob Smith' <bob@nospam.com>
>> Now when I look in the MySql database (via PhpMyAdmin) it's exactly that, but
>> when I try to retrieve it with a standard query, it echoes or prints as Bob
>> Smith. I have the same problem with a store name containing a single
>> apostrophe. Obviously the single quote is stopping it, but how do I get past
>> that?
>>
>> Many thanks,
>> Larry L
>
>Larry,
>
>Single quotes are also used as a delimiter in SQL. But are you sure that's your
>problem? If you had mismatched quotes, I would expect you to get an error when
>you try to insert it into the database.
>
>Chances are the problem is in the display of the data. First of all, do you see
>it if you look at the page source in your browser? If the data is there, it's
>only a matter of handling the special characters - check out htmlentities().
>
>If the data is not there, you need to look at your code to see what happened.
>
>And BTW - your method is *very* insecure. It will easily turn your site into a
>spammer's paradise. All one has to do is submit a form with another email
>address in the hidden field. Rather, save the primary key in the hidden field
>and retrieve the email address from the database when you send the email.
>

Thanks for the good advice, it didn't dawn on me until yesterday that I
could look at the source of the displayed page to see if the data was actually
there.

I think the mismatched quotes problem was handled by magicquotes being turned
on, as the single quote makes it into the MySQL database ok.

I do understand a little about how bad formmail scripts can be. It's not as bad
as it seems, however. Mine will not send an email to a supplied address, it
uses a code that the form supplies in a hidden field to determine which of 4
emails it will send to. That seems to me to be fairly safe, no?

Larry L
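
The two points discussed in this thread, as an added example that is not part of the original posts: escaping the stored value at output time so the browser does not parse `<bob@nospam.com>` as a tag, and resolving a hidden-field code against a list kept on the server. It uses htmlspecialchars(), the narrower relative of the htmlentities() mentioned above; the recipient codes, addresses and function names are assumptions made for illustration.

```php
<?php
// Constructed sample: the value from the thread, as it comes back from MySQL.
$stored = "'Bob Smith' <bob@nospam.com>";

// Escape for an HTML context at output time. ENT_QUOTES also encodes the
// single quotes, so the result is safe inside a quoted attribute as well.
function html_out($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical allowlist: the hidden field carries only a short code and the
// real addresses never leave the server.
const RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
    'billing' => 'billing@example.com',
    'web'     => 'webmaster@example.com',
];

// Returns the address for a known code, or null for anything else,
// including arrays (field[]=x) and full addresses typed into the field.
function recipient_for($code)
{
    if (!is_string($code) || !array_key_exists($code, RECIPIENTS)) {
        return null;
    }
    return RECIPIENTS[$code];
}

// Unescaped, the angle-bracket part is treated as an unknown HTML tag and
// disappears from the rendered page while remaining visible in the source.
echo "raw:     ", $stored, "\n";
echo "escaped: ", html_out($stored), "\n";

// Constructed form inputs: a valid code, a tampered value, a malformed one.
foreach (['sales', 'someone@example.net', ['x']] as $submitted) {
    $to = recipient_for($submitted);
    $label = is_string($submitted) ? $submitted : gettype($submitted);
    echo html_out($label), ' => ', $to === null ? 'rejected' : $to, "\n";
}
```

With this shape a tampered hidden field can only select among the addresses already on the list; it cannot introduce a new recipient.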

 
