Posted by Jerry Stuckle on 03/30/06 02:16
Larry wrote:
> In article <6padnTLKopYz-LfZRVn-gw@comcast.com>, Jerry Stuckle <jstucklex@attglobal.net> wrote:
>
>>Larry wrote:
>>
>>>OK, I've been searching around the net for numerous hours and seem to just be
>>>getting more confused about handling special characters.
>>>
>>>In my host's configuration MagicQuotes is ON. (I understand this is considered
>>>a bad thing by many)
>>>
>>>A user submitted an email in the form 'Bob Smith' <bob@nospam.com>
>>>Now when I look in the MySql database (via PhpMyAdmin) it's exactly that, but
>>>when I try to retrieve it with a standard query, it echoes or prints as Bob
>>>Smith. I have the same problem with a store name containing a single
>>>apostrophe. Obviously the single quote is stopping it, but how do I get past
>>>that?
>>>
>>>Many thanks,
>>>Larry L
>>
>>Larry,
>>
>>Single quotes are also used as a delimiter in SQL. But are you sure that's your
>>problem? If you had mismatched quotes, I would expect you to get an error when
>>you try to insert it into the database.
>>
>>Chances are the problem is in the display of the data. First of all, do you see
>>it if you look at the page source in your browser? If the data is there, it's
>>only a matter of handling the special characters - check out htmlentities().
>>
>>If the data is not there, you need to look at your code to see what happened.
>>
>>And BTW - your method is *very* insecure. It will easily turn your site into a
>>spammers' paradise. All one has to do is submit a form with another email
>>address in the hidden field. Rather, save the primary key in the hidden field
>>and retrieve the email address from the database when you send the email.
>
> Thanks for the good advice, it didn't dawn on me until yesterday that I
> could look at the source of the displayed page to see if the data was actually
> there.
>
> I think the mismatched quotes problem was handled by magicquotes being turned
> on, as the single quote makes it into the MySQL database ok.
>
> I do understand a little about how bad formmail scripts can be. It's not as bad
> as it seems, however. Mine will not send an email to a supplied address; it
> uses a code that the form supplies in a hidden field to determine which of 4
> emails it will send to. That seems to me to be fairly safe, no?
>
> Larry L
Larry,
Yes, that should be quite safe.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
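The two points settled in this exchange, as an added example in PHP (not code from the thread or from either poster): the hidden form field carries only a short department code that is looked up in a server-side allowlist, so a submitted address is never used as a recipient, and stored text containing quotes or angle brackets is passed through htmlentities() before it is echoed. The department codes and addresses are placeholders of my own, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not the thread's own code. Department codes and addresses
// below are constructed placeholders.

// Server-side allowlist: hidden-field code => recipient. This is the whole
// point of the design Larry describes: the form never names an address.
const RECIPIENTS = [
    'sales'     => 'sales@example.com',
    'support'   => 'support@example.com',
    'billing'   => 'billing@example.com',
    'webmaster' => 'webmaster@example.com',
];

/**
 * Resolve the hidden-field code to a recipient address.
 * Anything not in the allowlist yields null, so a form that has been edited
 * to carry some other value cannot steer mail anywhere.
 */
function resolveRecipient(array $post): ?string
{
    $code = $post['dept'] ?? '';
    if (!is_string($code) || !array_key_exists($code, RECIPIENTS)) {
        return null;
    }
    return RECIPIENTS[$code];
}

/**
 * Undo magic_quotes_gpc escaping when the host has it switched on
 * (pre-5.4 PHP only; on current PHP the function no longer exists and this
 * returns the value unchanged). Escaping for the database should then be
 * done at the query, e.g. with a prepared statement, rather than by relying
 * on magic quotes having added backslashes.
 */
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/**
 * Make a stored value safe to echo into an HTML page. ENT_QUOTES encodes
 * single quotes as well as double quotes, and < > become entities, so
 * 'Bob Smith' <bob@nospam.com> is shown literally instead of the browser
 * treating <bob@nospam.com> as a tag and dropping it.
 */
function displayField(string $stored): string
{
    return htmlentities($stored, ENT_QUOTES, 'UTF-8');
}

// --- Constructed sample submissions standing in for $_POST ---
$submissions = [
    'valid code'   => ['dept' => 'support', 'msg' => "O'Reilly's store"],
    'unknown code' => ['dept' => 'somebody@else.example', 'msg' => 'hello'],
];

foreach ($submissions as $label => $post) {
    $to = resolveRecipient($post);
    if ($to === null) {
        echo "$label: rejected, code not in allowlist\n";
        continue;
    }
    // mail($to, 'Web form', rawInput($post['msg'])); would go here.
    echo "$label: would send to $to\n";
}

// Value as it sits in the database after the insert described in the thread.
$stored = "'Bob Smith' <bob@nospam.com>";
echo "raw:     ", $stored, "\n";
echo "encoded: ", displayField($stored), "\n";
```

Viewing the page source in the browser, as suggested above, shows whether the raw value reached the page at all; if it did and only the display is wrong, routing every echoed field through displayField() is the fix. The mail() call is left as a comment so the script can be run without sending anything.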