[thelist] PHP_SELF / Contact Form

DAVOUD TOHIDY dtohidy at hotmail.com
Thu Aug 5 09:15:34 CDT 2010

> From: moseley at hank.org
> Date: Wed, 4 Aug 2010 13:27:45 -0700
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] PHP_SELF / Contact Form

> Yes, stop digging yourself into a hole. ;)
> If you followed the advice weeks earlier then you would just:
> 1) never escape the data on input.
> 2) use the correct escape method when using that data.
> (Meaning using bind parameters when writing to the database, and html
> escaping when rendering to, eh, html)
> And 3) I'd probably just use <pre> (or maybe white-space:pre) to render the
> text as the user entered it if that's important.  Or render it again in the
> text area, which is what you probably want in this case.
> Simple approaches are best.
> I'd also search for a PHP template engine to avoid mixing markup and php
> code. (But, maybe with PHP markup does belong on the code??)
> -- 
> Bill Moseley
> moseley at hank.org
> -- 

I appreciate the suggestions Bill. 

I did however finally solved the problem so for now I have:

if (get_magic_quotes_gpc())
  $message = stripslashes($message);
$message = mysql_real_escape_string(htmlentities(strip_tags(trim($_POST['message']))));

$message = str_replace( array('\r\n', '\r', '\n'), chr(13), $message );

The trick is that I needed to use the str_replace with the single quote array like: array('\r\n', '\r', '\n')  and char(13) AFTER mysql_real_escape_string as shown above.

I hope that will help someone to save some hours.

This solved it and I am now tackling the next issue :). Stay tuned for the new questions!


More information about the thelist mailing list