[thelist] PHP_SELF / Contact Form
DAVOUD TOHIDY
dtohidy at hotmail.com
Thu Aug 5 09:15:34 CDT 2010
> From: moseley at hank.org
> Date: Wed, 4 Aug 2010 13:27:45 -0700
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] PHP_SELF / Contact Form
> Yes, stop digging yourself into a hole. ;)
>
> If you followed the advice weeks earlier then you would just:
>
> 1) never escape the data on input.
> 2) use the correct escape method when using that data.
> (Meaning using bind parameters when writing to the database, and html
> escaping when rendering to, eh, html)
>
> And 3) I'd probably just use <pre> (or maybe white-space:pre) to render the
> text as the user entered it if that's important. Or render it again in the
> text area, which is what you probably want in this case.
>
>
> Simple approaches are best.
>
> I'd also search for a PHP template engine to avoid mixing markup and php
> code. (But, maybe with PHP markup does belong on the code??)
>
>
> --
> Bill Moseley
> moseley at hank.org
> --
I appreciate the suggestions, Bill.
I did, however, finally solve the problem, so for now I have:
// Start from the raw POST value; trim it first so every later step
// works on the same string.
$message = trim($_POST['message']);
if (get_magic_quotes_gpc())
{
    // Undo the slashes PHP added on input before any other escaping.
    $message = stripslashes($message);
}
$message = mysql_real_escape_string(htmlentities(strip_tags($message)));
// Replace the escaped line-break sequences (single-quoted, so these are the
// literal two-character strings left by mysql_real_escape_string) with CR.
$message = str_replace( array('\r\n', '\r', '\n'), chr(13), $message );
The trick is that I needed to use str_replace with the single-quoted array, like array('\r\n', '\r', '\n'), and chr(13) AFTER mysql_real_escape_string, as shown above.
I hope that will help someone to save some hours.
This solved it and I am now tackling the next issue :). Stay tuned for the new questions!
Cheers
davoud
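As an added illustration of the approach Bill describes in the quoted reply (store the raw text with a bound parameter, escape only when rendering, use textarea or pre to keep line breaks), here is a small PHP script. It is not code from either poster; it uses PDO with an in-memory SQLite table so it runs offline, and the table name, column name and sample message are assumptions made for the example.

```php
<?php
// Added example (not from the thread): "bind on input, escape on output"
// using PDO with an in-memory SQLite table so it runs offline.
// Table and column names are assumed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contact (id INTEGER PRIMARY KEY, message TEXT)');

// Constructed sample input: what a user might type into the textarea,
// including quotes, a backslash, a tag and Windows line breaks, i.e. the
// characters that go wrong when data is escaped on the way in.
$raw = "Hi there,\r\nIt's a \"test\" \\ with <script>alert(1)</script>\r\nBye";

// Compatibility shim: on old PHP with magic_quotes_gpc on, the input
// already carries slashes; undo that, and nothing else, before storing.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $raw = stripslashes($raw);
}

// 1) Store the text exactly as entered. The bound parameter lets the
//    database driver handle quoting; no mysql_real_escape_string() needed.
$insert = $pdo->prepare('INSERT INTO contact (message) VALUES (:msg)');
$insert->execute(array(':msg' => $raw));

// 2) Read it back: nothing was altered on the way in, so the stored value
//    is byte-for-byte what the user typed.
$stored = $pdo->query('SELECT message FROM contact')->fetchColumn();
assert($stored === $raw);

// 3) Escape for the context it is rendered in, and only now.
//    Inside <textarea> and <pre> the browser preserves the line breaks, so
//    the user sees exactly what they typed; htmlspecialchars() turns the
//    <script> tag into visible text instead of markup.
$escaped = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
echo "<textarea name=\"message\">" . $escaped . "</textarea>\n";
echo "<pre>" . $escaped . "</pre>\n";

// For a normal paragraph, convert newlines to <br> after escaping, never
// before, so the conversion cannot reintroduce raw markup.
echo "<p>" . nl2br($escaped) . "</p>\n";
```

Run it with the PHP CLI; the assert confirms the round trip through the database is lossless, and the printed markup shows the same text rendered safely in three contexts without any str_replace on escaped line-break sequences.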