
Stuck with html entity issue


zimmo


A client has asked us to not allow certain characters to be parsed through the email form we have.

 

Can someone please help as this is beyond me.

 

For example, the form allows someone to enter the following (this is what they do not want):

 

Name: <&lt>&gt"&quot& &amp''

Company_Name: <&lt>&gt"&quot& &amp''

Telephone: <&lt>&gt"&quot& &amp''

Email: <&lt>&gt"&quot& &amp''

Web_Site_Comments: <&lt>&gt"&quot& &amp''

 

As you can see, the characters <, &lt, &gt etc. are being allowed via the form.

 

They basically are telling me that we need to NOT allow this.

 

Here is the code for my email form:

 

<?php
//# Include the connections script to make a database connection.
include("inc/connect.inc");

$parts = parse_url(strip_tags(rawurldecode('http://' .
    $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'])));

//# The form should post to itself.
// clean out any malicious data
foreach ($parts as $k => $v) {
    $v = strip_tags(rawurldecode($v));
    if (get_magic_quotes_gpc() == 1) {
        $parts[$k] = $v;
    } else {
        $parts[$k] = addslashes($v);
    }
}

if (isset($_POST['submit'])) {

    require('inc/removexss.php');
    $_POST = array_map('removeXSS', $_POST);
    $valid = 1;

    //# The fields all follow this pattern.
    //# If you do not require an error check for a field then just use the
    //# post field method and not the error check method

    $producta = $_POST['producta'];

    $Name = $_POST['Name'];
    if (empty($Name)) {
        $valid = 0;
        $Name_error = 'Please Enter your Name';
    }

    $Company_Name = $_POST['Company_Name'];
    if (empty($Company_Name)) {
        $valid = 0;
        $Company_Name_error = 'Please Enter your Company Name';
    }

    $Telephone = $_POST['Telephone'];
    if (empty($Telephone)) {
        $valid = 0;
        $Telephone_error = 'Please Enter your Telephone Number';
    }

    $Email = $_POST['Email'];
    $Web_Site_Comments = $_POST['Web_Site_Comments'];

    // End of error checking.

    if ($valid == 1) {
        // In testing, if you get a Bad referer error
        // comment out or remove the next three lines
        if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']) > 7 ||
            !strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']))
            die("Bad referer");

        // Build the message body from every posted field.
        $msg = "Enquiry Form.:\n\n";
        foreach ($_POST as $key => $val) {
            if (is_array($val)) {
                $msg .= "Item: $key\n";
                foreach ($val as $v) {
                    $v = stripslashes($v);
                    $msg .= "$v\n";
                }
            } else {
                $val = stripslashes($val);
                $msg .= "$key: $val\n";
            }
        }
        $recipient = "*****";
        $subject = "Enquiry Form";
        error_reporting(0);
        if (mail($recipient, $subject, $msg)) {
            // Redirect only on success; echoing before header() would
            // trigger a "headers already sent" error.
            header("Location: thanks.php");
            exit;
        } else {
            echo "An error occurred and the message could not be sent.";
        }
    }
}
?>

 

Please, is there a way to STOP these characters going via email?

https://forums.phpfreaks.com/topic/117301-stuck-with-html-entity-issue/

Someone said to try the following:

 

$Web_Site_Comments = strip_tags(htmlentities($_POST['Web_Site_Comments']));

 

But it is still allowing the code through via email. Where am I going wrong?

 

I entered the following in the box:

 

<&lt>&gt"&quot& &amp''

 

And it came via email fine... how can I stop this? This is ASAP please...
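The reason the suggested strip_tags(htmlentities(...)) line in the follow-up post changes nothing is that htmlentities() does not remove anything: it turns "<" into "&lt;", and the already-encoded "&lt" and "&amp" stay as they are, so the e-mail still carries the whole string. To meet the client's requirement from the first post, decode any entity or URL encoding first and then either reject the submission or strip the raw characters. The following is an added example written for this thread, not code from the original post or from phpfreaks; it assumes the same field names as the poster's form and uses a hypothetical helper name, validateEnquiry(), with constructed sample input.

```php
<?php
// Added example, not code from the original post. Assumes the poster's
// field names (Name, Company_Name, Telephone, Email, Web_Site_Comments)
// and a hypothetical helper, validateEnquiry().

// Characters the client does not want in the e-mail.
const FORBIDDEN = '/[<>"\'&]/';

// Collapse URL encoding and (repeated) HTML-entity encoding so that
// "%3C", "&lt;" and "&amp;lt;" all become a literal "<" before inspection.
// A bare "&lt" without a semicolon is still caught because it contains "&".
function normaliseField(string $raw): string
{
    $text = rawurldecode($raw);
    for ($pass = 0; $pass < 3; $pass++) {
        $decoded = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded === $text) {
            break;
        }
        $text = $decoded;
    }
    return $text;
}

// Reject policy: true when the field still contains < > " ' or &.
function containsForbiddenChars(string $text): bool
{
    return preg_match(FORBIDDEN, $text) === 1;
}

// Strip policy: remove the characters instead of refusing the submission.
function stripForbiddenChars(string $text): string
{
    return preg_replace(FORBIDDEN, '', $text);
}

// Validate every field; returns [cleaned values, per-field error messages].
function validateEnquiry(array $post, array $fields): array
{
    $clean = [];
    $errors = [];
    foreach ($fields as $name) {
        $value = normaliseField((string) ($post[$name] ?? ''));
        if (containsForbiddenChars($value)) {
            $errors[$name] = "$name may not contain the characters < > \" ' or &";
        }
        $clean[$name] = $value;
    }
    return [$clean, $errors];
}

// Constructed sample input: the exact string from the post in every field.
$fields = ['Name', 'Company_Name', 'Telephone', 'Email', 'Web_Site_Comments'];
$sample = array_fill_keys($fields, '<&lt>&gt"&quot& &amp\'\'');

[$clean, $errors] = validateEnquiry($sample, $fields);

if ($errors) {
    // Reject policy: redisplay the form with these messages and send no mail.
    foreach ($errors as $field => $message) {
        echo "$field: $message\n";
    }
} else {
    // Only clean values ever reach mail().
    $msg = "Enquiry Form.:\n\n";
    foreach ($clean as $key => $val) {
        $msg .= "$key: $val\n";
    }
    // mail($recipient, $subject, $msg);
}

// Strip policy, if the client prefers silently removing the characters:
$stripped = array_map('stripForbiddenChars', $clean);
echo "Name after stripping: '" . $stripped['Name'] . "'\n";
```

Run the check on the server before mail() is called, on the decoded values rather than on what removeXSS() or htmlentities() produce, because both of those leave entities in the text rather than taking the characters out. Rejecting with a clear error is usually what a client means by "not allow"; stripping is the fallback if they would rather the submission still go through.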

 

 

Archived

This topic is now archived and is closed to further replies.
