Jump to content

strip_tags not working properly

elite311

By elite311
in PHP Coding Help

 Share

Recommended Posts

elite311 Member

elite311

Posted
Posted

Hi, I'm having problems with a PHP mail handler and everything seems to be working fine except I get slashes in the message body from the form. If my input is "Please don't delete this" I get "Please don/'t delete this" in the message body, however it is striping the other tags. I'm not sure what is wrong and was hoping for a bit of help to figure this out.

 

Here is the code:

<?php
$owner_email = $_POST["owner_email"];
$headers = 'From:' . $_POST["email"];
$subject = 'Website contact inquiry from ' . $_POST["name"];
$messageBody = "";

$messageBody .= '<p>------------------ Contact Details ------------------' . '</p>' . "\n";		
$messageBody .= '<p>Name: ' . $_POST["name"] . '</p>' . "\n";
$messageBody .= '<p>Email Address: ' . $_POST['email'] . '</p>' . "\n";
$messageBody .= '<p>Phone Number: ' . $_POST['phone'] . '</p>' . "\n";
$messageBody .= '<p>----------------------------------------------------------' . '</p>' . "\n";	
$messageBody .= '<br>' . "\n";
$messageBody .= '<p>' . $_POST['message'] . '</p>' . "\n";

if($_POST["stripHTML"] == 'true'){
	$messageBody = strip_tags($messageBody);
}

try{
	if(!mail($owner_email, $subject, $messageBody, $headers)){
		throw new Exception('mail failed');
	}else{
		echo 'mail sent';
	}
}catch(Exception $e){
	echo $e->getMessage() ."\n";
}
?>

Link to comment
https://forums.phpfreaks.com/topic/252367-strip_tags-not-working-properly/
Share on other sites
premiso Regular Member

premiso

Posted
Posted

It needs to be done server side. You will either need to disable it in the php.ini file, or run stripslashes on $_POST in the code. Since magic_quotes is a runtime variable, I don't think you can change it with ini_set, so stripslashes or php.ini are your only real options.

premiso Regular Member

premiso

Posted
Posted

Thank you very much!! 1 small code addition and everything works great! very good to know for future projects.

 

Just be cautious with the stripslashes as if magic_quotes gets disabled, it will cause slashes to be removed that should not be. You should implement a get_magic_quotes_gpc check first, if that is true, run the stripslashes, if it is false don't run it. Can even be added to a function to make it easier:

 

function myStripSlashes($data) {
    if (get_magic_quotes_gpc()) return stripslashes($data);
    return $data;
}

 

Would be suitable and not break the code incase of a change in the php.ini file later down the line.

elite311 Member

elite311

Posted
  • Author
Posted

Hmmm very interesting, so basically by running it the way I am right now the code could work on the first run of the mail handler but not work on subsequent form submissions? if I'm reading what your saying correctly.

 

I'm not familiar with this magic quotes stuff at all as I'm still pretty new to the world of PHP, perhaps some reading is in order.

 

Could you show me the correct way to implement a check on magic quotes into my code?

premiso Regular Member

premiso

Posted
Posted

The modified code:

 

if($_POST["stripHTML"] == 'true'){
	$messageBody = strip_tags($messageBody);
	$messageBody = myStripSlashes($messageBody);
}

function myStripSlashes($data) {
    if (get_magic_quotes_gpc()) return stripslashes($data);
    return $data;
}

 

As far as subsequent form submissions, no that is not what I am saying at all. What I am saying is that if someone upgrades your server to PHP 5.2 > magic_quotes is turned off by default. And as such your stripslashes, still stripslashes (unless you add the check in like my function does) on the data. So say you had something like: 

 

The message is bob / sally are the culprits

 

With magic quotes on that turns into:

 

The message is bob // sally are the culprits

as it escapes any characters that could break the database / cause injection (but it is better to use the database's escaping function which is why magic_quotes is depreciated).

 

Now say in a year, the server gets upgraded and magic_quotes is no longer an available option (since it is depreciated) your code now takes the original message (with the single slash) and removes the slashes which becomes:

 

The message is bob sally are the culprits

 

Which is not a desired effect. So adding in the check to see if magic_quotes are on, and only striping slashes from the data if it is on, will avoid this potential issue later down the line. This has nothing to do with the send mail or subsequent requests. It is strictly a PHP issue. Read up on magic_quotes and stripslashes to get a better understanding what each does. That is why there is a manual, so you can read and understand, not just randomly guess what is going on.

elite311 Member

elite311

Posted
  • Author
Posted

Thank you very much for the run down on this, as you suggested I have been reading the manual online as we have been going through this thread to get a better idea of what is going on.

 

This has been a huge help and very informative I really appreciate your time.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.