How to properly handle apostrophes & \r\n in mail function?

[irfandayan]

I have mail function which gets mail message from a textarea. But whenever there is apostrophes and new line it show it like below.

 

Example Output: Comments: You\\'re mailing address was wrong. Couldn\\'t you provide an other? Survey Answers: item : You\\'re making it well. Isn\\'t it?\nitem2 : It\\'d better to have a cup of tea?\n

 

1) There are three slashes added along with apostrophes. Is it likely something to do with magic escaping? is the stripslashes function the better option to remove it?

 

2) New line converted to \r\n. The issue is the \r\n might be a windows artifact. On a Linux server it might be \n only. Is it would be enough to use str_replace('\r\n', "\n", $message); ? Then str_replace("\n", "

", $message); ?

 

[lordshoa]

You could do both  str_replace or stripslashes

$message = str_replace("\\'", "'", $message);  
$message = str_replace('\r\n', "
", $message);
$message = str_replace('\r', "
", $message);

[DavidAM]

We may need to see some code.

 

If "magic quotes" is on, you will get a single back-slash before certain special characters. The preferred solution to this is to turn magic quotes off. If you can't turn it off, you need to call stripslashes.

function cleanupPost($paInput) {
  if ( (function_exists('get_magic_quotes_gpc')) and (get_magic_quotes_gpc()) ) 
    return stripslashes($paInput);
  else 
    return $paInput;
}

$msgBody = cleanupPost($_POST['message']);

You need to test for the existence of the function, because I hear magic quotes will go away completely in the next major release of PHP, and without that test, the code would break when the function no longer exists.

 

If you are seeing multiple back-slashes in the input, it may be because The form was POSTed and your script decided the data was incomplete, so you sent the form again, with the data from the POST. If magic quotes is on, each POST will add the back-slashes, and if you don't stripslashes before sending it back, they will just keep getting added. Or it could be from other processing in your script.

 

If you are using addslashes or mysql_real_escape_string, or any other escaping function to process the mail message, STOP. You do not need to escape the data for a PLAIN-TEXT mail message, and you would use htmlspecialchars for an HTML mail message.

 

If you show the code where you are processing your textarea, we may be able to provide more insight. Right now, we are all just guessing.

 

 

@lordshoa: Just FYI -- I am not recommending str_replace as a solution here, there may be other things escaped besides the single-quote. However, if it is needed for the \r\n issue, you can do that in a single call using an array: $message = str_replace(array('\r\n', '\r', '\n'), "\n", message);

 

Note the order (inside the array) and the quoting (single vs double) is important in that particular piece of code.

[sqlnoob]

I had the same problem with the filter. Whenever users wanted to post a message with an apostrophe in it, it would just go blank.

 

Here is how I solved it.

 

$filtermessage = $_POST["messagetext"];

$rawmessage = str_replace("'","\'",$filtermessage);

filter_var($rawmessage, FILTER_SANITIZE_STRING);

[irfandayan]

Hi  DavidAM,

 

Thanks for such a great help. I really appreciate your explanation.

 

1) I have one other question, my magic quotes always return FALSE on PHP Version 5.3.1 but my $_POST always get a single back-slash before certain special characters. why this happening? How can i detect that my $_POST getting slashes other than magic quotes? And when i escape my $_POST values individually it again gets second slashes. Can you please help this regards for best solution?

 

2) how can i strip all slashes at once. Suppose i have too many slashes in  string and i want to strip all at once. The function stripslashes remove only two slashes and some case i have to call stripslashes multiple times like $message = stripslashes(stripslashes($message));?

 

Thanks in advance for such a great support.

[DavidAM]

There are two magic quotes settings:

 

magic quotes gpc - Affects $_GET, $_POST, and $_COOKIE as well as $_FILES

magic quotes runtime - Affects File and Database reads

 

When you say "my magic quotes always return FALSE" which one are you looking at? and how did you look?

 

I don't know any other way that the backslashes would get in there unless you have a function somewhere that is escaping the data.

 

If this script is running in some third-party environment, i.e. Wordpress, etc, there may be something going on there.

 

First, check phpinfo to see what value you are running with

Then check any .htaccess files that may be involved for any php directives that might be including files or changing settings

Then, create a simple php script to test:

<?php
if (isset($_POST)) {
  printf('<PRE>%s</PRE>', htmlspecialchars(print_r($_POST, true)));
}
$txtLine = (isset($_POST['txtLine']) ? $_POST['txtLine'] : '');
$txtArea =(isset($_POST['txtArea']) ? $_POST['txtArea'] : ''); 
?>
<HTML>
<HEAD><TITLE>Test POST</TITLE></HEAD>
<BODY>
  <FORM action="" method="POST">
    <INPUT name="txtLine" value="<?php echo $txtLine;?>"><BR>
    <TEXTAREA name="txtArea"><?php echo htmlspecialchars($txtArea);?></TEXTAREA><BR>
    <INPUT type="submit" name="submit" value="Submit">
  </FORM>
</BODY>
</HTML>

 

Navigate to this new test page and type something in both text fields. Be sure to include a single-quote and a backslash in one or both of them. Also, hit enter once or twice in the textarea. Then submit the form. You should see the results in the browser. Are there backslashes shown there? Are there backslashes in the fields themselves after you POST?

 

If this simple script produces the correct output (i.e. no backslashes that you did not type yourself), then there is something in your problem script that is escaping the data. You will need to check the script for any processing of the $_POST array. You will need to check any functions that process that array. You will need to check every file that is included by your script to see if any of them are affecting $_POST. You also need to check any auto-prepend-file that is listed in the phpinfo() results.

 

My next step would be to add that printf statement from the code above, early in my script, perhaps followed by a die call. And keep moving the statement up or down in the script until I find out where the backslashes are being inserted. Most likely, if magic-quotes-gpc is indeed off, you will find a call to addslashes, addcslashes, mysql_real_escape_string, or one of the other database escaping functions somewhere in the script or an include file.

 

 

2) While I do not recommend this, to remove all of the back-slashes from a string, regardless of the number of them, you need to use a regular expression. I'm not very good with RegExp when back-slashes are involved, but I think it would be $msg = preg_replace('~\\+~', '', $msg);.

 

Warning: If you use this method instead of finding and fixing the cause of the problem, you will be discarding user supplied data. If the user typed a back-slash in the message, you will be deleting it with the above statement.

[irfandayan]

I was looking for magic quotes via get_magic_quotes_gpc() function.

 

Yes, your guess is right, i am running a plugin on WordPress.

 

I run your script and it doesn't add any back slashes and i looked into my php.ini file  and found magic_quotes_gpc = Off ; magic_quotes_runtime = Off; your script produces correct output.

 

Now it is clear that my magic quotes are off but i think there seems something involve with WordPress which escapes my $_POST within my plugin script.

 

I have the similar problem like:

http://stackoverflow.com/questions/8949768/with-magic-quotes-disabled-why-does-php-wordpress-continue-to-auto-escape-my

 

 

 

 

 

 

Thanks

 

 

 

 

[darkfreaks]

http://codex.wordpress.org/Function_Reference/esc_attr

 

 

i think this is your best option it will encode the quotes and return them as html entities

[DavidAM]

@darkfreaks - the OP is not trying to display the characters, he is trying to get rid of them.

 

@irfandayan - did you try the solution offered in that question you linked ?

$_POST      = array_map('stripslashes_deep', $_POST);

 

Since other processes are involved, changing the super global may not be the best answer. Check the WP API documentation. Is there a WP function for retrieving the GET, POST, etc data? If they are messing with it by adding slashes, then they should be providing a way to get it without the slashes.

 

You have not posted your code, so I can't offer a definitive solution. But you could just run stripslashes() on the data when you retrieve it

$message = stripslashes($_POST['message']);

// or better yet

$myPOST = stripslashes_deep($_POST);
// then ...
$message = $myPOST['message'];

 

If you are getting the doubled-up backslashes in the data the first time you retrieve it, then there may be another plug-in that is messing it up. You could disable your plug-in's one by one until the problem goes away. Then look for updates for the one that was causing the problem.

 

The fact is, any "solution" you come up with that will make your script work, could either cause problems for other scripts/plugins in WP or stop working when WP or other plugins are updated or you remove a plugin (which happens to be the one screwing up the data).

 

 

[irfandayan]

@DavidAM - The only solution to my problem seems to stripslashes and it almost works for me. I have managed it to work for me. Really appreciate your great concern on my issue. Thanks