On Fri, Feb 29, 2008 at 2:18 PM, VanBuskirk, Patricia <pvanbuskirk@xxxxxxxxxxx> wrote:
> Someone from this list (sorry I cannot remember the name), a while back, gave me the following function to use to get rid of unwanted characters coming in on forms:
>
> function convert_smart_quotes($string)
> {
>     $search = array(chr(145),
>                     chr(146),
>                     chr(147),
>                     chr(148),
>                     chr(151),
>                     "#",
>                     ";",
>                     "[",
>                     "]",
>                     "{", // Note the missing "}" closing curly bracket here
>                     "<",
>                     ">",
>                     "=",
>                     "URL=http://");

    Above, there are only 14 search terms, but below, there are 15 replace terms.  Below the line I commented, add:

        "}",

>     $replace = array("'",
>                      "'",
>                      '"',
>                      '"',
>                      "-",
>                      "number",
>                      ",",
>                      "",
>                      "",
>                      "",
>                      "",
>                      "",
>                      "",
>                      "equals",
>                      "");
>     return str_replace($search, $replace, $string);
> }

[snip!]

> 2. "New " VM Tree Greeting 1- Need NEW DN for this!!! (Please coordinate with Suzanne for recordings).

    See the parentheses above?  I'll bet dollars to donuts that's your killswitch.  See my updated arrays at the end of this email.

[snip!]

> Also, we are getting back for example "I\'m hoping..."  Somehow the slashes are coming through in the field and in the emails.  I am not even sure what is putting them in, as I don't see that in the replace function.

    There's either an addslashes() function somewhere or a missing stripslashes().  Prior to inserting the data into the database, you should sanitize it using mysql_real_escape_string().  So, for example, if your SQL query looks like this:

        $body = convert_smart_quotes($string);
        $sql = "INSERT INTO email(body) VALUES('$body')";

    It should be changed to:

        // Strip the stray backslashes first, then escape for the string literal.
        $body = mysql_real_escape_string(stripslashes(convert_smart_quotes($string)));
        $sql = "INSERT INTO email(body) VALUES('$body')";

    And if that's not fixing the error for emails being sent, then find where the mail() function resides and replace the message body variable with something similar to:

        $message = stripslashes($message);

    Finally, the new arrays (rewritten function) I promised.

function convert_smart_quotes($string)
{
    // Each $search entry pairs with the $replace entry at the same index
    // (18 in each array). "URL=http://" comes before "=" because
    // str_replace() applies the pairs in order.
    $search = array(chr(145), chr(146), chr(147), chr(148), chr(151),
                    "#", ";", "[", "]", "{", "}", "(", ")", "!", "<", ">",
                    "URL=http://", "=");
    $replace = array("'", "'", '"', '"', "-",
                     "number", ",", "", "", "", "", "", "", ".", "", "",
                     "", "equals");
    return str_replace($search, $replace, $string);
}

-- 
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>
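
Added example (not part of the original email, and not the poster's code): the same character rules written as a single search => replace map, followed by an insert through a bound parameter. It assumes single-byte Windows-1252 input (in UTF-8 the byte values 145-151 also occur inside multi-byte characters) and that the pdo_sqlite extension is available; the function name, sample string and in-memory table are constructed for illustration.

```php
<?php
// One map instead of two parallel arrays: each rule sits on one line,
// so the search and replace lists cannot drift out of step.
function convert_smart_quotes_map(string $s): string
{
    static $map = [
        "\x91" => "'", "\x92" => "'",   // chr(145), chr(146)
        "\x93" => '"', "\x94" => '"',   // chr(147), chr(148)
        "\x97" => "-",                  // chr(151)
        "URL=http://" => "",
        "#" => "number", ";" => ",", "!" => ".", "=" => "equals",
        "[" => "", "]" => "", "{" => "", "}" => "",
        "(" => "", ")" => "", "<" => "", ">" => "",
    ];
    // strtr() tries the longest key first and never rescans its own output,
    // so "URL=http://" is removed before the bare "=" rule can touch it.
    return strtr($s, $map);
}

// Constructed sample input: a Windows-1252 smart apostrophe plus the
// characters discussed in the thread.
$input = "I\x92m hoping (see URL=http://example.test) a = b!";
$clean = convert_smart_quotes_map($input);
if ($clean !== "I'm hoping see example.test a equals b.") {
    throw new RuntimeException("unexpected result: $clean");
}

// Bound parameter: the driver does the quoting, so the apostrophe needs
// neither addslashes() before the insert nor stripslashes() after it.
$db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is installed
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE email (body TEXT)');
$stmt = $db->prepare('INSERT INTO email (body) VALUES (?)');
$stmt->execute([$clean]);

$stored = $db->query('SELECT body FROM email')->fetchColumn();
if ($stored !== $clean) {
    throw new RuntimeException('stored value differs from input');
}
echo $stored, PHP_EOL;
```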