Stripslashes() not working in email
Right now I'm trying to make an email notification whenever somebody submits a comment going into a database. I'm using mysql_real_escape_string() to protect against injections and I'm trying to strip the slashes off the name, email, and comment when they are sent in the email notification. The database entry code is commented out, as I don't want there to be an entry made every time I test the email system.
The email is sent just fine, however stripslashes() is not working properly. For example, if the message is "Can't wait!" the email will have "Comment: Can\'t wait!". This is strange to me because when I have the comments displayed on the page, stripslashes works fine.
Is this because I'm not applying stripslashes() to data not coming directly out of the database?
$li = mysql_connect($dbHost, $dbUser, $dbPass) or die("Could not connect");
mysql_select_db($dbDatabase, $li) or die ("could not select DB");
$name = mysql_real_escape_string($HTTP_POST_VARS["name"]);
$email = mysql_real_escape_string($HTTP_POST_VARS["email"]);
$comment = mysql_real_escape_string($HTTP_POST_VARS["comment"]);
$date = Date("Y-m-d h:i:s");
/*
$gb_query = "insert into entries
values(0, '$name', '$email', '$comment', '$date')";
mysql_query($gb_query);
$res = mysql_affected_rows();
// See if insert was successful or not
if($res > 0) {
$ret_str="Your guestbook entry was successfully added!";*/
$name2=stripslashes($name);
$email2=stripslashes($email);
$comment2=stripslashes($comment);
$subject = 'New Guestbook Entry Has been Added!';
$message = "Name: $name2\nEmail: $email2\nComment: $comment2";
$to = "[email protected]";
mail($to, $subject, $message);
//header('Location: guestbook.php?ps=1');
//exit(); // End the request
/*
} else {
$ret_str = "There was a problem with your guestbook entry. Please try again.";
}
// Append success/failure message
$gb_str .= "<span class=\"ret\">$ret_str</span><BR>";*/
mysql_close();
Comments (1)
My guess is that the problem lies within magic_quotes. I would take a look at your php.ini and see if you can turn it off (pending you are not relying on it to prevent SQL Injection). If you cannot access the php.ini to turn it off, PHP provides a method for you to test it and act accordingly (i.e. stripslashes on the data before escaping it with mysql_real_escape_string). It is called get_magic_quotes_gpc.
Alternatively, why are you using mysql_real_escape_string on data that is not being inserted into the database? If you do insert it later on, then move those calls till after the mail call.
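The double escaping the answer suspects, traced step by step as an added example (not code from the question or the answer). Assumptions: addslashes() stands in for both magic_quotes_gpc and mysql_real_escape_string() so the script runs without a database, and raw_request_value(), question_flow() and answer_flow() are hypothetical names.

```php
<?php
// Added illustration, not code from the question or the answer.
// Assumption: addslashes() stands in for magic_quotes_gpc (which applied it
// to request data) and for mysql_real_escape_string() (which needs a live
// connection); for an apostrophe both add the same single backslash.

// Hypothetical helper: return the request value as the visitor typed it.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence function_exists().
function raw_request_value(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);   // undo the automatic layer, once
    }
    return $value;
}

// The question's flow with magic quotes on: two escape layers, one strip.
function question_flow(string $typed): string
{
    $fromPost = addslashes($typed);      // layer 1: magic quotes on the POST data
    $escaped  = addslashes($fromPost);   // layer 2: SQL escaping
    return stripslashes($escaped);       // removes one layer; one remains
}

// The answer's flow: mail the raw value, escape only the copy bound for SQL.
function answer_flow(string $typed): array
{
    $comment = raw_request_value($typed);   // no magic quotes simulated here
    return [
        'mail' => "Comment: $comment",
        'sql'  => addslashes($comment),     // stand-in for the SQL-boundary escape
    ];
}

$typed = "Can't wait!";   // constructed sample input

echo "question flow mails: Comment: ", question_flow($typed), "\n";
$fixed = answer_flow($typed);
echo "answer flow mails:   ", $fixed['mail'], "\n";
echo "answer flow stores:  ", $fixed['sql'], "\n";
```

Run from the command line, the first line still carries a backslash before the apostrophe, while the mailed text in the second flow does not.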