Home/ Questions/Q 6133773
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T17:16:16+00:00

Right now I’m trying to make an email notification whenever somebody submits a comment

  • 0

Right now I’m trying to make an email notification whenever somebody submits a comment going into a database. I’m using mysql_real_escape_string() to protect against injections and I’m trying to strip the slashses off the name, email, and comment when they are sent in the email notification. The database entry code is commented out, as I don’t want there to be an entry made every time I test the email system.

The email is sent just fine, however stripslashes() is not working properly. For example, if the message is “Can’t wait!” the email will have “Comment: Can\’t wait!”. This is strange to me because when I have the comments displayed on the page, stripslashses works fine.

Is this because I’m not applying stripslashes() to data not coming directly out of the database?

$li = mysql_connect($dbHost, $dbUser, $dbPass) or die("Could not connect");
    mysql_select_db($dbDatabase, $li) or die ("could not select DB"); 

    $name = mysql_real_escape_string($HTTP_POST_VARS["name"]);
    $email = mysql_real_escape_string($HTTP_POST_VARS["email"]);
    $comment = mysql_real_escape_string($HTTP_POST_VARS["comment"]);
    $date = Date("Y-m-d h:i:s");
    /*
    $gb_query =     "insert into entries
            values(0, '$name', '$email', '$comment', '$date')";

    mysql_query($gb_query);
    $res = mysql_affected_rows();

    // See if insert was successful or not
    if($res > 0) {

    $ret_str="Your guestbook entry was successfully added!";*/
        $name2=stripslashes($name);
        $email2=stripslashes($email);
        $comment2=stipslashes($comment);
        $subject = 'New Guestbook Entry Has been Added!';
        $message = "Name:  $name2\nEmail:  $email2\nComment:  $comment2";
        $to = "chetg329@yahoo.com";
        mail($to, $subject, $message);
        //header('Location: guestbook.php?ps=1');
    //exit(); // End the request
    /*  
    } else {
        $ret_str = "There was a problem with your guestbook entry. Please try again.";
    }

    // Append success/failure message
    $gb_str .= "<span class=\"ret\">$ret_str</span><BR>";*/
    mysql_close();
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    My guess is that the problem lies within magic_quotes. I would take a look at your php.ini and see if you can turn it off (pending you are not relying on it to prevent SQL Injection). If you cannot access the php.ini to turn it off PHP provides a method for you to test it and act accordingly (IE stripslashes on the data before escaping it with mysql_real_escape_string ) It is called get_magic_quotes_gpc

    Alternatively, why are you using mysql_real_escape_string on data that is not being inserted into the database? If you do insert it later on, then move those calls till after the mail call.

    • 0