strip_tags not working properly

[elite311]

Hi, I'm having problems with a PHP mail handler and everything seems to be working fine except I get slashes in the message body from the form. If my input is "Please don't delete this" I get "Please don/'t delete this" in the message body, however it is striping the other tags. I'm not sure what is wrong and was hoping for a bit of help to figure this out.

 

Here is the code:

<?php
$owner_email = $_POST["owner_email"];
$headers = 'From:' . $_POST["email"];
$subject = 'Website contact inquiry from ' . $_POST["name"];
$messageBody = "";

$messageBody .= '<p>------------------ Contact Details ------------------' . '</p>' . "\n";		
$messageBody .= '<p>Name: ' . $_POST["name"] . '</p>' . "\n";
$messageBody .= '<p>Email Address: ' . $_POST['email'] . '</p>' . "\n";
$messageBody .= '<p>Phone Number: ' . $_POST['phone'] . '</p>' . "\n";
$messageBody .= '<p>----------------------------------------------------------' . '</p>' . "\n";	
$messageBody .= '<br>' . "\n";
$messageBody .= '<p>' . $_POST['message'] . '</p>' . "\n";

if($_POST["stripHTML"] == 'true'){
	$messageBody = strip_tags($messageBody);
}

try{
	if(!mail($owner_email, $subject, $messageBody, $headers)){
		throw new Exception('mail failed');
	}else{
		echo 'mail sent';
	}
}catch(Exception $e){
	echo $e->getMessage() ."\n";
}
?>

[premiso]

Sounds like your server has magic_quotes enabled. This runs addslashes to any item coming from POST/GET, it is depreciated and suggested you turn it off in the php.ini or by using ini_set and that should solve that problem.

[elite311]

Thanks for the quick reply, I'm not familiar with this at all can I write this directly into the mail handler to disable it on the send mail? or is it something that I need to do on the server?

[premiso]

It needs to be done server side. You will either need to disable it in the php.ini file, or run stripslashes on $_POST in the code. Since magic_quotes is a runtime variable, I don't think you can change it with ini_set, so stripslashes or php.ini are your only real options.

[elite311]

Thank you very much!! 1 small code addition and everything works great! very good to know for future projects.

 

	if($_POST["stripHTML"] == 'true'){
	$messageBody = strip_tags($messageBody);
	$messageBody = stripslashes($messageBody);
}

[premiso]

Thank you very much!! 1 small code addition and everything works great! very good to know for future projects.

 

Just be cautious with the stripslashes as if magic_quotes gets disabled, it will cause slashes to be removed that should not be. You should implement a get_magic_quotes_gpc check first, if that is true, run the stripslashes, if it is false don't run it. Can even be added to a function to make it easier:

 

function myStripSlashes($data) {
    if (get_magic_quotes_gpc()) return stripslashes($data);
    return $data;
}

 

Would be suitable and not break the code incase of a change in the php.ini file later down the line.

[elite311]

Hmmm very interesting, so basically by running it the way I am right now the code could work on the first run of the mail handler but not work on subsequent form submissions? if I'm reading what your saying correctly.

 

I'm not familiar with this magic quotes stuff at all as I'm still pretty new to the world of PHP, perhaps some reading is in order.

 

Could you show me the correct way to implement a check on magic quotes into my code?

[premiso]

The modified code:

 

if($_POST["stripHTML"] == 'true'){
	$messageBody = strip_tags($messageBody);
	$messageBody = myStripSlashes($messageBody);
}

function myStripSlashes($data) {
    if (get_magic_quotes_gpc()) return stripslashes($data);
    return $data;
}

 

As far as subsequent form submissions, no that is not what I am saying at all. What I am saying is that if someone upgrades your server to PHP 5.2 > magic_quotes is turned off by default. And as such your stripslashes, still stripslashes (unless you add the check in like my function does) on the data. So say you had something like: 

 

The message is bob / sally are the culprits

 

With magic quotes on that turns into:

 

The message is bob // sally are the culprits

as it escapes any characters that could break the database / cause injection (but it is better to use the database's escaping function which is why magic_quotes is depreciated).

 

Now say in a year, the server gets upgraded and magic_quotes is no longer an available option (since it is depreciated) your code now takes the original message (with the single slash) and removes the slashes which becomes:

 

The message is bob sally are the culprits

 

Which is not a desired effect. So adding in the check to see if magic_quotes are on, and only striping slashes from the data if it is on, will avoid this potential issue later down the line. This has nothing to do with the send mail or subsequent requests. It is strictly a PHP issue. Read up on magic_quotes and stripslashes to get a better understanding what each does. That is why there is a manual, so you can read and understand, not just randomly guess what is going on.

[elite311]

Thank you very much for the run down on this, as you suggested I have been reading the manual online as we have been going through this thread to get a better idea of what is going on.

 

This has been a huge help and very informative I really appreciate your time.