
PHP Server Side Scripting Forum

mysql_real_escape_string and email forms
ridingforlife




msg:4246330
 4:48 am on Dec 27, 2010 (gmt 0)

Hi everyone,

I'm working on an email form, and I'm having a problem with mysql_real_escape_string.

My basic question is, do I need to use mysql_real_escape_string when I'm taking the input text and sending it to my email inbox?

I'm putting the input text through stripslashes and htmlentities. I also have other validation - regular expressions for checking the email addresses, etc.

I am asking because I am getting an error that it can't connect - which I know, because there is no database. However, I have used this code before, with the mysql_real_escape_string, on another website's email form, and had no errors at all - again, there's no database connection information included in that PHP code. Does anyone know why this would happen?

If it's not essential to use mysql_real_escape_string, then I'll just take it out. But I am curious as to why one instance would give me these errors, while the relatively same code for another website would not?

Thanks!

 

Anyango




msg:4246340
 8:24 am on Dec 27, 2010 (gmt 0)

Yep, it's not essential in this case, because you are not saving anything to a database.
Until you are connected to a database, this won't even work. So I think there is zero need to worry about that here.

Matthew1980




msg:4246385
 2:06 pm on Dec 27, 2010 (gmt 0)

>>I am asking because I am getting an error that it can't connect - which I know, because there is no database. However, I have used this code before, with the mysql_real_escape_string, on another website's email form, and had no errors at all

Have a read of this... [uk3.php.net]

Yes, this function assumes a database connection from the last known/in use connection, the function itself takes two parameters, one of which is optional as described in that link.

And as anyango has already pointed out, as there is no DB involved, there is no need to use this function in this context.

For sanitising the data, just preg_match() for validating the email address, and there is always the alternative of this little function that does the preg_match pattern for you:

if (!filter_var($input_address, FILTER_VALIDATE_EMAIL)) {
    // not a valid email address, reject the submission
}

Great little time saver there...

and use strip_tags() to remove any unwanted HTML tags from any data that you're sending in the body of the email. trim() is also good to use, and if you're wanting to be extra cautious you can set up a swear word filter just in case there is any attempt at people putting unwanted content into emails.

Just a few suggestions there, but it's always worth doing things like this, and as it's easy to reuse this coding, just pop them into a function for continued reuse on any project.

Have fun with your project.

Cheers & seasons greetings,
MRb

rainborick




msg:4246414
 4:52 pm on Dec 27, 2010 (gmt 0)

I would suggest that you scan all user data when you will be sending it in an Email to prevent SPAM hijacking of your script. Don't rely on trim() alone. Remove all linefeeds and carriage returns from all of the user data that will be included in the EMail header. Then you can go on to validating the user inputs for proper formatting and length limits. Good luck!
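
The two pieces of advice above (filter_var() plus strip_tags() for validation, and stripping CR/LF from anything that lands in a mail header) fit naturally into one reusable function, so here is an added example that ties them together. It is not code from the thread; the function names, the fixed header set and the constructed $submission are assumptions for illustration, and it needs PHP 7.1+ with the mbstring extension. The point worth seeing in code is that a mail form's injection risk is header injection, not SQL injection: mysql_real_escape_string() escapes for a MySQL string literal and needs a live connection to know the server's character set, which is exactly why it errors without one, and it would do nothing about an embedded "\r\nBcc: ..." anyway.

```php
<?php
// Added example, not from the original thread. Names such as header_safe(),
// build_contact_mail() and the constructed $submission are assumptions.

// Strip CR, LF and NUL so a user value can never terminate a header line and
// append headers of its own (the classic "Bcc:" spam-relay injection).
// Then trim and cap the length. This is the check rainborick describes.
function header_safe(string $value, int $max = 254): string
{
    $value = str_replace(["\r", "\n", "\0"], '', $value);
    return mb_substr(trim($value), 0, $max);
}

// Validate the sender address with filter_var() rather than a hand-written
// regex, as suggested in the thread. Returns false for anything dubious.
function valid_email(string $address): bool
{
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the arguments for mail() from untrusted form input.
// Returns null when the submission should be rejected outright; the caller
// must not "clean it up" and send it anyway.
function build_contact_mail(array $form, string $to): ?array
{
    $from    = header_safe($form['email']   ?? '');
    $subject = header_safe($form['subject'] ?? '', 120);

    // The body is not a header, so CR/LF are allowed there; just drop HTML
    // tags, trim, and enforce a sane length limit.
    $body = trim(strip_tags($form['message'] ?? ''));

    if (!valid_email($from) || $subject === '' || $body === '') {
        return null;
    }
    if (mb_strlen($body) > 5000) {
        return null;
    }

    // Only our own fixed headers go into the header block. User-supplied
    // values were CR/LF-stripped above, so they cannot add lines of their own.
    $headers = "From: "    . $from . "\r\n"
             . "Reply-To: " . $from . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    return [
        'to'      => $to,
        'subject' => $subject,
        'body'    => $body,
        'headers' => $headers,
    ];
}

// Constructed submission: an attempt to inject a Bcc: header via the email
// field, plus some HTML in the message body.
$submission = [
    'email'   => "attacker@example.com\r\nBcc: victim1@example.com, victim2@example.com",
    'subject' => 'Hello',
    'message' => 'Please <script>alert(1)</script> call me',
];

$mail = build_contact_mail($submission, 'owner@example.com');
if ($mail === null) {
    echo "Submission rejected.\n";
} else {
    // Only reached for a clean submission; $mail['headers'] then holds exactly
    // the three fixed header lines above.
    mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
    echo "Mail handed to the MTA.\n";
}
```

With the constructed input, header_safe() collapses the email field to "attacker@example.comBcc: victim1@example.com, victim2@example.com", which filter_var() refuses, so the whole submission is rejected rather than sent with a mangled From: line. A clean submission ("alice@example.com" with a message of "Hi <b>there</b>") gets through with the body reduced to "Hi there" and a header block containing only the From, Reply-To and Content-Type lines the script itself wrote.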

Readie




msg:4246551
 2:38 am on Dec 28, 2010 (gmt 0)

addslashes() should be a suitable alternative to mysql_real_escape_string() in this instance - if you don't want to connect to a database *just* to use this function.

ridingforlife




msg:4246556
 3:15 am on Dec 28, 2010 (gmt 0)

Thanks everyone!

I'm interested by the "!filter_var($input_address, FILTER_VALIDATE_EMAIL);". I will have to check that out.

Matthew1980




msg:4246613
 10:24 am on Dec 28, 2010 (gmt 0)

Much kudos to Readie for that, he found that one a while ago and now I use it as the preg alternative!

Cheers,
MRb


© Webmaster World 1996-2014 all rights reserved