mysql real escape string

Forum Moderators: coopster

Message Too Old, No Replies

mysql real escape string

And email forms

ridingforlife

4:48 am on Dec 27, 2010 (gmt 0)

Hi everyone,

I'm working on an email form, and I'm having a problem with mysql_real_escape_string.

My basic question is, do I need to use mysql_real_escape_string when I'm taking the input text and sending it to my email inbox?

I'm putting the input text through stripslashes and htmlentities. I also have other validation - regular expressions for checking the email addresses, etc.

I am asking because I am getting an error that it can't connect - which I know, because there is no database. However, I have used this code before, with the mysql_real_escape_string, on another website's email form, and had no errors at all - again, there's no database connection information included in that PHP code. Does anyone know why this would happen?

If it's not essential to use mysql_real_escape_string, then I'll just take it out. But I am curious as to why one instance would give me these errors, while the relatively same code for another website would not?

Thanks!

Anyango

8:24 am on Dec 27, 2010 (gmt 0)

Yep it's not essential in this case, cause you are not saving anything to database.
Until you are connected to a database, this wont even work. So i think there is zero need to worry about that here

Matthew1980

2:06 pm on Dec 27, 2010 (gmt 0)

>>I am asking because I am getting an error that it can't connect - which I know, because there is no database. However, I have used this code before, with the mysql_real_escape_string, on another website's email form, and had no errors at all

Have a read of this... [uk3.php.net]

Yes, this function assumes a database connection from the last known/in use connection, the function itself takes two parameters, one of which is optional as described in that link.

And as anyango has already pointed out, as there is no DB involved, there is no need to use this function in this context.

For sanitising the data, just preg_match() for validating the email address, and there is always the alternative of this little function that does the preg_match pattern for you:-

!filter_var($input_address, FILTER_VALIDATE_EMAIL);

Great little time saver there...

and use strip_tags() to remove any unwanted html tags from any data that your sending in the body of the email. trim() is also good to use, and if your wanting to be extra cautious you can set up a swear word filter just in case there is any attempt at people putting unwanted content into emails.

Just a few suggestions there, but it's always worth doing things like this, and as it's easy to reuse this coding, just pop them into a function for continued reuse on any project.

Have fun with your project.

Cheers & seasons greetings,
MRb

rainborick

4:52 pm on Dec 27, 2010 (gmt 0)

I would suggest that you scan all user data when you will be sending it in an Email to prevent SPAM hijacking of your script. Don't rely on trim() alone. Remove all linefeeds and carriage returns from all of the user data that will be included in the EMail header. Then you can go on to validating the user inputs for proper formatting and length limits. Good luck!

Readie

2:38 am on Dec 28, 2010 (gmt 0)

addslashes() should be a suitable alternative to mysql_real_escape_string() in this instance - if you don't want to connect to a database *just* to use this function.

ridingforlife

3:15 am on Dec 28, 2010 (gmt 0)

Thanks everyone!

I'm interested by the "!filter_var($input_address, FILTER_VALIDATE_EMAIL);". I will have to check that out.

Matthew1980

10:24 am on Dec 28, 2010 (gmt 0)

Much kudos to readie for that, he found that one a while a go and now I use it as the preg alternative!

Cheers,
MRb

Matthew1980

10:25 am on Dec 28, 2010 (gmt 0)

Much kudos to readie for that, he found that one a while a go and now I use it as the preg alternative!

Cheers,
MRb