
stripslashes function in PHP? Doesn't seem to work...

Jun 19, 2012 3:00 PM

I've been trying to get the stripslashes() function in a PHP script to work but I'm not having any luck.  It seems like a very straightforward function but I'm still ending up with slashes in my comment/text area data.  Can anyone help?  I have some PHP books but they barely touch on the functionality.  (I'm new to PHP).  Thanks!  (BTW...  I removed the various attempts at calling the stripslashes() function).  The field I'm trying to remove the slashes from is the 'comment' variable.

 

Here is my short php script:

 

<?php // Script 1.0 - contactlist.php

if (isset($_POST['submit']) && !empty($_POST['submit'])) // Test if submit button named submit was clicked and not empty
{
     if (!empty($_POST['first']) && !empty($_POST['last'])  && !empty($_POST['email']) && !empty($_POST['phone']) && !empty($_POST['comment'])) {

          $body = "First Name: {$_POST['first']}\nLast Name: {$_POST['last']}\nEmail Address: {$_POST['email']}\nContact Phone Number: {$_POST['phone']}\nContact Preference: {$_POST['contactvia']}\n\nBest Time To Contact: {$_POST['timepref']}\n\nComments:\n {$_POST['comment']}";

          $body = wordwrap($body, 70);

          mail('someone@somewhere.net', 'NEW Customer Inquiry Submission',$body, "From: {$_POST['email']}");

          header('Location: index.html');  //Redirect to new url if form submitted

     }
}

?>

 
Replies
  • Jun 19, 2012 3:33 PM   in reply to Prodigy9

    Why are you needing to remove the slashes? Is magic quotes enabled? Are you using addslashes() somewhere?  What version of PHP are you running?

     
  • Jun 19, 2012 4:19 PM   in reply to Prodigy9

    You are getting way ahead of yourself Prodigy and maybe I am a bit too.  Bregent, in a previous post I was explaining that nothing in the form was being validated.  Originally the form was being processed by

    if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    He was using forms setup redirects that were not working and a lot of other things going on.  I started to explain the importance of sanitizing data so that nothing malicious comes of the script.  Because there is no database involved, mysqli_real_escape_string won't do the trick so I started to explain the stripslashes/addslashes and about converting to html entities ( http://php.net/manual/en/function.htmlspecialchars.php ).

     

    Prodigy, add/strip slashes is not what you need, it was just an example to make you look at what you are putting into a script.

     

    Since you don't send an HTML email, you don't need to worry about htmlspecialchars.  Take a read through this tutorial about sanitizing data.  This probably would have been a better place to start you off looking back instead of jumping too far ahead.

     

    http://www.w3schools.com/php/php_secure_mail.asp

     
  • Jun 19, 2012 4:31 PM   in reply to Prodigy9

    The reason for slashes is to prevent malicious code from being inserted and slashes make things into comments, likewise with htmlspecialchars converting symbols and the like from & --> &amp; just as a basic example I can think of off the top of my head.  The point I want you to understand is that if you expect something, check for it and don't expect that it will only be as you expect because two people don't always think alike.  If your site is small enough, with low traffic, this might all be overkill for you, but it's good to understand if you ever run into problems and I always err on the side of caution.

     
  • Jun 20, 2012 11:18 AM   in reply to SnakEyez02

    Thanks for the background explanation SnakeEyez,

     

    If he's ending up with slashes in his text posted from a form, and he's not adding them with addslashes() or some other function, then it sounds like magic_quotes is enabled, right?

     

    If so, it should be disabled, right?

     
  • Jun 20, 2012 12:57 PM   in reply to bregent

    Usually bregent.  But there are instances where I have seen characters not be translated properly.  In those cases running htmlspecialchars would do the trick.  However, if sending a plain text, non-html, email as in this example, using HTML characters can get messy and you never really have the opportunity to convert it back to text. So validating the input as in the w3schools example will remove any illegal characters from the strings and prevent injection against simple email scripts.

     
  • Jun 20, 2012 1:37 PM   in reply to Prodigy9

    Both. You always want to validate all user input.

    Next, determine if magic quotes is indeed enabled: http://www.php.net/manual/en/function.get-magic-quotes-gpc.php

     

    You may be able to disable magic quotes yourself: http://www.php.net/manual/en/security.magicquotes.disabling.php

    First

     
  • Jun 20, 2012 5:37 PM   in reply to Prodigy9

    Make a document, call it info.php.  In the document put:

     

    <?php phpinfo(); ?>

     

    Then upload and view the file from your server.  Check to see if magic quotes are enabled, just do a ctrl+f to find it on that document quickly.  Then delete the file, it's not something you want to leave up with paths and other information.

     
  • Jun 20, 2012 5:49 PM   in reply to Prodigy9

    >{$_POST[stripslashes('comment')]}";

     

    Because there are no slashes in the string literal 'comment'. You need to put the stripslashes function around the variable:

     

    {stripslashes ($_POST['comment'])}";

     

    But first follow SnakeEyez's instruction for checking magic quotes. That's probably where the slashes are coming from.

     
  • Jun 21, 2012 9:21 AM   in reply to Prodigy9

    Personally I would check with your host on this one.  This is a feature that was removed from the PHP installation (deprecated as of 5.3 and removed from 5.4) and should be turned off at the server level.

     
  • Jun 21, 2012 2:15 PM   in reply to Prodigy9

    >I still can't seem to get the stripslashes function to work.

     

    Show us what you are trying.

     
  • Jun 23, 2012 6:39 AM   in reply to Prodigy9

    That's it...  I talked to the host support team and they said they use either PHP5.2 or PHP5.3 on their servers and I couldn't upgrade to PHP5.4 (Which automatically disables magic quotes).  Now though when I do a phpinfo() I can see Magic Quotes is definitely turned off.

     

    That's troubling to hear.  Not the PHP 5.4 part, but the fact that the host wants you to disable this on the user level instead of the server level is very disturbing and I would recommend looking for another host because they obviously don't know why it's being disabled.  There has always been talk that PHP 6 would be the one to do away with it, but they deprecated it in PHP 5.3 and disabled it in PHP 5.4 for a reason.  On a server level, not all data needs to be escaped.  Thus the reason it was taken away in favor of SQL functions was to avoid high server resource usage by escaping all data.  Here's a link to the PHP official explanation:

     

    http://www.php.net/manual/en/security.magicquotes.what.php

     

    Personally the hosts I've been with have had this disabled since early on in the PHP 5 release cycles.  The fact that they are up to PHP 5.3 and still have them enabled is troubling.

     

    The stripslashes should have worked in your case, if not as bregent previously mentioned we would need to see the code to evaluate what's going on.

     
  • Jun 24, 2012 7:08 PM   in reply to Prodigy9

    >$comment=stripslashes($_POST[comment]);

     

    I believe that you need to quote the field name: $comment=stripslashes($_POST['comment']);

     

    However, your main problem is that you're not assigning the $comment variable to your $body variable. You instead are assigning the (un-stripped) posted value.

     
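Added example, not part of any post in the thread: one way to apply the advice above on a PHP 5.2/5.3 host, stripping slashes only when magic quotes is on, rejecting anything that is not a single valid address before it reaches the From: header, and building $body from the cleaned values. The helper names clean_field() and build_message() and all sample values are assumptions made for illustration; the contact-preference fields are left out for brevity.

```php
<?php
// Added example; clean_field() and build_message() are hypothetical helpers.

// Undo magic_quotes_gpc only when it is really on (possible before PHP 5.4);
// on other servers a user's own backslashes are left alone.
function clean_field(array $post, $name)
{
    $value = isset($post[$name]) ? trim((string) $post[$name]) : '';
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Returns array($body, $headers), or null when the input must be rejected.
function build_message(array $post)
{
    $f = array();
    foreach (array('first', 'last', 'email', 'phone', 'comment') as $name) {
        $f[$name] = clean_field($post, $name);
        if ($f[$name] === '') {
            return null; // required field missing
        }
    }
    // The address is copied into the From: header, so it must be one valid
    // address with no CR/LF that could start an extra header line.
    if (preg_match('/[\r\n]/', $f['email'])
        || filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Function calls are not expanded inside "{...}" in a string, so the
    // cleaned values are joined with the . operator.
    $body = "First Name: " . $f['first'] . "\nLast Name: " . $f['last']
          . "\nEmail Address: " . $f['email']
          . "\nContact Phone Number: " . $f['phone']
          . "\n\nComments:\n" . $f['comment'];
    return array(wordwrap($body, 70), 'From: ' . $f['email']);
}

// Constructed sample input, shaped as it arrives with magic quotes enabled.
$sample = array('first' => 'Pat', 'last' => "O\\'Neil",
    'email' => 'pat@example.com', 'phone' => '555-0100',
    'comment' => "It\\'s urgent");
$bad = $sample;
$bad['email'] = "pat@example.com\r\nBcc: other@example.com"; // constructed

list($body, $headers) = build_message($sample);
echo $body, "\n", $headers, "\n";
var_dump(build_message($bad)); // input that fails the address check
```

In the form handler, the two returned values would be passed to mail() as the message and additional-headers arguments, and the redirect would run only when build_message() did not return null.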
