View Full Version : Getting \' in emails sent via php

07-04-2007, 10:14 AM
I don't know if this is a problem with my webmail client, or with my contact form. In my contact form I don't use magic quotes or addslashes, however, it's most likely set to use it in my server's php configuration file. When I receive an email, I open it using squirrelmail, and before every ' or ", there's a \.
My contact form basically picks up 3 or 4 POST variables, puts them together in another variable, for example $message, by means of = and .= (period-equals), then uses mail($message, etc) (I know I'm just asking for email header injection).

07-04-2007, 11:56 AM
Without seeing your code...and how you have constructed the headers etc, it is difficult to give any pointers or suggestions.

How about using PHPMailer class available from http://phpmailer.sourceforge.net/


07-04-2007, 02:16 PM
Here's the bulk of it.


if (isset($_POST['send']))
if (empty($_POST['name']) || $_POST['name'] == "Required")
if (empty($_POST['email']) || $_POST['email'] == "Required")
if (empty($_POST['message']) || $_POST['message'] == "You haven\'t written a message for me!")
if ($_POST['message'] && $_POST['message'] != "You haven\'t written a message for me!" && $_POST['email'] && $_POST['email'] != "Required" && $_POST['name'] && $_POST['name'] != "Required")
$subject = "croatiankid.com - ";
$subject .= $_POST['subject'];
$message = "Name: ";
$message .= $_POST['name'];
$message .= "\n";
$message .= "Email: ";
$message .= $_POST['email'];
$message .= "\n";
$message .= "Phone: ";
$message .= $_POST['phone'];
$message .= "\n";
$message .= "Message: ";
$message .= $_POST['message'];
mail('email@example.com', $subject, $message);
<div id="content">
<div id="main" class="single">
<h2>Contact me</h2>
<p>You can contact me using this form. Please provide as much information as possible; name, e-mail and message is required.</p><?php if ($success == 1){echo "<div style=\"background:#bd8d46;text-align:center\">Message sent!</div>"; } ?>
<form action="http://croatiankid.com/contact" method="post">
<div class="form_left"><label for="sub">Subject: </label></div><div class="form_right"><select id="sub" name="subject">
<option <?php if (empty($_GET['subject'])) {echo "selected=\"selected\" ";} ?>value="General">General</option>
<option <?php if ($_GET['subject'] == "web") {echo "selected=\"selected\" ";} ?>value="Web Design">Web Design</option>
<option <?php if ($_GET['subject'] == "graphic") {echo "selected=\"selected\" ";} ?>value="Graphic Design">Graphic Design</option>
<option <?php if ($_GET['subject'] == "wordpress") {echo "selected=\"selected\" ";} ?>value="Wordpress Theme">Wordpress Theme</option>
<option <?php if ($_GET['subject'] == "psd2xhtml") {echo "selected=\"selected\" ";} ?>value="PSD 2 (x)HTML">PSD 2 (x)HTML</option>
<option <?php if ($_GET['subject'] == "translation") {echo "selected=\"selected\" ";} ?>value="Translation">Translation</option>
<div class="form_left"><label for="name">Name: </label></div><div class="form_right"><input type="text" id="name" name="name"<?php
if ($name_error==1)
{echo "value=\"Required\"";}
<div class="form_left"><label for="email">E-mail: </label></div><div class="form_right"><input type="text" id="email" name="email"<?php
if ($email_error==1)
{echo "value=\"Required\"";}
<div class="form_left"><label for="phone">Phone: </label></div><div class="form_right"><input type="text" id="phone" name="phone"></div>
<div><div id="form_mes"><label for="mes">Message: </label></div><div id="form_mes2"><textarea id="mes" cols="30" rows="5" name="message"><?php
if ($message_error==1)
{echo "You haven't written a message for me!";}
<div><input type="submit" name="send" value="Send"></div>

07-04-2007, 02:38 PM
$message = stripslashes($message);

07-04-2007, 02:45 PM
Edit: Basically says the same as above ^^

Before you display data on a web page or in an email, that comes from a form, a file, or a database, you need to unescape any escaped data using the stripslashes() function - http://php.net/stripslashes