Retrieving special characters

OK, I've been searching around the net for numerous hours and seem to just be
getting more confused about handling special characters.

In my host's configuration MagicQuotes is ON. (I understand this is considered
a bad thing by many)

A user submitted an email in the form 'Bob Smith' <bo*@nospam.com>
Now when I look in the MySql database (via PhpMyAdmin) it's exactly that, but
when I try to retrieve it with a standard query, it echoes or prints as Bob
Smith. I have the same problem with a store name containing a single
apostrophe. Obviously the single quote is stopping it, but how do I get past
that?

Many thanks,
Larry L
Mar 29 '06 #1
Message-ID: <ty******************@tornado.socal.rr.com> from Larry
contained the following:
A user submitted an email in the form 'Bob Smith' <bo*@nospam.com>
Now when I look in the MySql database (via PhpMyAdmin) it's exactly that, but
when I try to retrieve it with a standard query, it echoes or prints as Bob
Smith. I have the same problem with a store name containing a single
apostrophe. Obviously the single quote is stopping it, but how do I get past
that?


What code are you using to echo or print it?
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Mar 29 '06 #2
"Larry" <no***@none.com> wrote in message
news:ty******************@tornado.socal.rr.com...
OK, I've been searching around the net for numerous hours and seem to just be
getting more confused about handling special characters.

In my host's configuration MagicQuotes is ON. (I understand this is considered
a bad thing by many)

A user submitted an email in the form 'Bob Smith' <bo*@nospam.com>
Now when I look in the MySql database (via PhpMyAdmin) it's exactly that, but
when I try to retrieve it with a standard query, it echoes or prints as Bob
Smith. I have the same problem with a store name containing a single
apostrophe. Obviously the single quote is stopping it, but how do I get past
that?

In HTML <bo*@nospam.com> will be considered as a tag, a nonsense tag since
it's not really a tag but the <> make html think it is, therefore it's
hidden. To fix it, special chars need to be converted to a format where html
does not consider them as control characters such as tag delimiters. There
is a function that does this conversion called htmlspecialchars.

Try something like:
echo htmlspecialchars("'Bob Smith' <bo*@nospam.com>");

http://php.net/htmlspecialchars

--
"En ole paha ihminen, mutta omenat ovat elinkeinoni." -Perttu Sirviö
sp**@outolempi.net | Gedoon-S @ IRCnet | rot13(xv***@bhgbyrzcv.arg)
Mar 29 '06 #3
In article <Yh**************@reader1.news.jippii.net>, "Kimmo Laine" <sp**@outolempi.net> wrote:
"Larry" <no***@none.com> wrote in message
news:ty******************@tornado.socal.rr.com...
OK, I've been searching around the net for numerous hours and seem to just be
getting more confused about handling special characters.

In my host's configuration MagicQuotes is ON. (I understand this is considered
a bad thing by many)

A user submitted an email in the form 'Bob Smith' <bo*@nospam.com>
Now when I look in the MySql database (via PhpMyAdmin) it's exactly that, but
when I try to retrieve it with a standard query, it echoes or prints as Bob
Smith. I have the same problem with a store name containing a single
apostrophe. Obviously the single quote is stopping it, but how do I get past
that?

In HTML <bo*@nospam.com> will be considered as a tag, a nonsense tag since
it's not really a tag but the <> make html think it is, therefore it's
hidden. To fix it, special chars need to be converted to a format where html
does not consider them as control characters such as tag delimiters. There
is a function that does this conversion called htmlspecialchars.

Try something like:
echo htmlspecialchars("'Bob Smith' <bo*@nospam.com>");

http://php.net/htmlspecialchars


Actually I am placing the value into a hidden form field that's then emailed
via a formmail program.

echo("<input type='hidden' name='my_email' value='$email'>");

I see your point about HTML seeing it as a nonsense tag however, and
understand how the single quote will also mess it up as there are others in
the <input> field and it will see it as an end to something.

I guess I'm back to stripping all the special characters out before they get
put into the database. Hmmmm...

Thanks much for the help,
Larry L
Mar 29 '06 #4
Larry wrote:
OK, I've been searching around the net for numerous hours and seem to just be
getting more confused about handling special characters.

In my host's configuration MagicQuotes is ON. (I understand this is considered
a bad thing by many)

A user submitted an email in the form 'Bob Smith' <bo*@nospam.com>
Now when I look in the MySql database (via PhpMyAdmin) it's exactly that, but
when I try to retrieve it with a standard query, it echoes or prints as Bob
Smith. I have the same problem with a store name containing a single
apostrophe. Obviously the single quote is stopping it, but how do I get past
that?

Many thanks,
Larry L


Larry,

Single quotes are also used as a delimiter in SQL. But are you sure that's your
problem? If you had mismatched quotes, I would expect you to get an error when
you try to insert it into the database.

Chances are the problem is in the display of the data. First of all, do you see
it if you look at the page source in your browser? If the data is there, it's
only a matter of handling the special characters - check out htmlentities().

If the data is not there, you need to look at your code to see what happened.

And BTW - your method is *very* insecure. It will easily turn your site into a
spammer's paradise. All one has to do is submit a form with another email
address in the hidden field. Rather, save the primary key in the hidden field
and retrieve the email address from the database when you send the email.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 29 '06 #5
"Larry" <no***@none.com> wrote in message
news:V0*****************@tornado.socal.rr.com...
In article <Yh**************@reader1.news.jippii.net>, "Kimmo Laine"
<sp**@outolempi.net> wrote:
"Larry" <no***@none.com> wrote in message
news:ty******************@tornado.socal.rr.com...
OK, I've been searching around the net for numerous hours and seem to just be
getting more confused about handling special characters.

In my host's configuration MagicQuotes is ON. (I understand this is considered
a bad thing by many)

A user submitted an email in the form 'Bob Smith' <bo*@nospam.com>
Now when I look in the MySql database (via PhpMyAdmin) it's exactly that, but
when I try to retrieve it with a standard query, it echoes or prints as Bob
Smith. I have the same problem with a store name containing a single
apostrophe. Obviously the single quote is stopping it, but how do I get past
that?

In HTML <bo*@nospam.com> will be considered as a tag, a nonsense tag since
it's not really a tag but the <> make html think it is, therefore it's
hidden. To fix it, special chars need to be converted to a format where html
does not consider them as control characters such as tag delimiters. There
is a function that does this conversion called htmlspecialchars.

Try something like:
echo htmlspecialchars("'Bob Smith' <bo*@nospam.com>");

http://php.net/htmlspecialchars


Actually I am placing the value into a hidden form field that's then emailed
via a formmail program.

echo("<input type='hidden' name='my_email' value='$email'>");

Please please please consider an alternative solution! Form mail scripts
like that are very potential spam relays, especially the Formmail from Matt's
Script Archive is the most classic exploited script. Do yourself and
everyone else a favor and study a bit how such solutions get exploited.
Basically spammers replace the value with another email address and send their
own shit using your script.

http://www.google.com/search?hl=en&q...=Google+Search
http://rickconner.net/spamweb/spam_formmail.html

--
"En ole paha ihminen, mutta omenat ovat elinkeinoni." -Perttu Sirviö
sp**@outolempi.net | Gedoon-S @ IRCnet | rot13(xv***@bhgbyrzcv.arg)
Mar 29 '06 #6
Message-ID: <V0*****************@tornado.socal.rr.com> from Larry
contained the following:
I guess I'm back to stripping all the special characters out before they get
put into the database. Hmmmm...


No, you don't need to do that.
Just use htmlentities($string, ENT_QUOTES)

But I'll echo the other concerns about security...

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Mar 29 '06 #7
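The hidden-field markup from post #4 with the ENT_QUOTES fix from post #7 applied, as an added example that is not code from any poster in the thread. The helper names and the sample address are constructed for illustration, and `parsed_value()` only approximates how a browser reads the attribute.

```php
<?php
declare(strict_types=1);

// Constructed sample: the kind of value described in the thread.
$email = "'Bob Smith' <bob@example.com>";

// Unescaped, as in post #4: the first ' in $email closes value='...'
// and <bob@example.com> is then parsed as markup.
function hidden_input_raw(string $name, string $value): string
{
    return "<input type='hidden' name='$name' value='$value'>";
}

// Escaped for an attribute context. ENT_QUOTES converts both ' and ",
// so the result is safe whichever quote style delimits the attribute.
function hidden_input(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return sprintf(
        "<input type='hidden' name='%s' value='%s'>",
        htmlspecialchars($name, $flags, 'UTF-8'),
        htmlspecialchars($value, $flags, 'UTF-8')
    );
}

// Approximation of what a browser takes as the value attribute:
// everything between value=' and the next single quote, entity-decoded.
function parsed_value(string $html): string
{
    preg_match("/value='([^']*)'/", $html, $m);
    return html_entity_decode($m[1] ?? '', ENT_QUOTES, 'UTF-8');
}

$variants = [
    'raw'     => hidden_input_raw('my_email', $email),
    'escaped' => hidden_input('my_email', $email),
];
foreach ($variants as $label => $html) {
    printf("%-8s %s\n         value seen by browser: [%s]\n",
        $label, $html, parsed_value($html));
}

// ENT_COMPAT (the default before PHP 8.1) leaves ' untouched, which is not
// enough for a single-quoted attribute like the one above.
echo htmlspecialchars($email, ENT_COMPAT, 'UTF-8'), "\n";
```

The raw variant yields an empty value, while the escaped variant round-trips the full string, so nothing needs to be stripped before the data goes into the database.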
In article <6p********************@comcast.com>, Jerry Stuckle <js*******@attglobal.net> wrote:
Larry wrote:
OK, I've been searching around the net for numerous hours and seem to just be
getting more confused about handling special characters.

In my host's configuration MagicQuotes is ON. (I understand this is considered
a bad thing by many)

A user submitted an email in the form 'Bob Smith' <bo*@nospam.com>
Now when I look in the MySql database (via PhpMyAdmin) it's exactly that, but
when I try to retrieve it with a standard query, it echoes or prints as Bob
Smith. I have the same problem with a store name containing a single
apostrophe. Obviously the single quote is stopping it, but how do I get past
that?

Many thanks,
Larry L


Larry,

Single quotes are also used as a delimiter in SQL. But are you sure that's your
problem? If you had mismatched quotes, I would expect you to get an error when
you try to insert it into the database.

Chances are the problem is in the display of the data. First of all, do you see
it if you look at the page source in your browser? If the data is there, it's
only a matter of handling the special characters - check out htmlentities().

If the data is not there, you need to look at your code to see what happened.

And BTW - your method is *very* insecure. It will easily turn your site into a
spammer's paradise. All one has to do is submit a form with another email
address in the hidden field. Rather, save the primary key in the hidden field
and retrieve the email address from the database when you send the email.


Thanks for the good advice, it didn't dawn on me until yesterday that I
could look at the source of the displayed page to see if the data was actually
there.

I think the mismatched quotes problem was handled by magicquotes being turned
on, as the single quote makes it into the MySQL database ok.

I do understand a little about how bad formmail scripts can be. It's not as bad
as it seems, however. Mine will not send an email to a supplied address, it
uses a code that the form supplies in a hidden field to determine which of 4
emails it will send to. That seems to me to be fairly safe, no?

Larry L
Mar 29 '06 #8
In article <%S**************@reader1.news.jippii.net>, "Kimmo Laine" <sp**@outolempi.net> wrote:
"Larry" <no***@none.com> wrote in message
news:V0*****************@tornado.socal.rr.com...
In article <Yh**************@reader1.news.jippii.net>, "Kimmo Laine"
<sp**@outolempi.net> wrote:
"Larry" <no***@none.com> wrote in message
snip
Actually I am placing the value into a hidden form field that's then emailed
via a formmail program.

echo("<input type='hidden' name='my_email' value='$email'>");

Please please please consider an alternative solution! Form mail scripts
like that are very potential spam relays, especially the Formmail from Matt's
Script Archive is the most classic exploited script. Do yourself and
everyone else a favor and study a bit how such solutions get exploited.
Basically spammers replace the value with another email address and send their
own shit using your script.

http://www.google.com/search?hl=en&q...btnG=Google+Search
http://rickconner.net/spamweb/spam_formmail.html


Well it's not quite that bad, and yes I've heard all about Matt's scripts! What
isn't obvious from the line of code above is that $email is NOT an email
address, it's a code, 1 of 4 in my case, that my Formmail script uses to
decide which of 4 emails to send the form to. Sending anything else other than
the 4 recognized codes just results in the FormMail terminating. Though I'm no
expert on the subject, my belief is that's a reasonable solution.

Larry L
Mar 29 '06 #9
Larry wrote:
In article <6p********************@comcast.com>, Jerry Stuckle <js*******@attglobal.net> wrote:
Larry wrote:
OK, I've been searching around the net for numerous hours and seem to just be
getting more confused about handling special characters.

In my host's configuration MagicQuotes is ON. (I understand this is considered
a bad thing by many)

A user submitted an email in the form 'Bob Smith' <bo*@nospam.com>
Now when I look in the MySql database (via PhpMyAdmin) it's exactly that, but
when I try to retrieve it with a standard query, it echoes or prints as Bob
Smith. I have the same problem with a store name containing a single
apostrophe. Obviously the single quote is stopping it, but how do I get past
that?

Many thanks,
Larry L


Larry,

Single quotes are also used as a delimiter in SQL. But are you sure that's your
problem? If you had mismatched quotes, I would expect you to get an error when
you try to insert it into the database.

Chances are the problem is in the display of the data. First of all, do you see
it if you look at the page source in your browser? If the data is there, it's
only a matter of handling the special characters - check out htmlentities().

If the data is not there, you need to look at your code to see what happened.

And BTW - your method is *very* insecure. It will easily turn your site into a
spammer's paradise. All one has to do is submit a form with another email
address in the hidden field. Rather, save the primary key in the hidden field
and retrieve the email address from the database when you send the email.

Thanks for the good advice, it didn't dawn on me until yesterday that I
could look at the source of the displayed page to see if the data was actually
there.

I think the mismatched quotes problem was handled by magicquotes being turned
on, as the single quote makes it into the MySQL database ok.

I do understand a little about how bad formmail scripts can be. It's not as bad
as it seems, however. Mine will not send an email to a supplied address, it
uses a code that the form supplies in a hidden field to determine which of 4
emails it will send to. That seems to me to be fairly safe, no?

Larry L


Larry,

Yes, that should be quite safe.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 29 '06 #10
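The scheme Larry describes in posts #8 and #9, sketched as an added example rather than his actual script: the form submits a short code and the server maps it to one of a fixed set of addresses, terminating on anything else. The codes, addresses and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical codes and addresses; the list lives only on the server
// and the addresses never appear in the form.
const RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
    'billing' => 'billing@example.com',
    'web'     => 'webmaster@example.com',
];

// Returns the address for a submitted code, or null for anything else.
// $submitted is whatever arrived in $_POST['my_email']: it may be missing,
// an array (my_email[]=x), or an arbitrary string chosen by the sender.
function resolve_recipient(mixed $submitted): ?string
{
    if (!is_string($submitted)) {
        return null;
    }
    // Exact key match only: no trimming, case folding or pattern matching,
    // so a near-miss or a literal address can never resolve to a recipient.
    return RECIPIENTS[$submitted] ?? null;
}

function handle_submission(array $post): string
{
    $to = resolve_recipient($post['my_email'] ?? null);
    if ($to === null) {
        // Unrecognized code: stop here, nothing is sent.
        return 'rejected';
    }
    // A real script would call its mailer here with $to. The address comes
    // from RECIPIENTS, never from the request.
    return "would send to $to";
}

// Constructed submissions: one valid code, then values that are not on the list.
$submissions = [
    ['my_email' => 'support'],
    ['my_email' => 'someone@elsewhere.example'],
    ['my_email' => ['support']],
    ['my_email' => 'SUPPORT'],
    [],
];
foreach ($submissions as $post) {
    echo json_encode($post), ' => ', handle_submission($post), "\n";
}
```

Only the first submission resolves to an address; the other four are rejected before any mail call is reached.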
