I am trying to set up a mail form that cannot be spammed through, and I have this script that attempts to do this in two ways.

1) it checks the URL of the page and the URL of the referring page and makes sure they are the same, or it does not process the email form
2) it is supposed to strip the slashes from the data input in the email form fields

Number 1 works great, but stripping the slashes from the input text is not working for some reason. Here is the script for the email form so you can take a look.

<?php

$your_email = "";
$subject = "Message via your contact form";
$empty_fields_message = "<p>Please go back and complete all the fields that are required in the form.</p>";
$thankyou_message = "<p>Thankyou. Your message has been sent.</p>";

// Read the posted fields; default to an empty string before the form is
// submitted so the stripslashes() calls do not raise undefined-index notices
$name = isset($_POST['txtName']) ? stripslashes($_POST['txtName']) : "";
$email = isset($_POST['txtEmail']) ? stripslashes($_POST['txtEmail']) : "";
$message = isset($_POST['txtMessage']) ? stripslashes($_POST['txtMessage']) : "";

if (!isset($_POST['txtName'])) {

?>

<form method="post" action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI']); ?>">

<p><label for="txtName">Name:</label><br />
<input type="text" title="Enter your name" name="txtName" /></p>

<p><label for="txtEmail">Email:</label><br />
<input type="text" title="Enter your email address" name="txtEmail" /></p>

<p><label for="txtMessage">Your message:</label><br />
<textarea title="Enter your message" name="txtMessage"></textarea></p>

<p><label title="Send your message">
<input type="submit" value="Send" /></label></p>

</form>

<?php

}

elseif (empty($name) || empty($email) || empty($message)) {

echo $empty_fields_message;

}

else {

// Check the referring URL (sent by the browser, so it may be absent)
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";

// Get the URL of this page
$this_url = "http://".$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"];

// If the referring URL and the URL of this page don't match then
// display a message and don't send the email.
if ($referer != $this_url) {
    echo "You do not have permission to use this script from another URL.";
    exit;
}

// The URLs matched so send the email.
// Note: $name and $email go straight into the From: header. stripslashes()
// only removes backslashes, so newlines in these fields are not removed here.
mail($your_email, $subject, $message, "From: $name <$email>");

// Display the thankyou message
echo $thankyou_message;

}

?>

Not sure what is wrong; I guess it is a little over my head.

Thanks for the help.

    What is it (not) doing that it should? Can you give an example of the data entered and the post-processing result?

      Well.....

      It is supposed to take the data that is stored in the strings:

      $name = stripslashes($_POST['txtName']);
      $email = stripslashes($_POST['txtEmail']);
      $message = stripslashes($_POST['txtMessage']);

      and strip the slashes from the data entered into them.

      So in other words it should strip out any \ or / entered into the form fields. This way they would not be able to alter the email headers.

      I guess I should give a little reason why I am doing this. Apparently, according to my host, someone was using my insecure mail form to spam, and my inferior website was about to be blacklisted by AOL and some other ISPs. So they pulled down my contact page and told me to replace my mail form with one that is secure. So this is why I am doing this.

      Maybe I am using stripslashes() wrong. I am really not sure, and it is the first time I have used it. I really use PHP on a very n00b level and I am not very good "yet" 🙂

      Maybe instead of doing this I should just find someone else's script for a secure mail form. I just thought I would give it a spin, heh.

        Stripslashes has nothing to do with forward slashes:

        Returns a string with backslashes stripped off. (\' becomes ' and so on.) Double backslashes (\\) are made into a single backslash (\).

        You're using it right, because it's the way most people use it. And if anyone who knows PHP figures out you're just checking the referrer and using stripslashes(), they'll get around it, i.e. by using a script to set the referrer header, and using addslashes so that when stripslashes is run, it becomes code....

        Anyway, what is it that you put in to the form, and how does it come out? Give some examples. The code you posted should work. We need to see results and inputs now.

        ~Brett

        EDIT:
        Another option is this: it seems that magic_quotes_gpc is set to on. While that may be true, you can do this as well:

        <?php
        // Is magic_quotes_gpc set to on or off? (The function was removed in
        // PHP 8, so check that it exists before calling it.)
        $mqgpc = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() == 1) ? 'On' : 'Off';

        $name = ($mqgpc == 'On') ? // If variable value is "On"
                       stripslashes($_POST['name']) : // use stripslashes()
                       $_POST['name']; // else it doesn't have slashes
        $message = ($mqgpc == 'On') ?
                       stripslashes($_POST['message']) :
                       $_POST['message'];

        ?>

        That's an alternative, although it won't solve your problems....

        ~Brett
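Brett's two points above (stripslashes() only touches backslashes, so a newline in a field passes straight into the From: header, and the referrer header is set by the client), as an added example that is not the original poster's script or Brett's code. It shows the injected header the posted script would build, a hardened header builder, and a per-session token in place of the referrer check. The field values, the addresses, `$site_from`, the hidden field name `token`, and PHP 7 or later are all assumptions made for this example.

```php
<?php
// Added example, not code from the thread. Addresses and field values below are
// constructed test data.

// --- 1. Why stripslashes() does not stop header injection ---------------------

// Constructed attacker input for the email field: the CRLF ends the From: line,
// so whatever follows it is handed to mail() as a further header.
$attacker_email = "a@example.com>\r\nBcc: x@example.net, y@example.net\r\n<";

// Same shape as the headers the posted script builds.
function build_naive_headers($name, $email) {
    return "From: $name <$email>";
}

// stripslashes() removes backslashes only; the CRLF survives and the Bcc:
// ends up on its own header line.
$naive = build_naive_headers("Bob", stripslashes($attacker_email));
$header_lines = preg_split('/\r\n|\n|\r/', $naive);

// --- 2. A hardened version --------------------------------------------------

// Reject (rather than strip) any value that could start a new header line.
function header_safe($value) {
    return is_string($value) && !preg_match('/[\r\n\0]/', $value);
}

// Build the additional headers for mail(). From: is a fixed, site-owned address
// ($site_from is an assumed configuration value); the visitor's address is only
// used in Reply-To:, and only after it validates as a single address.
function build_safe_headers($name, $email, $site_from) {
    if (!header_safe($name) || !header_safe($email)) {
        return false;                       // caller shows an error and sends nothing
    }
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return "From: $site_from\r\nReply-To: $email\r\n";
}

// --- 3. Replacing the referrer check with a per-session token ----------------

// HTTP_REFERER comes from the client, so a script can set it to the form's own
// URL. A random token stored in the server-side session and echoed back in a
// hidden field proves the browser loaded the form from this server first.
function issue_form_token() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(16));     // random_bytes(): PHP 7+ (assumed)
    $_SESSION['form_token'] = $token;
    return $token;
}

function check_form_token($submitted) {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['form_token']) || !is_string($submitted)) {
        return false;
    }
    $ok = hash_equals($_SESSION['form_token'], $submitted);   // constant-time compare
    unset($_SESSION['form_token']);         // one submission per issued token
    return $ok;
}

// --- Demonstration -----------------------------------------------------------
echo "naive headers split into " . count($header_lines) . " header line(s)\n";
var_dump(build_safe_headers("Bob", $attacker_email, "contact@example.com"));
var_dump(build_safe_headers("Bob", "bob@example.com", "contact@example.com"));
```

To wire the token in, the form gets a hidden field such as `<input type="hidden" name="token" value="<?php echo htmlspecialchars(issue_form_token()); ?>" />`, and the submit branch calls `check_form_token($_POST['token'])` before `build_safe_headers()`; when either returns false, the script prints an error and never calls mail(). Putting the visitor's address in Reply-To: rather than From: also keeps the outgoing mail from impersonating arbitrary senders, which is what got the original form flagged by the host.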
