mail() improperly escapes single and double quotes.

mborish_2000

I've got an issue where mail() improperly escapes single and double quotes. For example: ' appears as \' (as when an apostrophe is in the email text, like " person's automobile" shows up as "person\'s automobile\". The email sent always contains the escaped character with the \ in front of it.

I'm not sure if this is a coding issue or a PHP bug. Here's my mail.php page:

<?php

$valid_ref1=".../form.html";
$valid_ref2=".../form.html";/
$replyemail="...@aol.com";

if($_SERVER['REQUEST_METHOD'] != "POST"){
echo("Unauthorized attempt to access page.");
exit;
}

//Validate e-mail!
function is_valid_email($email) {
return preg_match('#^{[a-z0-9.!#$%&\'*+-/=?^{_`{|}~]+@([0-9.]+|([^{\s]+.+[a-z]{2,6}))$#si',}}} $email);
}

if (!is_valid_email($email)) {
echo 'Sorry, invalid email';
exit;
}

//clean input in case of header injection attempts!
function clean_input_4email($value, $check_all_patterns = true)
{
$patterns[0] = '/content-type:/';
$patterns[1] = '/to:/';
$patterns[2] = '/cc:/';
$patterns[3] = '/bcc:/';
if ($check_all_patterns)
{
$patterns[4] = '/\r/';
$patterns[5] = '/\n/';
$patterns[6] = '/%0a/';
$patterns[7] = '/%0d/';
}

return preg_replace($patterns, "", $value);
}

$name = clean_input_4email($POST["name"]);
$email = clean_input_4email($POST["email"]);
$phonenumber = clean_input_4email($POST["phonenumber"]);
$thesubject = clean_input_4email($POST["thesubject"]);
$theaddress = clean_input_4email($POST["theaddress"]);
$themessage = clean_input_4email($POST["themessage"], false);

$error_msg='Input Corrupt! -Message not sent.';

$success_sent_msg='<p align="center"><strong> </strong></p>
<p align="center">Your message has been successfully sent to us<br />
and we will reply as soon as possible.<br />
A copy of your query has been sent to you.<br />
Thank you for contacting us.</p>
<p align="center">-The Glenwood Realty Team-</p>';

$replymessage = "$name:

Thank you for your email.

We will endeavour to reply to you within the next 48 hours.

Please DO NOT reply to this email.

Below is a copy of the message you submitted:

From: $name
Phone Number: $phonenumber
Subject: $thesubject
Address: $theaddress

$themessage

Thank you,

......";

// email variable not set - load $valid_ref1 page
if (!isset($_POST['email']))
{
echo "<script language=\"JavaScript\"></script>";
exit;
}

$ref_page=$_SERVER["HTTP_REFERER"];
$valid_referrer=0;
if($ref_page==$valid_ref1) $valid_referrer=1;
elseif($ref_page==$valid_ref2) $valid_referrer=1;
if(!$valid_referrer)
{
echo "<script language=\"JavaScript\"></script>";
exit;
}

$themessage = "From: $name \nPhone Number: $phonenumber \nAddress: $theaddress \n\n$themessage";
$email = "$name <$email>";
$replyemail = "Glenwood Realty <$replyemail>";

mail("$replyemail",
"$thesubject",
"$themessage",
"From: $email\nReply-To: $email");
mail("$email",
"Receipt: $thesubject",
"$replymessage",
"From: $replyemail\nReply-To: $replyemail");
echo $success_sent_msg;

mborish_2000

I've tried several striplsashes ideas to no avail. I'm assuming it is some sort of problem with magicquotes but don't know exactly how to address it.

mborish_2000

Ok, I'm making progress here. How do I defeat magic_quotes_gpc?

Houdini

Example from PHP:Manual

<?php
if (get_magic_quotes_gpc()) {
   function stripslashes_deep($value)
   {
       $value = is_array($value) ?
                   array_map('stripslashes_deep', $value) :
                   stripslashes($value);

   return $value;
   }

   $_POST = array_map('stripslashes_deep', $_POST);
   $_GET = array_map('stripslashes_deep', $_GET);
   $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
   $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
?>

mborish_2000

Thanks. I put that in right after the page access restrictions and it works perfectly now.

-Mike