PHP Mailer Class and HTML Emails

Mechaworx

Hi All,

I have a form set up on my web site sending HTML emails. I am using the phpMailer class to send emails. When I receive the emails I am experiencing an annoying problem trying to get paragraph breaks. I keep getting "\n\n\" where paragraph separations should be. I've tried

.nl2br($comments).

and

$comments = str_replace('\n.', '\n..', $comments);

But those annoying "n's" are still there. Could it be because I'm not declaring a MIME type? I have put the mail code below in case someone can see anything obvious.


$site_owner_email = 'me@mydomain.org';
		$site_owner_name = 'My Name';
		$comments = str_replace('\n.', '\n..', $comments);
		$url = $_SERVER['HTTP_REFERER'];
		$htmlBody = '<html>
				<head>
					<style type="text/css" media="screen">
					body {font-family:arial, verdana, sans-serif; background-color: #e3e3e3; font-size: 1em; height: 100%;}
					h3 {font-size: .9em; color:#333333;	margin-bottom: 1em;	margin-left: .45em;}
					p {color: #666;	font-size: .75em; margin-left: .5em; line-height: 1.3em; margin-bottom:1em;}
					ul li {list-style:none;	font-size: .75em;}
					</style>
				</head>
					<body>
					<div style="overflow: hidden; background-color: #e3e3e3; width: 59em;">
						<div style="width: 100%; background-color: #fff; border: 1px solid #ccc; margin: auto;">
							<div align="center"><img src="http://www.mydomain.org/images/pageElements/header.jpg" title="Welcome To Massachusetts Cicadas" alt="Welcome To My Domain"" style="height: 190px; width: 950px"></div><br>
								<h3>A Contact Request Has Come Through. Below is the Information.</h3>
								<p>User Details:</p>
									<ul>
										<li><b>Name: </b>'.$name.'</li>
										<li><b>Email: </b>'.$email.'</li>
										<li><b>Website: </b>'.$website.'</li>
									</ul>
								<p>User Comments:</p>
								<p><em>'.$comments.'</em></p>
							</div>
						</div>
					</body>
				</html>';
		$textBody = 'Name:'.$name."\r\n" .
					'Email:'.$email."\r\n" .
					'Website:'.$website."\r\n\n".
					'This is the comment:'."\r\n".$comments."\r\n\n" . 

	require_once('../PHPMailer_v5.1/class.phpmailer.php');
	$mail = new PHPMailer ();
	$mail -> IsSMTP ();
	$mail -> From = $email;//who filled out the form email
	$mail -> FromName = $name;//who filled out the form name
	$mail -> Subject = 'Inquiry From My Domain Contact Form.';
	$mail -> AddAddress($site_owner_email, $site_owner_name);//message goes to webmaster
	$mail -> Body = ($htmlBody);
	$mail -> isHTML(true);
	$mail -> AltBody = ($textBody);

	$mail -> Host = "mail.mydomain.org";
	$mail->SMTPDebug  = 2;                     // enables SMTP debug information (for testing)
	$mail -> Port = 25;
	$mail -> SMTPAuth = true;
	$mail -> Username = "me@mydomain.org";
	$mail -> Password = "mypassword";

	$mail -> send();

	echo '<li class="success"> Congratulations, ' . $name . '. Your message was posted successfully! We will get back to you shortly. </li>';	
}

Thanks for any help.

Gerry

NogDog

I'm not sure what the dots are doing in the '\n.' and '\n..' expressions, but the "\n" escape sequence only has the special newline character meaning within a double-quoted string literal. When in single quotes it is a literal back-slash and "n", not a newline character. In any case, for the HTML output, [man]nl2br/man should be sufficient, if properly applied, e.g.:

$comments = nl2br($comments);

Mechaworx

Thanks NogDog

Tried that but no joy, I declared a variable like so

$comments = nl2br($comments);

Then concatenated it in the form output like as before ie;

<p><em>'.$comments.'</em></p>

But they're still there.

NogDog

What exactly are "they", and where do "they" come from? (I.e.: where/how is $comments populated?)

Mechaworx

Hi NoDog

The $comments variable corresponds to the comments textarea of my website's comments textarea form field.

I just realized that above the email script in my code I am using:

$comments = mysql_real_escape_string($comments);

commenting out the above line of code and using:

$comments = nl2br($comments);

Puts in the paragraph breaks without a problem. Since this form does not interact with a database do I need mysql_real_escape_string or should I still use it for special characters in emails? Anyway its working now.

thanks

NogDog

You only want to use mysql_real_escape_string() for data being used in a DB query when it is used as such. You -- as you just found out 😉 -- do not want to use it in other situations.

Mechaworx

Hrmm,

I thought I would need my_sql_real_escape_string() to help combat spam injections into my forms I'm already using striptags() and stripslashes().

Thanks for your help NoDog, it is appreciated.

Gerry

bradgrafelman

Mechaworx wrote:
I thought I would need my_sql_real_escape_string() to help combat spam injections into my forms

Why? It's not form_real_escape_string(), nor does the manual's description:

PHP Manual wrote:
mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement

mentioned anything about using the function for any other purpose.

Mechaworx wrote:
I'm already using striptags() and stripslashes().

Why [man]stripslashes/man? There shouldn't be any reason to use stripslashes() on user data unless its to reverse the effects of magic_quotes_gpc on a server where you have exhausted all attempts at disabling magic quotes.

EDIT: Also, don't forget to mark this thread resolved (if it is) using the link on the Thread Tools menu above.

Mechaworx

Sorry for the delay guys was working my regular 9 - 5.

Ok, just a few more questions/comments then I'll mark this thread resolved.

I am using forms for multiple purposes:

1). Generic contact form - no interaction with the database but emails are sent to me. What are the best practices to protect the form from people trying to email url's or any other type of other spam? Other than checking for properly filled out form fields and properly formatted email address and/or Captcha?

2). Comments forms - interacts with a database by inserting the users' comments into the comments table and displays the comments on a page. In this instance, I would use my_real_escape() AND striptags() but not stripslashes ()? I really don't want url's or other advertising in comments forms.

Also, notification of users' comment get sent to the webmaster and also the user if others have replied to their comment via email.

3). Report forms - interacts with a database but is a more complex form. It allows the adding and uploading of files to an upload folder and inserts data into the database. All reports are emailed to me and the actual user who filled out the form gets a copy through email.

Now you guys have me really concerned about security. Thanks for your suggestions.