Htmlspecialchars Issue

Hello guys,

Got another problem with a mail form I am using. I found it on Google and it works fine; it's an HTML form which uses PHP to send the form data to an email address. The problem I have is I cannot get the htmlspecialchars function to work with it. I've tried various solutions, but every time I try, they don't work. I'll paste the PHP code here with the HTML form to see if someone can work it out.

I think the main problem is because it uses an array, but seeing as I'm not too good with arrays, I can't get it to work. I've tried using the array_map function, but that didn't seem to work. Some help on this would be great!

The HTML Form:

<form method="post" action="info.php">
 <!-- hidden fields belong outside the table rows, not between <tr> elements -->
 <input type="hidden" name="sendto" value="[email protected]">
 <input type="hidden" name="price" value="">
 <table bgcolor=#ffffcc align=center>
 <tr><td colspan=2><strong>Your Information:</strong></td></tr>
 <tr><td><font color=red>*</font> Character Name:</td><td><input size=25 name="Name"></td></tr>
 <tr><td><font color=red>*</font> Your Email:</td><td><input size=25 name="Email"></td></tr>
 <tr><td>Phone:</td><td><input size=25 name="Phone"></td></tr>
 <tr><td colspan=2>Message:</td></tr>
 <tr><td colspan=2 align=center><textarea name="Notes" rows=5 cols=35></textarea></td></tr>
 <tr><td colspan=2 align=center><input type="submit" name="send" value="Submit"></td></tr>
 <tr><td colspan=2 align=center><small>A <font color=red>*</font> indicates a field is required</small></td></tr>
 </table>
 </form>

The PHP Script:
[php]
<?php
$to    = $_REQUEST['sendto'];
$from  = $_REQUEST['Email'];
$name  = $_REQUEST['Name'];
$phone = $_REQUEST['Phone'];
$notes = $_REQUEST['Notes'];

$headers = "From: $from";
$subject = "Web Contact Data";

// request field name => label used in the mail body
$fields = array();
$fields["Name"]  = "Name";
$fields["Email"] = "Email";
$fields["price"] = "price";
$fields["Phone"] = "Phone";
$fields["Notes"] = "Notes";

$body = "We have received the following information:\n\n";
foreach ($fields as $a => $b) {
    // note: reads the raw request value, not the local variables above
    $body .= sprintf("%20s: %s\n", $b, $_REQUEST[$a]);
}

$headers2  = "From: [email protected]";
$subject2  = "Thank you for contacting us";
$autoreply = "Thank you for contacting us. Your service will begin soon. Contact us via our live chat system or email us at [email protected]";

if ($from == '') {
    print "You have not entered an email, please go back and try again";
} else {
    if ($name == '') {
        print "You have not entered a name, please go back and try again";
    } else {
        $send  = mail($to, $subject, $body, $headers);
        $send2 = mail($from, $subject2, $autoreply, $headers2);
        // the closing braces for the two else blocks are absent as posted
?>
[/php]

I’ve tried using htmlspecialchars like this:
[php]$from = htmlspecialchars($_REQUEST['Email'], ENT_QUOTES);[/php]
That didn’t seem to work.
Any ideas?
Thanks

What does this mean: “problem I have is I cannot get the htmlspecialchars function to work”

What are your expected results? What is actually happening?

Well the form data is sent in an email to me, but I thought that if I don’t have htmlspecialchars then hackers can use tags to do whatever… So I should be preventing that by using the function?

If you're not wanting any tags in the email you get, use http://us2.php.net/strip_tags

That's the problem: when I use a function like strip_tags or htmlspecialchars, they don't work; the tags/quotes don't get removed when I use the functions.

Post an example of how you tried to use it.

I tried this:
[php]
$from  = htmlspecialchars($_REQUEST['Email'], ENT_QUOTES);
$name  = htmlspecialchars($_REQUEST['Name'], ENT_QUOTES);
$phone = htmlspecialchars($_REQUEST['Phone'], ENT_QUOTES);
$notes = htmlspecialchars($_REQUEST['Notes'], ENT_QUOTES);
[/php]

I also tried using the array_map function but I’m not sure if I did it right or not.

I meant as a complete script.

Well, it's just the first HTML form and PHP script I posted, with the function added to the $_REQUEST variables.

htmlspecialchars works. The sprintf is formatting it back again.
[php]$body .= sprintf("%20s: %s\n",$b,$_REQUEST[$a]);[/php]

The last part of your code is not right. See below for corrected code.

[php]
if ($from == '') {
    print "You have not entered an email, please go back and try again";
} elseif ($name == '') {
    print "You have not entered a name, please go back and try again";
} else {
    $send  = mail($to, $subject, $body, $headers);
    $send2 = mail($from, $subject2, $autoreply, $headers2);
}
[/php]

Still isn’t working. I removed the sprintf function (I think?) but the form data I receive in the email is all on one line and I can’t seem to make line breaks using /n or
but anyway, here’s my amended code, htmlspecialchars still isn’t working for me.

[php]
<?php
$to    = $_REQUEST['sendto'];
$from  = htmlspecialchars($_REQUEST['Email'], ENT_QUOTES);
$name  = htmlspecialchars($_REQUEST['Name'], ENT_QUOTES);
$phone = htmlspecialchars($_REQUEST['Phone'], ENT_QUOTES);
$notes = htmlspecialchars($_REQUEST['Notes'], ENT_QUOTES);

$headers = "From: $from";
$subject = "Web Contact Data";

// request field name => label used in the mail body
$fields = array();
$fields["Name"]  = "Name";
$fields["Email"] = "Email";
$fields["price"] = "price";
$fields["Phone"] = "Phone";
$fields["Notes"] = "Notes";

$body = "We have received the following information:\n\n";
foreach ($fields as $a => $b) {
    // still reads the raw request value, not the escaped variables above
    $body .= $b . "===" . $_REQUEST[$a] . "===";
}

$headers2  = "From: [email protected]";
$subject2  = "Thank you for contacting us";
$autoreply = "Thank you for contacting us. Your service will begin soon. Contact us via our live chat system or email us at [email protected]";

if ($from == '') {
    print "You have not entered an email, please go back and try again";
} elseif ($name == '') {
    print "You have not entered a name, please go back and try again";
} else {
    $send  = mail($to, $subject, $body, $headers);
    $send2 = mail($from, $subject2, $autoreply, $headers2);
}
?>
[/php]

Remove the foreach and just put the variables in the way you want them formatted.

Please, just give me the correct code, I don’t know what you mean.

Remove this: [php]foreach ($fields as $a => $b) { $body .= $b . "===" . $_REQUEST[$a] . "==="; }[/php]

Then

[php]$body = "We have received the following information: $name, $notes\n\n";[/php]
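Added example, not code from this thread: a hardened version of the handler posted above. Two things in the posted scripts are worth noting beyond the loop. The body loop reads `$_REQUEST[$a]` directly, so the escaped `$from`, `$name`, `$phone` and `$notes` never reach `$body`; that is why no entities showed up in the mail. More important for a mail script, `$headers = "From: $from"` puts unvalidated input into a mail header (a CR/LF in the Email field lets the sender append extra headers such as Bcc:), and `$to = $_REQUEST['sendto']` lets whoever submits the form choose the recipient. htmlspecialchars() is for output into an HTML page and does nothing useful for a plain-text email. The script below assumes the same field names as the form above and a recipient fixed in the script (`CONTACT_TO` is a placeholder address); it validates the sender address with `filter_var()`, rejects CR/LF in anything that goes into a header, uses the site's own address as From with the visitor's address in Reply-To, and builds the body from the validated values rather than from `$_REQUEST`.

```php
<?php
// Added example (not the original poster's script): hardened contact form handler.
// Assumptions: same field names as the posted form (Name, Email, Phone, Notes,
// price); recipient fixed here instead of read from the hidden "sendto" field.
declare(strict_types=1);

// Assumption: placeholder recipient; replace with the real mailbox.
const CONTACT_TO = 'contact@example.com';

/**
 * Return a single-line value safe to place in a mail header, or null if the
 * value contains CR/LF. "From: $from" with a newline inside $from lets the
 * sender append headers (Bcc:, Cc:, ...) to the outgoing message.
 */
function header_safe(string $value): ?string
{
    if (preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return trim($value);
}

/**
 * Validate the submitted fields. Returns [$fields, $errors].
 * The body is plain text, so values are not HTML-escaped here; escaping is
 * applied only where text is written into an HTML page (the error output).
 */
function collect_fields(array $request): array
{
    $errors = [];
    $fields = [];

    $email = header_safe((string)($request['Email'] ?? ''));
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'You have not entered a valid email, please go back and try again';
    }
    $fields['Email'] = $email ?? '';

    $name = header_safe((string)($request['Name'] ?? ''));
    if ($name === null || $name === '') {
        $errors[] = 'You have not entered a name, please go back and try again';
    }
    $fields['Name'] = $name ?? '';

    $fields['Phone'] = header_safe((string)($request['Phone'] ?? '')) ?? '';
    $fields['price'] = header_safe((string)($request['price'] ?? '')) ?? '';
    // Notes may span several lines; that is fine in the body, only headers must be single-line.
    $fields['Notes'] = (string)($request['Notes'] ?? '');

    return [$fields, $errors];
}

/** Build the notification body from the validated fields, never from raw $_REQUEST. */
function build_body(array $fields): string
{
    $body = "We have received the following information:\n\n";
    foreach (['Name', 'Email', 'price', 'Phone', 'Notes'] as $key) {
        $body .= sprintf("%20s: %s\n", $key, $fields[$key]);
    }
    return $body;
}

[$fields, $errors] = collect_fields($_REQUEST);

if ($errors !== []) {
    // This output lands in an HTML page, so this is where htmlspecialchars() belongs.
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

$body = build_body($fields);

// From is our own address (the visitor's address is only in Reply-To), and
// $fields['Email'] has already been checked to be a single line.
$headers = "From: " . CONTACT_TO . "\r\nReply-To: " . $fields['Email'];
mail(CONTACT_TO, 'Web Contact Data', $body, $headers);

$autoreply = "Thank you for contacting us. Your service will begin soon. "
           . "Contact us via our live chat system or email us at " . CONTACT_TO;
mail($fields['Email'], 'Thank you for contacting us', $autoreply, "From: " . CONTACT_TO);
```

If tags in the notes are a concern for whoever reads the mail in an HTML client, apply strip_tags() to `$fields['Notes']` inside build_body(); for a plain-text mail it is not needed, and neither function replaces the header and recipient checks above.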

Ahh, finally it works! :)
Thank you so much, I really do appreciate it.

Give a brutha some Karma. It's next to my name.

Done!
