This is probably a very simple problem, but for all the mails I send through mail(), why do my ' always come out as \' ? Here's the code I use, which I made from scratch. Maybe you can tell me what's wrong with it:

<?php
$myemail = "email@gmail.com";
$myname = "John Doe";
$sender = $_POST['name'];
$email = $_POST['email'];
$subject = $_POST['subject'];
$message = $_POST['message'];
$header = "Recipient: $myname <$myemail>\n" .
          "Subject: $subject\n" .
          "From: $sender <$email>\n" .
          "X-Mailer: PHP 4.x";
//send the mail + error messages
if (mail($myemail, $subject, $message, $header)) {
    $sender = rawurlencode($sender); //comes out as \\\' so I guess I have to take this out
    header("Location: http://domain.com/emailSent.php");
} else {
    header("Location: http://domain.com/emailNotSent.php");
}
?>
Have a look at www.php.net/stripslashes EDIT: Also, don't allow users to put unfiltered data in the mail header. This allows them to abuse your form to send spam to anyone.
Exactly what I expected to have to say. Try this, assuming this is all you're using $_POST for. I advise you to find a good RegEx to validate the email; this should help ensure people don't use your script for spam.

<?php
// Only strip the slashes when magic_quotes_gpc actually added them
if (get_magic_quotes_gpc()) {
    $_POST = array_map('stripslashes', $_POST);
}
?>
A few things worth mentioning... You need to use a regex (as mentioned) to make sure that what they put into the email field is actually a valid email address. Something like this should work:

preg_match("/^[a-z0-9._-]+@[a-z0-9.-]+\.[a-z]{2,6}$/i", $email);

That should solve any potential spam problems as well. Users can add \ncc:spam@email.com or \nbcc:spam@email.com at the end of their own email address to send their spam to anyone they wish if the email address is unfiltered, but that regex will mark the address as invalid if they try. You might want to consider passing the subject and message through htmlentities() to prevent any possible XSS attacks that may occur from using HTML-enabled email on a webmail platform. I'm sure Google has some safeguards against this kind of thing, but you can never validate or filter too much. It would, in my opinion, be better to have the form submit to itself instead of redirecting; that way you can validate the input on the same page and spit it back out if you get an error. If someone types out a 500 word email on how awesome you are only to lose it because of a typo in their email address, I doubt they'd bother to type it out again. Just put the form on this page, point it to itself, and put $_POST['message'] as the value for the message field, etc. You just have to put it before you start referencing the $_POST superglobal. Sticking it at the top of your script would work fine.
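A defender-side check for the header injection the post above describes, written as an added example that is not from this thread (the function name and the sample inputs are constructed; it assumes PHP 7.1 or later). It also shows one caveat with the regex quoted above: without the D modifier, PCRE's $ will match before a single trailing newline, so the D modifier is added here.

```php
<?php
// Build the extra mail() headers from form input, refusing anything that
// could smuggle in a new header line. Throws on bad input.
function build_mail_headers(string $senderName, string $senderEmail, string $subject): string
{
    // Header injection needs a line break, so refuse CR or LF in every
    // field that ends up in a header, before any other validation.
    foreach (['name' => $senderName, 'email' => $senderEmail, 'subject' => $subject] as $field => $value) {
        if (preg_match('/[\r\n]/', $value)) {
            throw new InvalidArgumentException("Line break in $field");
        }
    }
    // Same pattern as the thread, plus the D modifier so $ only matches
    // at the very end of the string (not before a trailing "\n").
    if (!preg_match('/^[a-z0-9._-]+@[a-z0-9.-]+\.[a-z]{2,6}$/iD', $senderEmail)) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    return "From: {$senderName} <{$senderEmail}>\r\n"
         . "Reply-To: {$senderEmail}\r\n"
         . "X-Mailer: PHP/" . PHP_VERSION;
}

// Constructed inputs: one clean submission and two injection attempts.
$attempts = [
    ['John Doe', 'john@example.com', 'Hello'],
    ['John Doe', "john@example.com\nBcc: spam@example.com", 'Hello'],
    ["John\r\nBcc: spam@example.com", 'john@example.com', 'Hello'],
];
foreach ($attempts as [$name, $email, $subject]) {
    try {
        $headers = build_mail_headers($name, $email, $subject);
        echo "accepted: " . str_replace("\r\n", " | ", $headers) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

Only the first submission is accepted; the other two are rejected by the line-break check before they ever reach mail().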
Whoah! This is great stuff! So I just copy that and paste it on the top of the code I posted at the very beginning? I'm so excited! How do I do it?
The preg_match() function used with the regex above will return 1 (bool TRUE) if the email entered does not match the pattern provided, so all you have to do is check to see if the email provided makes it return true or false.

// preg_match() returns 1 when the address matches the pattern and 0 when it
// does not, so the email is rejected only when there is no match.
if (!preg_match("/^[a-z0-9._-]+@[a-z0-9.-]+\.[a-z]{2,6}$/i", $email)) {
    echo "OMG! u haxord mai email!";
} else {
    //Send email
}

And while you can place variables directly into strings enclosed in double quotes, you can save PHP some trouble by enclosing them in curly braces: "Blah blah {$var} blah blah." This tells PHP that there is a variable named $var that needs to be put in there, and it doesn't have to figure out if you wanted $v, $va, or $var. Get in the habit now and it can save you grief down the line.