Chris (nice name),
Chris Kay wrote:
>A worm of many subjects \\\"The Klez\\\" worm arrives in an e-mail
Anytime you see three backslashes in a row, the likely case is that
addslashes() has been performed twice. For example, the following two
1. "The Klez" -> \"The Klez\"
2. \"The Klez\" -> \\\"The Klez\\\" (the \ is escaped as \\ and the " is
escaped as \")
If your php.ini specifies that magic quotes are on, then that is likely
the reason for one execution of stripslashes() that you might be
overlooking. Otherwise, check your code carefully to ensure that you
know when data has been escaped. A good habit is to use a strict naming
convention to help you:
>I have fixed this with stripslashes() but problem I am having is that
>If a ( ' ) is used in the email and I lose whatever is after '
When you store this in the database, the single quote terminates the
$data="It's hot in Memphis!";
$sql_statement="insert into quotes values('$data');";
This will give you:
insert into quotes values('It's hot in Memphis!');
As you can see, your string only consists of "It" at this point.
>$emailbody = stripslashes($_POST["body"]);
>$emailbody = stripslashes($emailbody);
Well, here's where you're executing stripslashes() twice. See above.
My suggestion is to not try to get your message into a variable that can
be used in an SQL query and be sent in an email. You want these to use
two different formats. For the email, leave the single quotes as they
are; you don't want to see the escaped quotes. For inserting into the
database, make sure they are escaped with stripslashes().
PHP General Mailing List (http://www.php.net/)
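An added example, not part of the original message: it shows addslashes() applied twice, what happens when stripslashes() is called more often than the data was escaped, and one raw value kept for the e-mail body while escaping happens only where the SQL string is built. The function names to_raw() and build_insert() and the sample string are constructed for illustration.

```php
<?php
// Added illustration: function names and the sample string are constructed.

// Undo exactly the number of escaping layers that were applied, no more.
// $layers is something you have to know from your configuration and code
// path (for example 1 if magic quotes escaped the request data, else 0).
function to_raw(string $input, int $layers): string
{
    for ($i = 0; $i < $layers; $i++) {
        $input = stripslashes($input);
    }
    return $input;
}

// Escape once, at the point where the SQL string is built.
function build_insert(string $raw): string
{
    return "insert into quotes values('" . addslashes($raw) . "');";
}

// Constructed message body with double quotes, a single quote and a
// backslash that is real data.
$raw = 'A worm of many subjects "The Klez" worm; it\'s in C:\\temp';

$once  = addslashes($raw);   // one layer
$twice = addslashes($once);  // second layer: the double-escape case

echo "raw:    $raw\n";
echo "once:   $once\n";
echo "twice:  $twice\n";

// Removing the same number of layers restores the original text.
var_dump(to_raw($twice, 2) === $raw);

// Removing more layers than were added damages the data: the extra
// stripslashes() call also removes the backslash that belongs to the path.
echo "over-stripped: ", to_raw($once, 2), "\n";

// Two formats from one raw value: unescaped for the e-mail body,
// escaped only inside the SQL statement.
$email_body    = $raw;
$sql_statement = build_insert($raw);
echo "email:  $email_body\n";
echo "sql:    $sql_statement\n";
```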