From 07902b107ef8b2335abdbb32c99cbfc8bb0bf171 Mon Sep 17 00:00:00 2001
From: james
Date: Thu, 25 Mar 2010 14:23:25 +0000
Subject: [PATCH] Fix smart-quotes and other funky characters in email messages - need to //TRANSLIT convert _before_ escaping for the query
---
admin/communication.php | 34 ++++++++++++++++++++++++----------
1 file changed, 24 insertions(+), 10 deletions(-)
diff --git a/admin/communication.php b/admin/communication.php
index 894d5e1..49ee050 100644
--- a/admin/communication.php
+++ b/admin/communication.php
@@ -135,11 +135,30 @@ case 'dialog_choose':
 case 'email_save':
 $id = intval($_POST['emails_id']);
- $name = mysql_real_escape_string(stripslashes($_POST['name']));
- $description = mysql_real_escape_string(stripslashes($_POST['description']));
- $from = mysql_real_escape_string(stripslashes($_POST['from']));
- $subject = mysql_real_escape_string(stripslashes($_POST['subject']));
- $bodyhtml = mysql_real_escape_string(stripslashes($_POST['bodyhtml']));
+
+ //we need to character encode BEFORE we myql_real_escape_strintg
+ //otherwise, a smartquote ' will turn into a normal ' that ends up
+ //not being escaped!
+ $name=$_POST['name'];
+ $description=$_POST['description'];
+ $from=$_POST['from'];
+ $subject=$_POST['subject'];
+ $bodyhtml=$_POST['bodyhtml'];
+
+ //add //TRANSLIT to approximate any characters (eg smartquotes) that it doesnt know
+ $bodyhtml=iconv("UTF-8","ISO-8859-1//TRANSLIT",$bodyhtml);
+ $name=iconv("UTF-8","ISO-8859-1//TRANSLIT",$name);
+ $description=iconv("UTF-8","ISO-8859-1//TRANSLIT",$description);
+ $from=iconv("UTF-8","ISO-8859-1//TRANSLIT",$from);
+ $subject=iconv("UTF-8","ISO-8859-1//TRANSLIT",$subject);
+
+ //Now its safe to escape it for the db query
+ $name = mysql_real_escape_string(stripslashes($name));
+ $description = mysql_real_escape_string(stripslashes($description));
+ $from = mysql_real_escape_string(stripslashes($from));
+ $subject = mysql_real_escape_string(stripslashes($subject));
+ $bodyhtml = mysql_real_escape_string(stripslashes($bodyhtml));
+
 $type = mysql_real_escape_string($_POST['type']);
 $key = mysql_real_escape_string($_POST['key']);
 $fcid = mysql_real_escape_string($_POST['fcid']);
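Review bot: The five added iconv() calls feed their result straight into stripslashes()/mysql_real_escape_string(), but iconv() returns false when the input is not valid UTF-8 (and, even with //TRANSLIT, can fail on characters it cannot approximate), so a malformed submission would silently save empty fields instead of being rejected. Converting to ISO-8859-1 before escaping is also only the right order if the MySQL connection charset is latin1; if the connection is set to UTF-8, mysql_real_escape_string already handles these bytes correctly and the transliteration only loses data — worth confirming against the connect code, which is outside this hunk. The five repeated assign/convert/escape triples would be clearer as one helper that converts, checks for false and then escapes, as sketched below (the helper belongs at file scope, not inside the switch). Separately, the added comment has typos: `myql_real_escape_strintg` → `mysql_real_escape_string`. The `case 'email_save':` body continues past the end of the hunk.
```php
// File-scope helper: convert one submitted field to the connection charset, then escape it.
// iconv() returns false on malformed input, so stop rather than store an empty field.
function escapeEmailField($value)
{
    $converted = iconv("UTF-8", "ISO-8859-1//TRANSLIT", $value);
    if ($converted === false) {
        trigger_error('Field could not be converted to ISO-8859-1', E_USER_ERROR);
    }
    return mysql_real_escape_string(stripslashes($converted));
}

// … inside case 'email_save', replacing the five assign / iconv / escape triples …
$name = escapeEmailField($_POST['name']);
$description = escapeEmailField($_POST['description']);
$from = escapeEmailField($_POST['from']);
$subject = escapeEmailField($_POST['subject']);
$bodyhtml = escapeEmailField($_POST['bodyhtml']);
// … unchanged: $type / $key / $fcid escaping …
```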
@@ -157,11 +176,6 @@ case 'email_save':
 /* Allow the fundraising campaigns id to be NULL, it'll never be 0 */
 $fcstr = ($fcid == 0) ? 'NULL' : "'$fcid'";
- $bodyhtml=iconv("UTF-8","ISO-8859-1",$bodyhtml);
- $name=iconv("UTF-8","ISO-8859-1",$name);
- $description=iconv("UTF-8","ISO-8859-1",$description);
- $from=iconv("UTF-8","ISO-8859-1",$from);
- $subject=iconv("UTF-8","ISO-8859-1",$subject);
 $body=getTextFromHtml($bodyhtml);
 mysql_query("UPDATE emails SET