Here is my form processing script. However, I still get HTML links posted in my comments box. Can someone please explain how the clean_string function works (or rather why it doesn't work)?
<?php
header('Content-Type: text/html; charset=utf-8');

if (isset($_POST['email'])) {
    $email_to      = "myemail address here";
    $email_subject = "Request from my Website";
    $email_header  = "my email address here";

    $name       = $_POST['name'];    // required
    $company    = $_POST['phone'];   // required
    $email_from = $_POST['email'];   // required
    $demowhat   = $_POST['message']; // required

    $email_message = "Form details below.\n";

    // Removes a fixed list of substrings; str_replace is case-sensitive,
    // so only these exact spellings are affected.
    function clean_string($string) {
        $bad = array("content-type", "bcc:", "to:", "cc:", "href");
        return str_replace($bad, "", $string);
    }

    $email_message .= "Name: " . clean_string($name) . "\n";
    $email_message .= "Phone: " . clean_string($company) . "\n";
    $email_message .= "Email Address: " . clean_string($email_from) . "\n";
    $email_message .= "Message: " . clean_string($demowhat) . "\n";

    // create email headers
    $headers = 'From: ' . $email_header . "\n" .
               'Reply-To: ' . $email_from . "\n" .
               'X-Mailer: PHP/' . phpversion();

    @mail($email_to, $email_subject, $email_message, $headers);
}
?>
As I cannot yet comment, this will go as an answer.
The function clean_string() is not a predefined library function, so from what I can see you search for any of the mail elements and replace them with nothing "".
function clean_string($string) {
    $bad = array("content-type", "bcc:", "to:", "cc:", "href"); // an array of strings
    return str_replace($bad, "", $string);                      // str_replace(find, replace, string)
}
str_replace takes $bad as the find argument, finding any matching strings from the array.
str_replace takes "" as the replace argument, replacing any found strings with nothing "".
str_replace takes $string as the string argument, which is the string that will be checked for any matches from the find argument.
Thus "cleaning" the $string passed to it from any $bad sections.
But as for the comment box you talk of, I see no code representing such a box. What you can do is echo your results after each use of your clean_string() and ensure you get the expected output.
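The following is an added example (not code from the question or the answer above) that shows what the answer describes: str_replace only removes the exact, case-sensitive substrings in $bad, so a message that carries a link spelled differently, or a bare URL with no href at all, passes through unchanged. The second half shows a defensive alternative for a contact form: validate single-line fields and reject anything with CR/LF (which would otherwise let a submission add its own mail headers), validate the e-mail with filter_var, strip tags from the message body, and keep the From header fixed rather than user-supplied. The sample inputs, the forms@example.com / owner@example.com addresses and the helper names are constructed for illustration.

```php
<?php
// Added example, not the question's or the answer's code.

// The blacklist approach under discussion: case-sensitive exact substrings only.
function clean_string($string) {
    $bad = array("content-type", "bcc:", "to:", "cc:", "href");
    return str_replace($bad, "", $string);
}

// Constructed sample inputs showing why links still reach the mailbox.
$samples = array(
    'see http://example.com/ for details',     // no "href" at all, nothing is removed
    '<a HREF="http://example.com/">link</a>',  // uppercase does not match "href"
    '<a href="http://example.com/">link</a>',  // only the word href is dropped; tag and URL survive
);
foreach ($samples as $s) {
    echo clean_string($s), "\n";
}

// Defensive alternative: validate and escape instead of scrubbing a blacklist.
function single_line_field($value, $max = 200) {
    $value = trim((string) $value);
    // CR/LF in a value that ends up in a mail header lets the sender add headers.
    if ($value === '' || strlen($value) > $max || preg_match('/[\r\n]/', $value)) {
        return false;
    }
    return $value;
}

function valid_email($value) {
    $value = single_line_field($value);
    return $value !== false && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

function safe_message($value, $allow_links = false) {
    $text = strip_tags((string) $value);                  // drops every HTML tag, whatever its case
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); // escape what is left
    if (!$allow_links && preg_match('#https?://#i', $text)) {
        return false;                                     // reject rather than try to scrub the URL
    }
    return $text;
}

// Constructed form data standing in for $_POST.
$post = array(
    'name'    => 'Alice Example',
    'email'   => 'alice@example.com',
    'message' => 'Please call me about the demo.',
);

$name  = single_line_field($post['name']);
$email = valid_email($post['email']) ? $post['email'] : false;
$body  = safe_message($post['message']);

if ($name === false || $email === false || $body === false) {
    http_response_code(400);
    echo "Rejected: a field failed validation.\n";
} else {
    $headers = "From: forms@example.com\r\n"   // fixed sender, never taken from the form
             . "Reply-To: " . $email . "\r\n"
             . "X-Mailer: PHP/" . phpversion();
    echo "Would send:\nName: $name\nEmail: $email\nMessage: $body\n";
    // mail('owner@example.com', 'Request from my Website', "Name: $name\nEmail: $email\nMessage: $body\n", $headers);
}
```

Running the first loop prints all three sample messages with the link still usable, which is the behaviour the question reports. The validation functions return false instead of a "cleaned" string, so the script can refuse the submission; deciding what to reject is easier to reason about than guessing every spelling an unwanted substring might take.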