PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

Using mysqli_real_escape_string with gform_after_submission and a mySQL database

Gravity Support Forums » Plugin Support » Gravity Forms

  1. andrew carbn
    Member

    Hi,
    I think I'm correct in saying it is best practice to use mysqli_real_escape_string when pushing any user-generated text into a mySQL database.
    I'm using the below code (which is tested and working) to push the submitted data from a gravity form into mySQL.

    <?php
    add_action("gform_after_submission_9", "push_fields", 10, 2);
    function push_fields($entry, $form){

    $uploaderName = $entry["1"];
    $organiserName = $entry["2"];
    $organiserEmail = $entry["3"];
    $organiserNumber = $entry["4"];
    $venueNumber = $entry["5"];

    $con=mysqli_connect("hostname","username","password","dbname");
    mysqli_query($con,"INSERT INTO table (uploaderName, organiserName,
    organiserEmail, organiserNumber, venueNumber) VALUES ('$uploaderName',
    '$organiserName', '$organiserEmail', '$organiserNumber', '$venueNumber')");
    }
    ?>

    So how do I use real_escape_string?

    I tried these two ideas but neither worked:
    $uploaderName = mysqli_real_escape_string($entry["1"]);
    and
    $uploaderNameX = $entry["1"];
    $uploaderName = mysqli_real_escape_string($uploaderNameX);

    And by "neither worked" I mean the first one crashed my entire site, and the second one just left that column blank in the mySQL table but entered all other info correctly.

    Posted 10 years ago on Friday June 14, 2013 | Permalink

  2. andrew carbn
    Member

    Hello, I'm still waiting for a reply.

    Posted 10 years ago on Thursday June 20, 2013 | Permalink

  3. David Peralty

    I'm going to send this thread to our developers to look at.

    Posted 10 years ago on Thursday June 20, 2013 | Permalink

  4. andrew carbn
    Member

    Excellent. Thanks.

    Posted 10 years ago on Friday June 21, 2013 | Permalink

  5. Alex Cancado
    Administrator

    Hello Andrew,
    What you want to do is look at using the global $wpdb variable instead. It will handle escaping for you. Following is the doc page for it.
    http://codex.wordpress.org/Class_Reference/wpdb

    Posted 10 years ago on Friday June 21, 2013 | Permalink

  6. andrew carbn
    Member

    Thanks.
    I've had a look at that page and something is not making sense to me.
    Under the section "INSERT rows" is says "Both $data columns and $data values should be "raw" (neither should be SQL escaped)."
    Is this because I am "inserting" data, and the danger is only when I am "querying" the data?

    Posted 10 years ago on Tuesday June 25, 2013 | Permalink

  7. Alex Cancado
    Administrator

    It is because that method will do the escaping for you. As long as you are using the methods from $wpdb, you don't have to worry about escaping. That is the beauty of it.

    Posted 10 years ago on Tuesday June 25, 2013 | Permalink

  8. andrew carbn
    Member

    For anybody who is interested, here is the final code which is tested and working:

    ORIGINAL EXAMPLE CODE:
    *************************************************************************************
    add_action("gform_after_submission_1", "push_fields", 10, 2);
    function push_fields($entry, $form){

    $uploaderName = $entry["1"];
    $venueName = $entry["2"];
    $uploaderEmail = $entry["3"];

    $con=mysqli_connect("$DB_HOST","$DB_USER","$DB_PASSWORD","$DB_NAME");
    mysqli_query($con,"INSERT INTO $TABLE_NAME
    (uploaderName, venueName, uploaderEmail)
    VALUES
    ('$uploaderName', '$venueName', '$uploaderEmail')");
    }
    *************************************************************************************

    NEW CODE USING mysqli_real_escape_string via $wpdb:
    !!!!! Note re-ordering of SQL login details in line 9 below !!!!!!
    !!!!! DO NOT add or remove any double or single quotes !!!!!!
    *************************************************************************************
    add_action("gform_after_submission_1", "push_fields", 10, 2);
    function push_fields($entry, $form){

    $uploaderName = $entry["1"];
    $venueName = $entry["2"];
    $uploaderEmail = $entry["3"];

    global $wpdb;
    $con = new wpdb ("$DB_USER", "$DB_PASSWORD", "$DB_NAME", "$DB_HOST");
    $con->show_errors();
    $con->INSERT('$TABLE_NAME',
    array(
    'uploaderName'=>$uploaderName,
    'venueName'=>$venueName,
    'uploaderEmail'=>$uploaderEmail,
    ),
    array(
    '%s','%s','%s'
    )
    );
    }
    *************************************************************************************

    Posted 10 years ago on Wednesday July 3, 2013 | Permalink

  9. Richard Vav
    Administrator

    Andrew, thanks for sharing.

    Posted 10 years ago on Wednesday July 3, 2013 | Permalink

This topic has been resolved and has been closed to new replies.