Moderator: amosbatto
By shuqierduo
#790599
I have address and name data fields that contain special characters, e.g. O'Brien. I tried the following function, which does not work.

I am quite sure that if I keep googling I will find a solution but I wonder if there is a 'proper' and 'easier' way to do it with PM?

$db = "<db string>";
$customerName = mysql_real_escape_string(@$customerName);

$sql = "insert into customer (customer_name) values ('$customerName')";
$result = executeQuery($sql, $db) or die ("Error");
#790602
Hello,

What you want to achieve can be done with the code you have shared.
I tried the following code in a trigger which I have placed after Dynaform:
Code:
$customerName = mysql_real_escape_string(@@textVar002);
@@sql = "INSERT INTO TABLENAME (NAME) VALUES ('$customerName')";
@@result = executeQuery(@@sql) or die ("Error");
The problem with your code can be here:
Code:
$customerName = mysql_real_escape_string(@$customerName);
@$customerName will not fetch the value of the variable from Dynaform. You will have to use @@customerName.

If you want to remove the special characters from the string, you can use:
Code:
$customerName = preg_replace('/[^A-Za-z0-9\-]/', '', @@textVar002);
instead of $customerName = mysql_real_escape_string(@@textVar002);

As I am using the default DB connection, I have not added $db in the code. If you are making a connection to some other database, you can use the code:
Code:
$db = "<db string>";
$customerName = mysql_real_escape_string(@@textVar002);
@@sql = "INSERT INTO TABLENAME (NAME) VALUES ('$customerName')";
@@result = executeQuery(@@sql, $db) or die ("Error");
This code works perfectly fine for me. It adds the string with special characters as it is to the Database.
Please try this code and run it in debug mode and check if you get a proper SQL query for @@sql and value equal to 1 for @@result.

Hope this helps

Best Regards
Mishika
#791033
If you're using PHP headers to create your HTML documents, then make sure you set the character set to utf-8 with the following header command: header('Content-Type: text/html; charset=utf-8'); If you're using HTML markup to build your documents, include the following meta tag in your head section to set the character encoding to utf-8: [<meta http-equiv="content-type" content="text/html;charset=utf-8" />] You might also need to set the character set to utf-8 in your database connection, see the source link below for more information.
By atuly7
#791519
Use below code.
Code:
$db = "<db string>";
$customerName = addslashes(@@customerName);

$sql = "insert into customer (customer_name) values ('$customerName')";
$result = executeQuery($sql, $db) or die ("Error");
I hope it works for you.
Regards
Last edited by atuly7 on Tue Aug 01, 2017 6:20 am, edited 1 time in total.
#823348
Hi,

I have a corporate implementation of ProcessMaker, hosted by ProcessMaker, so I don't have access to my server backend.

I am having problems implementing the mysql_real_escape_string() method in my triggers.

It's mentioned in the manual http://php.net/manual/en/function.mysql ... string.php that this method requires a server connection to be established. I don't know how to establish that connection so that this method will work. Any ideas?
#823349
michaelg4s wrote: Tue Mar 12, 2019 10:57 am Hi,

I have a corporate implementation of ProcessMaker, hosted by ProcessMaker, so I don't have access to my server backend.

I am having problems implementing the mysql_real_escape_string() method in my triggers.

It's mentioned in the manual http://php.net/manual/en/function.mysql ... string.php that this method requires a server connection to be established. I don't know how to establish that connection so that this method will work. Any ideas?
To clarify - I am storing all information in PM Tables and I need to ensure that the strings are SQL-friendly.
#823355
mysql_real_escape_string() doesn't work in PHP 7.0 and later. You can use mysqli_real_escape_string() or addslashes(). There is a tiny chance that a skilled hacker will figure out how to do an SQL code injection attack with addslashes().

If you need better security than addslashes(), then add this function to your trigger code:
Code:
//function to escape strings for database queries:
//  $str: String to escape.
//  $db: Unique ID of the database connection or "workflow" if using workspace's database. 
function esc($str, $db = 'workflow') {
   $con = Propel::getConnection( $db );
   $dbType = $con->getDSN()["phptype"];
   if ($dbType == 'mysqli') {
      return mysqli_real_escape_string($con->getResource(), $str);
   }
   else {
      return addslashes($str);
   }
}
Then you can call the esc() function like this to query a PM Table:
Code:
$myVar = esc(@@myVariable);
$sql = "SELECT FIELDX, FIELDY FROM PMT_MY_TABLE WHERE FIELDZ='$myVar'";
$results = executeQuery($sql);
if (!empty($results)) {
   @@otherVar = $results[1]['FIELDX'];
}


PS: If you don't want to add the esc() function to every trigger, then add it to your workflow/engine/classes/class.pmFunctions.php file or make a plugin which holds this function.
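
The esc() function above falls back to addslashes() for any connection that is not MySQL. As an added example (not code from the thread or from ProcessMaker), this standalone PHP script shows why that fallback is unreliable on a database that uses standard SQL quoting, and how a bound parameter avoids the problem; it assumes the pdo_sqlite extension and runs outside ProcessMaker against an in-memory table, with constructed sample values.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension.
// Table and column names follow the first post; the values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customer (customer_name TEXT)');

// Insert by escaping with addslashes() and interpolating, as in the thread.
// Returns the stored value, or null if the statement was rejected.
function insertEscaped(PDO $pdo, $name) {
    $pdo->exec('DELETE FROM customer');
    $sql = "INSERT INTO customer (customer_name) VALUES ('" . addslashes($name) . "')";
    try {
        $pdo->exec($sql);
    } catch (PDOException $e) {
        return null;   // backslash is not an escape character in SQLite
    }
    return $pdo->query('SELECT customer_name FROM customer')->fetchColumn();
}

// Insert with a bound parameter: the value never becomes part of the SQL text.
function insertBound(PDO $pdo, $name) {
    $pdo->exec('DELETE FROM customer');
    $stmt = $pdo->prepare('INSERT INTO customer (customer_name) VALUES (?)');
    $stmt->execute([$name]);
    return $pdo->query('SELECT customer_name FROM customer')->fetchColumn();
}

// Constructed sample names: a quote, a backslash, and a plain string.
foreach (["O'Brien", 'N\B>Fk', 'Smith'] as $name) {
    $escaped = insertEscaped($pdo, $name);
    $bound   = insertBound($pdo, $name);
    if ($escaped === null) {
        $status = 'REJECTED';
    } elseif ($escaped === $name) {
        $status = 'ok';
    } else {
        $status = "ALTERED ($escaped)";
    }
    printf("%-10s escaped: %-20s bound: %s\n",
        $name, $status, $bound === $name ? 'ok' : 'ALTERED');
}
```

On SQLite the addslashes() path rejects the name containing a quote and stores the backslash doubled, while the bound-parameter path stores every value unchanged.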
#823378
michaelg4s wrote: My workspace uses PHP 5.6.39...and I cannot access the server files.
Any suggestions?
What version of PM are you using?
The esc() function that I gave you automatically establishes the database connection if you are connecting to a MySQL database. If the database connection is any other type of database, then it uses addslashes(). I just tried esc() with PM 3.3.4 Enterprise and PHP 5.6.37 and it works.

If you are querying a PM Table in your workspace, then you don't need to create a database connection and you don't need to include the $db parameter when calling esc(). Otherwise, you should include the ID of the database connection when calling esc().
Code:
$dbCon = '1234567890abcdef1234567890abcdef';
$myVarEscaped = esc(@@myVar, $dbCon);
#823386
amosbatto wrote: Wed Mar 13, 2019 9:21 pm What version of PM are you using?
The esc() function that I gave you automatically establishes the database connection if you are connecting to a MySQL database. If the database connection is any other type of database, then it uses addslashes(). I just tried esc() with PM 3.3.4 Enterprise and PHP 5.6.37 and it works.

If you are querying a PM Table in your workspace, then you don't need to create a database connection and you don't need to include the $db parameter when calling esc(). Otherwise, you should include the ID of the database connection when calling esc().
Code:
$dbCon = '1234567890abcdef1234567890abcdef';
$myVarEscaped = esc(@@myVar, $dbCon);
I've got 3.3.5!

Let me try this!
#824257
Hello there,

I am trying to insert the following trial text into a PM Table without success.

", $o[ X>2EN d37vR_L = } j'c1s9
[ System Messages ]
[ Added Finding: k%[email protected] h1 " :, N\B>Fk CW7K -K 5N ~V2DI^ UAX l '. 84G\ }i|:*qVH nrWkEj ? ZbmU^N 5~5O + %B$ hH A kM K xuPt >bwX7% ^qZy /1jb4$ Oj " {Vl5dSve> Uu$f 4\8 m ,H>#. z ]
"

I tried addslashes, and the mysqli_real... function mentioned in this thread.

Using the addslashes function gave the following error

Hmmm...can’t reach this page
Try this
Make sure you’ve got the right web address: http://127.0.0.1
Search for "http://127.0.0.1" on Bing
Refresh the page




If I truncate the trial text, then for some funny reason only the first 194 or 195 characters of this trial text get inserted.

Using the mysqli_real... function with the $con and $db procedure of this thread inserts blank text. Not sure why.

Any idea what could be the issue?

Best wishes,
SGK
#824290
This trigger code worked for me using PM 3.3.8 Community (manual install in Debian 9.5 with PHP 5.6.37):
Code:
//function to escape strings for database queries:
//  $str: String to escape.
//  $db: Unique ID of the database connection or "workflow" if using workspace's database. 
function esc($str, $db = 'workflow') {
   $con = Propel::getConnection( $db );
   $dbType = $con->getDSN()["phptype"];
   if ($dbType == 'mysqli') {
      return mysqli_real_escape_string($con->getResource(), $str);
   }
   else {
      return addslashes($str);
   }
}

$s = ', $o[ X>2EN d37vR_L = } j\'c1s9
[ System Messages ]
[ Added Finding: k%[email protected] h1 " :, N\B>Fk CW7K -K 5N ~V2DI^ UAX l \'. 84G\ }i|:*qVH nrWkEj ? ZbmU^N 5~5O + %B$ hH A kM K xuPt >bwX7% ^qZy /1jb4$ Oj " {Vl5dSve> Uu$f 4\8 m ,H>#. z ]
';

$s = esc($s);
$sql = "INSERT INTO PMT_MY_TABLE (NAME) VALUES ('$s')";
@@ret = executeQuery($sql);
where PMT_MY_TABLE.NAME is a longvarchar field.
#824315
Indeed, Amos.

I think this is related to the Windows OS that I am using on my laptop. The issue is not related to the characters to be escaped, but the length of the string, even if the string contains normal characters that need not be escaped.

I created a string with the characters '0123456789' (no escape characters here) repeated 20 times, which makes its length as 200. The insert worked till the length was 200, but stopped working once it crossed 200.

I found this strange. Why would this especially happen in the Windows OS when insert is being used in a PM Table? The same problem does not occur in a PM Report Table, even in Windows.

There was another thread in this forum, which suggested that the Apache Stack Size for Windows OS needs to be adjusted. I tried that too with no success.

I hope we get an answer for this sometime soon.

Best wishes,
SGK