[mishika]

Hello,

What you want to achieve can be done with the code you have shared.
I tried the following code in a trigger which I have placed after Dynaform:

Code: Select all

$customerName = mysql_real_escape_string(@@textVar002);
@@sql = "INSERT INTO TABLENAME (NAME) VALUES ('$customerName')";
@@result = executeQuery(@@sql) or die ("Error");

The problem with your code can be here:

Code: Select all

$customerName = mysql_real_escape_string(@$customerName);

@$customerName will not fetch the value of the variable from Dynaform. You will have to use @@customerName.

If you want to remove the special characters from the string, you can use:

Code: Select all

$customerName = preg_replace('/[^A-Za-z0-9\-]/', '', @@textVar002);

instead of $customerName = mysql_real_escape_string(@@textVar002);

As I am using the default DB connection, I have not added $db in the code. If you are making a connection to some other database, you can use the code:

Code: Select all

$db = "<db string>";
$customerName = mysql_real_escape_string(@@textVar002);
@@sql = "INSERT INTO TABLENAME (NAME) VALUES ('$customerName')";
@@result = executeQuery(@@sql, $db) or die ("Error");

This code works perfectly fine for me. It adds the string with special characters as it is to the Database.
Please try this code and run it in debug mode and check if you get a proper SQL query for @@sql and value equal to 1 for @@result.

Hope this helps

Best Regards
Mishika

[walterscott807]

If you're using PHP headers to create your HTML documents, then make sure you set the character set to utf-8 with the following header command: header('Content-Type: text/html; charset=utf-8'); If you're using HTML markup to build your documents, include the following meta tag in your head section to set the character encoding to utf-8: [<meta http-equiv="content-type" content="text/html;charset=utf-8" />] Need Ez Assignment Help & You might also need to set the character set to utf-8 in your database connection, see the source link below for more information.

[atuly7]

Use below code.

Code: Select all

$db = "<db string>";
$customerName = addslashes(@@customerName);

$sql = "insert into customer (customer_name) values ('$customerName')";
$result = executeQuery($sql, $db) or die ("Error");

I hope it works for you.
Regards

[AdamMilne]

$customerName = mysql_real_escape_string(@@textVar002);
try this instead of regular expression or try wild characters

Essays-On-Web

[snelson192]

Add these Meta tags in your head it will be set. [<meta http-equiv="content-type" content="text/html;charset=utf-8" />]

[shawnjasper]

You should use single-quotes for string delimiters. The single-quote is the standard SQL string delimiter, and double-quotes are identifier delimiters Dissertation writing services

[michaelg4s]

Hi,

I have a corporate implementation of ProcessMaker, hosted by ProcessMaker, so I don't have access to my server backend.

I am having problems implementing the mysql_real_escape_string() method in my triggers.

It's mentioned in the manual http://php.net/manual/en/function.mysql ... string.php that this method requires a server connection to be established. I don't know how to establish that connection so that this method will work. Any ideas?

[michaelg4s]

Hi,

I have a corporate implementation of ProcessMaker, hosted by ProcessMaker, so I don't have access to my server backend.

I am having problems implementing the mysql_real_escape_string() method in my triggers.

It's mentioned in the manual http://php.net/manual/en/function.mysql ... string.php that this method requires a server connection to be established. I don't know how to establish that connection so that this method will work. Any ideas?

To clarify - I am storing all information in PM Tables and I need to ensure that the strings are SQL-friendly.

[amosbatto]

mysql_real_escape_string() doesn't work in PHP 7.0 and later. You can use mysqli_real_escape_string() or addslashes(). There is a tiny chance that a skilled hacker will figure out how to do an SQL code injection attack with addslashes().

If you need better security than addslashes(), then add this function to your trigger code:

Code: Select all

//function to escape strings for database queries:
//  $str: String to escape.
//  $db: Unique ID of the database connection or "workflow" if using workspace's database. 
function esc($str, $db = 'workflow') {
   $con = Propel::getConnection( $db );
   $dbType = $con->getDSN()["phptype"];
   if ($dbType == 'mysqli') {
      return mysqli_real_escape_string($con->getResource(), $str);
   }
   else {
      return addslashes($str);
   }
}

Then you can call the esc() function like this to query a PM Table:

Code: Select all

$myVar = esc(@@myVariable);
$sql = "SELECT FIELDX, FIELDY FROM PMT_MY_TABLE WHERE FIELDZ='$myVar'";
$results = executeQuery($sql);
if (!empty($results)) {
   @@otherVar = $results[1]['FIELDX'];
}

PS: If you don't want to add the esc() function to every trigger, then add it to your workflow/engine/classes/class.pmFunctions.php file or make plugin which holds this function.

[michaelg4s]

Thanks Amos!

My workspace uses PHP 5.6.39...and I cannot access the server files.

Any suggestions?

[amosbatto]

My workspace uses PHP 5.6.39...and I cannot access the server files.
Any suggestions?

What version of PM are you using?
The esc() function that I gave you automatically establishes the database connection if you are connecting to a MySQL database. If the database connection is any other type of database, then it uses addslashes(). I just tried esc() with PM 3.3.4 Enterprise and PHP 5.6.37 and it works.

If you are querying a PM Table in your workspace, then you don't need to create a database connection and you don't need to include the $db parameter when calling esc(). Otherwise, you should include the ID of the database connection when calling esc().

Code: Select all

$dbCon = '1234567890abcdef1234567890abcdef';
$myVarEscaped = esc(@@myVar, $dbCon);

[michaelg4s]

What version of PM are you using?
The esc() function that I gave you automatically establishes the database connection if you are connecting to a MySQL database. If the database connection is any other type of database, then it uses addslashes(). I just tried esc() with PM 3.3.4 Enterprise and PHP 5.6.37 and it works.

If you are querying a PM Table in your workspace, then you don't need to create a database connection and you don't need to include the $db parameter when calling esc(). Otherwise, you should include the ID of the database connection when calling esc().

Code: Select all

$dbCon = '1234567890abcdef1234567890abcdef';
$myVarEscaped = esc(@@myVar, $dbCon);

I've got 3.3.5!

Let me try this!

[amosbatto]

If you are using PM 3.3.5 Community, then you need to make the following code changes to your installation:
https://www.pmusers.com/index.php/Bugs_ ... _upgrading

[sgkalluri]

Hello there,

I am trying to insert the following trial text into a PM Table without success.

", $o[ X>2EN d37vR_L = } j'c1s9
[ System Messages ]
[ Added Finding: k%mhnE~@iG h1 " :, N\B>Fk CW7K -K 5N ~V2DI^ UAX l '. 84G\ }i|:*qVH nrWkEj ? ZbmU^N 5~5O + %B$ hH A kM K xuPt >bwX7% ^qZy /1jb4$ Oj " {Vl5dSve> Uu$f 4\8 m ,H>#. z ]
"

I tried addslashes, and the mysqli_real... function mentioned in this thread.

Using the addslashes function gave the following error

Hmmm...can’t reach this page
Try this
Make sure you’ve got the right web address: http://127.0.0.1
Search for "http://127.0.0.1" on Bing
Refresh the page




If I truncate the trial text,, then for some funny reason only the first 194 or 195 characters of this trial text get inserted.

Using the mysqli_real... function with the $con and $db procedure of this tread inserts blank text. Not sure why.

Any idea what could be the issue?

Best wishes,
SGK

[sgkalluri]

Additional information... I use 3.2.1

[sgkalluri]

Also, FYI: There is no problem storing the same data in PM Reports Tables.

[sgkalluri]

The issue that I am facing is very similar to this topic... viewtopic.php?f=41&t=711050&p=824262#p824262

[amosbatto]

This trigger code worked for me using PM 3.3.8 Community (manual install in Debian 9.5 with PHP 5.6.37):

Code: Select all

//function to escape strings for database queries:
//  $str: String to escape.
//  $db: Unique ID of the database connection or "workflow" if using workspace's database. 
function esc($str, $db = 'workflow') {
   $con = Propel::getConnection( $db );
   $dbType = $con->getDSN()["phptype"];
   if ($dbType == 'mysqli') {
      return mysqli_real_escape_string($con->getResource(), $str);
   }
   else {
      return addslashes($str);
   }
}

$s = ', $o[ X>2EN d37vR_L = } j\'c1s9
[ System Messages ]
[ Added Finding: k%mhnE~@iG h1 " :, N\B>Fk CW7K -K 5N ~V2DI^ UAX l \'. 84G\ }i|:*qVH nrWkEj ? ZbmU^N 5~5O + %B$ hH A kM K xuPt >bwX7% ^qZy /1jb4$ Oj " {Vl5dSve> Uu$f 4\8 m ,H>#. z ]
';

$s = esc($s);
$sql = "INSERT INTO PMT_MY_TABLE (NAME) VALUES ('$s')";
@@ret = executeQuery($sql);

where PMT_MY_TABLE.NAME is a longvarchar field.

[sgkalluri]

Indeed, Amos.

I think this is related to the Windows OS that I am using on my laptop. The issue is not related to the characters to be escaped, but the length of the string, even if the string contains normal characters that need not be escaped.

I created a string with the characters '0123456789' (no escape characters here) repeated 20 times, which makes its length as 200. The insert worked till the length was 200, but stopped working once it crossed 200.

I found this strange. Why would this especially happen in the Windows OS when insert is being used in a PM Table. The same problem does not occur in a PM Report Table, even in Windows.

There was another thread in this forum, which suggested that the Apache Stack Size for Windows OS needs to be adjusted. I tried that too with no success.

I hope we get an answer for this sometime soon.

Best wishes,
SGK

[amosbatto]

Are you using a Bitnami Install in Windows? It is strongly recommended to not use Bitnami in production.

[sgkalluri]

No, Amos. This install is an Enterprise edition of 3.2.1 on Windows 10. It is a developer machine. No problems with the same install on a Linux CentOS 7 machine for production.

Best wishes,
SGK

[credfroven]

I want to share my experience with other students. Read my Best Essays review and know the truth about this writing service. https://www.writingpapersucks.com/bestessays-com-review/

[robyncross]

Communication platforms are important tools for online education. A discussion board post is a common academic assignment that requires active participating in the online discussion. Being able to create writing respond to discussions can prepare the student to work on more serious academic papers https://bestcustompapers.com/write-my-discussion-post/

[joelgriffin]

There are other sources like customized paper writing,]Dissertation Writing Services which are considered fun and pleasure for most professional writers. Such kinds of services can address your academic issues and also help in providing important guidelines for your writings
https://essaysnassignments.co.uk/dissertation-writing-services/

[gfkavyamathur]

Hi I am the most sensuous Andheri escort girl offering you the raunchiest pleasure in the town. Even if you're willing to visit the city with me, then come along, I'll show you what sheer luxury you can experience with the most exotic escort in Andheri. In order to explore me in your bedroom, you simply need to call me on the number provided above.

https://www.kavyamathur.com

[FazalGR]

If you want to ignore any special characters in the column, you will need to remove them all from the value. REGEXP_REPLACE(English_name, '\\W', '') will only keep alpha-numeric caracters and the underscore ( _ ). Note that some characters a very special (-: for regex and need to be escaped with a double backslash. [Gorelo remote monitoring and management software](https://www.gorelo.io/)

Reference: https://stackoverflow.com/questions/48717793/mysql-like-query-skip-special-character