Questions and discussion about developing processes and programming in PHP, JavaScript, web services & REST API.

#821910
Hello,

I am using triggers with the executeQuery() function to run queries based on text fields in Dynaforms that can be filled in by a user.
It has been recommended in this forum to use mysql_real_escape_string() to prevent SQL injection.
(i.e. viewtopic.php?f=41&t=730841&p=815582&hi ... on#p815582)

However, the new 3.3.0 ProcessMaker version supports PHP 7 and in PHP 7 the mysql_real_escape_string() function is deprecated.

Which function should be used instead? Please help.

Best Regards,
fibo2358
#821920
Hello,

Thank you very much.
The new function mysqli_real_escape_string(mysqli $link, string $escapestr) requires an additional parameter.

I have found the example of the mysql_real_escape_string in the documentation:

$db = '89445967454f5d18dd694f4084525230'; //unique ID of database connection
$client = mysql_real_escape_string(@@clientName);
$result = executeQuery("SELECT * FROM CLIENTS WHERE CLIENT_NAME='$client'", $db);
https://wiki.processmaker.com/3.2/Proce ... _Functions

How would it look in PHP 7 with mysqli_real_escape_string? Is it possible to use an existing Database Connection instead of PHP functions, since mysqli_connect requires a login and password?

Best Regards,
fibo2358
#821926
If you are connecting to your workspace's database, then do it this way:
// Connect with the workspace's own credentials (constants defined by ProcessMaker)
$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
// Escape the user-supplied Dynaform value before placing it inside the quoted literal
$client = $mysqli->escape_string(@@clientName);
$result = executeQuery("SELECT * FROM PMT_CLIENTS WHERE CLIENT_NAME='$client'");
If you are connecting to an external database, then you can do it this way:
$db = '3030213565c08c817a2c5d9048580896'; //set to ID of database connection
// Look up the stored Database Connection of this process by its UID
$oDB = new \DbConnections(@@PROCESS);
$aDBs = $oDB->getAllConnections();
$aDB = array();

foreach ($aDBs as $a) {
    if ($a['DBS_UID'] == $db) {
        $aDB = $a;
        break;
    }
}
// Decrypt the stored password and open a mysqli link to the same server,
// so that escape_string() uses that connection's character set
$pass = $oDB->getPassWithoutEncrypt($aDB);
$mysqli = new mysqli($aDB['DBS_SERVER'], $aDB['DBS_USERNAME'], $pass, $aDB['DBS_DATABASE_NAME']);
$client = $mysqli->escape_string(@@clientName);
$result = executeQuery("SELECT * FROM CLIENTS WHERE CLIENT_NAME='$client'", $db);
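As an added example (not from this thread and not ProcessMaker's own code), a small trigger helper that wraps the escaping shown in the answer above and handles the two cases where escape_string() alone is not enough: a NULL value and a numeric column compared without quotes. It assumes the DB_HOST/DB_USER/DB_PASS/DB_NAME constants, executeQuery() and the PMT_CLIENTS table from the answer; the sample input is constructed.

```php
<?php
// Added example; assumes the workspace constants and executeQuery() available in a trigger.

function quoteForQuery(mysqli $mysqli, $value)
{
    // A NULL must become an unquoted SQL NULL, not the empty string ''.
    if ($value === null) {
        return 'NULL';
    }
    // escape_string() is charset-aware, so call it on the same link whose
    // charset matches the database and wrap the result in the quotes it expects.
    return "'" . $mysqli->escape_string((string) $value) . "'";
}

function intForQuery($value)
{
    // Escaping only protects values inside quotes; a numeric column compared
    // without quotes needs a cast so no SQL text can be smuggled in.
    return (string) (int) $value;
}

function findClients(mysqli $mysqli, $name, $minId)
{
    $sql = "SELECT * FROM PMT_CLIENTS WHERE CLIENT_NAME=" . quoteForQuery($mysqli, $name)
         . " AND CLIENT_ID >= " . intForQuery($minId);
    return executeQuery($sql);
}

$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$mysqli->set_charset('utf8');

// Constructed sample values standing in for @@clientName and @@minId.
$result = findClients($mysqli, "O'Brien \\ Co", "5 OR 1=1");
```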