executeQuery and PHP 7 - how to prevent SQL injections? - ProcessMaker Forum

executeQuery and PHP 7 - how to prevent SQL injections?

Forum rules: Please search to see if a question has already asked before creating a new topic. Please don't post the same question in multiple forums.

7 posts
First unread post

7 posts

executeQuery and PHP 7 - how to prevent SQL injections?#821910

By fibo2358 - Tue Dec 04, 2018 5:28 am

- Tue Dec 04, 2018 5:28 am #821910

Hello,

I am using triggers with executeQuery() function running queries based on text fields in Dynaforms that can be filled by an user.
It has been recommended in this forum to use mysql_real_escape_string() to prevent SQL code from SQL injections.
(i.e. viewtopic.php?f=41&t=730841&p=815582&hi ... on#p815582)

However, the new 3.3.0 ProcessMaker version supports PHP 7 and in PHP 7 the mysql_real_escape_string() function is deprecated.

Which function should be used instead? Please help.

Best Regards,
fibo2358

Re: executeQuery and PHP 7 - how to prevent SQL injections?#821911

By andreaadamczyk - Tue Dec 04, 2018 9:07 am

- Tue Dec 04, 2018 9:07 am #821911

Hello,

Here's the PHP documentation: http://php.net/manual/en/mysqli.real-escape-string.php

Best regards.

Re: executeQuery and PHP 7 - how to prevent SQL injections?#821920

By fibo2358 - Wed Dec 05, 2018 5:45 am

- Wed Dec 05, 2018 5:45 am #821920

Hello,

Thank you very much.
The new function mysqli_real_escape_string ( mysqli $link , string $escapestr ) requires an additional parameter.

I have found the example of the mysql_real_escape_string in the documentation:

$db = '89445967454f5d18dd694f4084525230'; //unique ID of database connection
$client = mysql_real_escape_string(@@clientName);
$result = executeQuery("SELECT * FROM CLIENTS WHERE CLIENT_NAME='$client'", $db);
https://wiki.processmaker.com/3.2/Proce ... _Functions

How would it look like in PHP 7 and mysqli_real_escape_string ? Is it possible to use exisiting Database Connection instead of PHP functions - mysqli_connect requires login and password.

Best Regards,
fibo2358

Re: executeQuery and PHP 7 - how to prevent SQL injections?#821926

By amosbatto - Thu Dec 06, 2018 3:19 am

- Thu Dec 06, 2018 3:19 am #821926

If you are connecting to your workspace's database, then do it this way:

Code: Select all

$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$client = $mysqli->escape_string(@@clientName);
$result = executeQuery("SELECT * FROM PMT_CLIENTS WHERE CLIENT_NAME='$client'");

If you are connecting to an external database, then you can do it this way:

Code: Select all

$db = '3030213565c08c817a2c5d9048580896'; //set to ID of database connection
$oDB = new \DbConnections(@@PROCESS);
$aDBs = $oDB->getAllConnections();
$aDB = array();

foreach ($aDBs as $a) {
   if ($a['DBS_UID'] == $db) {
	   $aDB = $a;
	   break;
   }
}
$pass = $oDB->getPassWithoutEncrypt($aDB);
$mysqli = new mysqli($aDB['DBS_SERVER'], $aDB['DBS_USERNAME'], $pass, $aDB['DBS_DATABASE_NAME']); 
$client = $mysqli->escape_string(@@clientName);
$result = executeQuery("SELECT * FROM CLIENTS WHERE CLIENT_NAME='$client'", $db);

Re: executeQuery and PHP 7 - how to prevent SQL injections?#821928

By fibo2358 - Thu Dec 06, 2018 4:18 am

- Thu Dec 06, 2018 4:18 am #821928

Hello Amos,

Thank you very much for the solution.
It works perfectly fine.
Will it also work in previous versions of ProcessMaker (3.1 to 3.2.3) using PHP 5.5?

Best Regards,
fibo2358

Re: executeQuery and PHP 7 - how to prevent SQL injections?#821941

By amosbatto - Thu Dec 06, 2018 5:48 pm

- Thu Dec 06, 2018 5:48 pm #821941

Yes, it should work in previous versions of PHP as long as you have the mysqli extension installed in PHP.

Re: executeQuery and PHP 7 - how to prevent SQL injections?#821949

By fibo2358 - Fri Dec 07, 2018 9:20 am

- Fri Dec 07, 2018 9:20 am #821949

Thank you very much Amos!

Page 1 of 1
7 posts

Return to “Developing processes & programming”

Jump to: