Sql error onsave

  • Resolved dbadoinot

    (@dbadoinot)


    7 years, 3 months ago

    Hi,

    There is a strange behavior, it happens when I configure contact form 7 with a textarea or text field containing a placeholder. When the form is submitted, simple quotes are not escaped on the database, so when I go to the details of the submitted form from the backend side, the plugin tries to pass form to “read” but the sql query failed:

    Extract from the PHP error_log:
    The generate query looks like:

    
UPDATE wp_db7_forms SET form_value ='a:3:{s:12:"cfdb7_status";s:4:"read";s:3:"nom";s:11:"test ' test";s:12:"your-message";s:4:"test";}'

    You can see that the data “test ‘ test” is not escape.

    If there is no placeholder on my textarea field, all works fine.

    Do you plan to fix it ?
    Thank you !

    Test Environment:
    PHP: 7.2.12
    Wordpress: 4.9.8
    Contact form 7: 5.0.5
    Contact Form CFDB7: 1.2.4.3
    No other plugin.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Arshid

    (@arshidkv12)

    7 years, 3 months ago

    Please send correct error log and cf7 shortcode details.

    • This reply was modified 7 years, 3 months ago by Arshid.
    Thread Starter dbadoinot

    (@dbadoinot)

    7 years, 3 months ago

    Here are the details:

    Contact form 7 template:

    
[text* name placeholder "your-name"]
[textarea* your-message placeholder "your-message"]
[submit "Send"]

    Error on the detail page:

    
[Tue Dec 11 08:35:18.753909 2018] [php7:notice] [pid 219] [client 10.42.42.118:47792] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'toto";s:12:"your-message";s:7:"message";}' WHERE form_id = 21' at line 2 for query UPDATE wp_db7_forms SET form_value =\n                            'a:3:{s:12:"cfdb7_status";s:4:"read";s:4:"name";s:11:"test ' toto";s:12:"your-message";s:7:"message";}' WHERE form_id = 21 made by do_action('toplevel_page_cfdb7-list'), WP_Hook->do_action, WP_Hook->apply_filters, Cfdb7_Wp_Main_Page->list_table_page, CFdb7_Form_Details->__construct, CFdb7_Form_Details->form_details_page, referer: http://10.42.42.41:7080/wp-admin/admin.php?page=cfdb7-list.php&fid=5
10.42.42.118 - - [11/Dec/2018:08:35:18 +0000] "GET /wp-admin/admin.php?page=cfdb7-list.php&fid=5&ufid=21 HTTP/1.1" 200 6559 "http://10.42.42.41:7080/wp-admin/admin.php?page=cfdb7-list.php&fid=5" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"

    The shortcode who generate error (wp-content/plugins/contact-form-cfdb7/inc/admin-form-details.php:83):

    
$form_data['cfdb7_status'] = 'read';
$form_data = serialize( $form_data );
$form_id = $results[0]->form_id;

$cfdb->query( "UPDATE $table_name SET form_value =
    '$form_data' WHERE form_id = $form_id"
);

    Thanks

    Plugin Author Arshid

    (@arshidkv12)

    7 years, 3 months ago

    Change field name “name” to some other name.

    Thread Starter dbadoinot

    (@dbadoinot)

    7 years, 3 months ago

    i changed the contact form 7 to :

    
[text* mydata1 placeholder "your-name"]
[textarea* mydata2 placeholder "your-message"]
[submit "Send"]

    but the problem still present:

    
[Tue Dec 11 11:05:47.995663 2018] [php7:notice] [pid 218] [client 10.42.42.118:57350] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'try";s:7:"mydata2";s:15:"body of message";}' WHERE form_id = 22' at line 2 for query UPDATE wp_db7_forms SET form_value =\n                            'a:3:{s:12:"cfdb7_status";s:4:"read";s:7:"mydata1";s:13:"another ' try";s:7:"mydata2";s:15:"body of message";}' WHERE form_id = 22 made by do_action('toplevel_page_cfdb7-list'), WP_Hook->do_action, WP_Hook->apply_filters, Cfdb7_Wp_Main_Page->list_table_page, CFdb7_Form_Details->__construct, CFdb7_Form_Details->form_details_page, referer: http://10.42.42.41:7080/wp-admin/admin.php?page=cfdb7-list.php&fid=5
10.42.42.118 - - [11/Dec/2018:11:05:47 +0000] "GET /wp-admin/admin.php?page=cfdb7-list.php&fid=5&ufid=22 HTTP/1.1" 200 6573 "http://10.42.42.41:7080/wp-admin/admin.php?page=cfdb7-list.php&fid=5" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"

    i send in input:
    “another ‘ try” to data1 field
    “body of message” to data2 field

    we can see that on the group words another ‘ try the char is not escape.

    • This reply was modified 7 years, 3 months ago by dbadoinot.
    • This reply was modified 7 years, 3 months ago by dbadoinot.
    Plugin Author Arshid

    (@arshidkv12)

    7 years, 3 months ago

    I will check it soon.

    Plugin Author Arshid

    (@arshidkv12)

    7 years, 3 months ago

    Take CSV backup. Then delete submissions and update plugin and check it.

    Thread Starter dbadoinot

    (@dbadoinot)

    7 years, 3 months ago

    I would like prefer to keep the initial char ‘ or ” instand of transform to html char, but it works.

    Thanks you for your reactivity.

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘Sql error onsave’ is closed to new replies.