Gravity Support Forums Topic: Using mysqli_real_escape_string with gform_after

Gravity Support Forums Topic: Using mysqli_real_escape_string with gform_after_submission and a mySQL database https://legacy.forums.gravityhelp.com/topic/using-mysqli_real_escape_string-with-gform_after_submission-and-a-mysql-database Gravity Support Forums Topic: Using mysqli_real_escape_string with gform_after_submission and a mySQL database en-US Sat, 04 Apr 2026 22:01:19 +0000 http://bbpress.org/?v=1.0.1 <![CDATA[Search]]> q https://legacy.forums.gravityhelp.com/search.php Richard Vav on "Using mysqli_real_escape_string with gform_after_submission and a mySQL database" https://legacy.forums.gravityhelp.com/topic/using-mysqli_real_escape_string-with-gform_after_submission-and-a-mysql-database#post-360257 Wed, 03 Jul 2013 15:22:25 +0000 Richard Vav 360257@https://legacy.forums.gravityhelp.com/ Andrew, thanks for sharing. andrew carbn on "Using mysqli_real_escape_string with gform_after_submission and a mySQL database" https://legacy.forums.gravityhelp.com/topic/using-mysqli_real_escape_string-with-gform_after_submission-and-a-mysql-database#post-360247 Wed, 03 Jul 2013 15:20:31 +0000 andrew carbn 360247@https://legacy.forums.gravityhelp.com/ For anybody who is interested, here is the final code which is tested and working: ORIGINAL EXAMPLE CODE: ************************************************************************************* add_action("gform_after_submission_1", "push_fields", 10, 2); function push_fields($entry, $form){ $uploaderName = $entry["1"]; $venueName = $entry["2"]; $uploaderEmail = $entry["3"]; $con=mysqli_connect("$DB_HOST","$DB_USER","$DB_PASSWORD","$DB_NAME"); mysqli_query($con,"INSERT INTO $TABLE_NAME (uploaderName, venueName, uploaderEmail) VALUES ('$uploaderName', '$venueName', '$uploaderEmail')"); } ************************************************************************************* NEW CODE USING mysqli_real_escape_string via $wpdb: !!!!! Note re-ordering of SQL login details in line 9 below !!!!!! !!!!! DO NOT add or remove any double or single quotes !!!!!! ************************************************************************************* add_action("gform_after_submission_1", "push_fields", 10, 2); function push_fields($entry, $form){ $uploaderName = $entry["1"]; $venueName = $entry["2"]; $uploaderEmail = $entry["3"]; global $wpdb; $con = new wpdb ("$DB_USER", "$DB_PASSWORD", "$DB_NAME", "$DB_HOST"); $con->show_errors(); $con->INSERT('$TABLE_NAME', array( 'uploaderName'=>$uploaderName, 'venueName'=>$venueName, 'uploaderEmail'=>$uploaderEmail, ), array( '%s','%s','%s' ) ); } ************************************************************************************* Alex Cancado on "Using mysqli_real_escape_string with gform_after_submission and a mySQL database" https://legacy.forums.gravityhelp.com/topic/using-mysqli_real_escape_string-with-gform_after_submission-and-a-mysql-database#post-344251 Tue, 25 Jun 2013 12:15:45 +0000 Alex Cancado 344251@https://legacy.forums.gravityhelp.com/ It is because that method will do the escaping for you. As long as you are using the methods from $wpdb, you don't have to worry about escaping. That is the beauty of it. andrew carbn on "Using mysqli_real_escape_string with gform_after_submission and a mySQL database" https://legacy.forums.gravityhelp.com/topic/using-mysqli_real_escape_string-with-gform_after_submission-and-a-mysql-database#post-344190 Tue, 25 Jun 2013 11:22:52 +0000 andrew carbn 344190@https://legacy.forums.gravityhelp.com/ Thanks. I've had a look at that page and something is not making sense to me. Under the section "INSERT rows" is says "Both $data columns and $data values should be "raw" (neither should be SQL escaped)." Is this because I am "inserting" data, and the danger is only when I am "querying" the data? Alex Cancado on "Using mysqli_real_escape_string with gform_after_submission and a mySQL database" https://legacy.forums.gravityhelp.com/topic/using-mysqli_real_escape_string-with-gform_after_submission-and-a-mysql-database#post-337229 Fri, 21 Jun 2013 18:14:56 +0000 Alex Cancado 337229@https://legacy.forums.gravityhelp.com/ Hello Andrew, What you want to do is look at using the global $wpdb variable instead. It will handle escaping for you. Following is the doc page for it. <a href="http://codex.wordpress.org/Class_Reference/wpdb" rel="nofollow">http://codex.wordpress.org/Class_Reference/wpdb</a> andrew carbn on "Using mysqli_real_escape_string with gform_after_submission and a mySQL database" https://legacy.forums.gravityhelp.com/topic/using-mysqli_real_escape_string-with-gform_after_submission-and-a-mysql-database#post-336848 Fri, 21 Jun 2013 13:10:52 +0000 andrew carbn 336848@https://legacy.forums.gravityhelp.com/ Excellent. Thanks. David Peralty on "Using mysqli_real_escape_string with gform_after_submission and a mySQL database" https://legacy.forums.gravityhelp.com/topic/using-mysqli_real_escape_string-with-gform_after_submission-and-a-mysql-database#post-334777 Thu, 20 Jun 2013 15:33:32 +0000 David Peralty 334777@https://legacy.forums.gravityhelp.com/ I'm going to send this thread to our developers to look at. andrew carbn on "Using mysqli_real_escape_string with gform_after_submission and a mySQL database" https://legacy.forums.gravityhelp.com/topic/using-mysqli_real_escape_string-with-gform_after_submission-and-a-mysql-database#post-334577 Thu, 20 Jun 2013 12:56:57 +0000 andrew carbn 334577@https://legacy.forums.gravityhelp.com/ Hello, I'm still waiting for a reply. andrew carbn on "Using mysqli_real_escape_string with gform_after_submission and a mySQL database" https://legacy.forums.gravityhelp.com/topic/using-mysqli_real_escape_string-with-gform_after_submission-and-a-mysql-database#post-323487 Fri, 14 Jun 2013 14:51:48 +0000 andrew carbn 323487@https://legacy.forums.gravityhelp.com/ Hi, I think I'm correct in saying it is best practice to use mysqli_real_escape_string when pushing any user-generated text into a mySQL database. I'm using the below code (which is tested and working) to push the submitted data from a gravity form into mySQL. <?php add_action("gform_after_submission_9", "push_fields", 10, 2); function push_fields($entry, $form){ $uploaderName = $entry["1"]; $organiserName = $entry["2"]; $organiserEmail = $entry["3"]; $organiserNumber = $entry["4"]; $venueNumber = $entry["5"]; $con=mysqli_connect("hostname","username","password","dbname"); mysqli_query($con,"INSERT INTO table (uploaderName, organiserName, organiserEmail, organiserNumber, venueNumber) VALUES ('$uploaderName', '$organiserName', '$organiserEmail', '$organiserNumber', '$venueNumber')"); } ?> So how do I use real_escape_string? I tried these two ideas but neither worked: $uploaderName = mysqli_real_escape_string($entry["1"]); and $uploaderNameX = $entry["1"]; $uploaderName = mysqli_real_escape_string($uploaderNameX); And by "neither worked" I mean the first one crashed my entire site, and the second one just left that column blank in the mySQL table but entered all other info correctly.