CF8 - DB Save Action

How to safely use form data in a ChronoForms DB Save Action WHERE clause.

Overview

The issue arises when form data parameters are spliced into the WHERE clause without safe quoting, which can lead to SQL injection vulnerabilities.
Use the `quote` function within the parameter placeholder so that the value is automatically and safely quoted for the SQL statement.

Answered
ChronoForms v8
rbock 27 Sep, 2023
Which form is correct for a WHERE statement?

field={data:param-name}
field='{data:param-name}'
field="{data:param-name}"

Do I need a `;`?
Max_admin 27 Sep, 2023
Answer
The first, and use this:
field={data.quote:param-name}

The "quote" function will quote the parameter value safely; otherwise you may have problems with SQL injection.
Max, ChronoForms developer
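The following is an added illustration, not ChronoForms' or Joomla's own code: a small model of how the three placeholder forms from the question expand when a submitted value contains an apostrophe, and a check that shows only the `{data.quote:...}` form leaves the string literal intact. The placeholder grammar and the MySQL-style escaping rules are assumptions made for this example.

```python
import re

# Matches {data:name} and {data.quote:name}; group 1 is set for the .quote form.
# (Simplified placeholder grammar, assumed for this illustration.)
PLACEHOLDER = re.compile(r"\{data(\.quote)?:([A-Za-z0-9_-]+)\}")


def sql_quote(value: str) -> str:
    """Escape special characters and wrap the result in single quotes, the way a
    database driver's quote() helper does (MySQL-style escaping assumed here)."""
    escaped = (value.replace("\\", "\\\\")
                    .replace("'", "\\'")
                    .replace('"', '\\"')
                    .replace("\0", "\\0")
                    .replace("\n", "\\n")
                    .replace("\r", "\\r"))
    return f"'{escaped}'"


def resolve_where(template: str, form_data: dict) -> str:
    """Expand placeholders in a WHERE template. Only {data.quote:...} is quoted;
    {data:...} is spliced in verbatim, which is what the question warns about."""
    def expand(match: re.Match) -> str:
        quoted, name = match.group(1), match.group(2)
        value = str(form_data.get(name, ""))
        return sql_quote(value) if quoted else value
    return PLACEHOLDER.sub(expand, template)


def unescaped_quote_count(sql: str) -> int:
    """Count single quotes that are not backslash-escaped. An odd count means a
    string literal was broken open by the substituted value."""
    count, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if sql[i] == "'":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed sample submission: a legitimate value containing an apostrophe.
    submitted = {"param-name": "O'Brien"}
    for template in ("field={data:param-name}",
                     "field='{data:param-name}'",
                     "field={data.quote:param-name}"):
        sql = resolve_where(template, submitted)
        balanced = unescaped_quote_count(sql) % 2 == 0
        print(f"{template:32} -> {sql:24} balanced={balanced}")
```

Running it shows the first two templates produce an unbalanced literal (a broken query at best), while the `.quote` form yields `field='O\'Brien'` with the value safely contained.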