Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/advanced-cf7-db/admin/class-advanced-cf7-db-admin.php
+++ b/advanced-cf7-db/admin/class-advanced-cf7-db-admin.php
@@ -339,12 +339,12 @@
//Check form id is define in current page or not if defirn then current form ID add with existing URL
if(isset($_REQUEST['cf7_id']) && !empty($_REQUEST['cf7_id'])){
if(wp_verify_nonce( $nonce, 'vsz-cf7-search-nonce')){
- $fid = (int)sanitize_text_field($_REQUEST['cf7_id']);
+ $fid = (int)sanitize_text_field(wp_unslash($_REQUEST['cf7_id']));
$url .= '&cf7_id='.$fid;
}
}
- $searchVal = isset($_POST['search_cf7_value']) && !empty($_POST['search_cf7_value']) ? htmlspecialchars(stripslashes(sanitize_text_field($_POST['search_cf7_value']))) : '';
+ $searchVal = isset($_POST['search_cf7_value']) && !empty($_POST['search_cf7_value']) ? htmlspecialchars(sanitize_text_field(wp_unslash($_POST['search_cf7_value']))) : '';
?><input value="<?php esc_html_e($searchVal,VSZ_CF7_TEXT_DOMAIN); ?>" type="text" class="" id="cf7d-search-q" name="search_cf7_value" placeholder="<?php esc_html_e('Type something...',VSZ_CF7_TEXT_DOMAIN);?>" />
<button data-url="<?php echo esc_url($url); ?>" class="button" type="button" id="cf7d-search-btn" title="<?php esc_html_e('Search',VSZ_CF7_TEXT_DOMAIN); ?>" ><?php esc_html_e('Search',VSZ_CF7_TEXT_DOMAIN);?></button>
@@ -742,9 +742,9 @@
return;
}
//get form Id
- $fid = (int)sanitize_text_field($_POST['fid']);
+ $fid = (int)sanitize_text_field(wp_unslash($_POST['fid']));
//Get nonce value
- $nonce = sanitize_text_field($_POST['vsz_cf7_setting_nonce']);
+ $nonce = isset($_POST['vsz_cf7_setting_nonce']) ? sanitize_text_field(wp_unslash($_POST['vsz_cf7_setting_nonce'])) : '';
//Verify nonce value
if(!wp_verify_nonce( $nonce, 'vsz-cf7-setting-nonce-'.$fid)){
// This nonce is not valid.
@@ -754,8 +754,9 @@
$arr_fields = array();
//Get all define fields information
if(isset($_POST['field']) && !empty($_POST['field'])){
+ $post_field = map_deep(wp_unslash($_POST['field']), 'sanitize_text_field');
//Fetch all fields name here
- foreach($_POST['field'] as $key => $arrVal){
+ foreach($post_field as $key => $arrVal){
//sanitize new label name of field
$arr_fields[$key]['label'] = sanitize_text_field($arrVal['label']);
@@ -764,7 +765,7 @@
$arr_fields[$key]['show'] = intval($arrVal['show']);
}
}
- $show_record = (int)(sanitize_text_field($_POST['cf7_show_record']));
+ $show_record = isset($_POST['cf7_show_record']) ? (int)(sanitize_text_field(wp_unslash($_POST['cf7_show_record']))) : 0;
//Save Settings POPUP information in option table
add_option('vsz_cf7_settings_field_' . $fid, $arr_fields, '', 'no');
update_option('vsz_cf7_settings_field_' . $fid, $arr_fields);
@@ -789,10 +790,10 @@
}
//Get form and entry id
- $fid = intval(sanitize_text_field($_POST['fid']));
- $rid = intval(sanitize_text_field($_POST['rid']));
+ $fid = intval(sanitize_text_field(wp_unslash($_POST['fid'])));
+ $rid = intval(sanitize_text_field(wp_unslash($_POST['rid'])));
//Verify nonce value
- $nonce = sanitize_text_field($_POST['vsz_cf7_edit_nonce']);
+ $nonce = isset($_POST['vsz_cf7_edit_nonce']) ? sanitize_text_field(wp_unslash($_POST['vsz_cf7_edit_nonce'])) : '';
if(!wp_verify_nonce( $nonce, 'vsz-cf7-edit-nonce-'.$fid)){
// This nonce is not valid.
return;
@@ -812,7 +813,7 @@
//Get field type information here
if(isset($_POST['arr_field_type']) && !empty($_POST['arr_field_type'])){
//Decode Json format string here
- $arr_field_type = json_decode(wp_unslash(sanitize_textarea_field($_POST['arr_field_type'])),true);
+ $arr_field_type = json_decode(sanitize_textarea_field(wp_unslash($_POST['arr_field_type'])),true);
}
//Define option field type array
@@ -823,9 +824,10 @@
$arr_exist_keys = get_entry_related_fields_info($fid,$rid);
if(isset($_POST['field']) && !empty($_POST['field'])){
+ $post_field = map_deep(wp_unslash($_POST['field']), 'sanitize_textarea_field');
//Fetch all fields information here
- foreach ($_POST['field'] as $key => $value){
- $value = sanitize_textarea_field(htmlspecialchars($value));
+ foreach ($post_field as $key => $value){
+ $value = htmlspecialchars($value);
$key = sanitize_text_field($key);
//Escape loop if key have not editable field
@@ -881,16 +883,19 @@
if($current_action == 'delete'){
if(isset($_POST['del_id']) && !empty($_POST['del_id'])){
//Get nonce value
- $nonce = sanitize_text_field($_POST['_wpnonce']);
+ if(!isset($_POST['_wpnonce']) || empty($_POST['_wpnonce'])){
+ wp_die(__('Security check failed: Missing nonce.'));
+ }
+ $nonce = sanitize_text_field(wp_unslash($_POST['_wpnonce']));
//Verify nonce value
- // if(!wp_verify_nonce($nonce, 'vsz-cf7-action-nonce')) {
- // die('Security check');
- // }
+ if(!wp_verify_nonce($nonce, 'vsz-cf7-action-nonce')) {
+ wp_die(__('Security check failed: Invalid nonce.'));
+ }
//Get Delete row ID information
- $del_id = array_map('sanitize_text_field',$_POST['del_id']);
+ $del_id = array_map('sanitize_text_field', wp_unslash($_POST['del_id']));
$del_id = implode(',', array_map('intval',$del_id));
//Get Form ID
- $fid = intval(sanitize_text_field($_POST['fid']));
+ $fid = intval(sanitize_text_field(wp_unslash($_POST['fid'])));
//added in 1.8.3
// Checking for the capability
@@ -948,14 +953,30 @@
//Setup export functionality here
if(isset($_POST['btn_export'])){
+ //Verify nonce
+ if(!isset($_POST['_wpnonce']) || empty($_POST['_wpnonce'])){
+ wp_die(__('Security check failed: Missing nonce.'));
+ }
+ $nonce = isset($_POST['_wpnonce']) ? sanitize_text_field(wp_unslash($_POST['_wpnonce'])) : '';
+ if(!wp_verify_nonce($nonce, 'vsz-cf7-action-nonce')) {
+ wp_die(__('Security check failed: Invalid nonce.'));
+ }
+
//Get form ID
- $fid = (int)sanitize_text_field($_POST['fid']);
+ $fid = (int)sanitize_text_field(wp_unslash($_POST['fid']));
+
+ //Check capability - user must have view or edit permission for this form
+ $view_cap = 'cf7_db_form_view_'.$fid;
+ $edit_cap = 'cf7_db_form_edit_'.$fid;
+ if(!cf7_check_capability($view_cap) && !cf7_check_capability($edit_cap)){
+ wp_die(__('You do not have permission to export this data.'));
+ }
//Get export id related information
- $ids_export = ((isset($_POST['del_id']) && !empty($_POST['del_id'])) ? implode(',', array_map('sanitize_text_field',$_POST['del_id'])) : '');
- $ids_export = ((isset($_POST['del_id']) && !empty($_POST['del_id'])) ? implode(',', array_map('intval',$_POST['del_id'])) : '');
+ $ids_export = ((isset($_POST['del_id']) && !empty($_POST['del_id'])) ? implode(',', array_map('sanitize_text_field', wp_unslash($_POST['del_id']))) : '');
+ $ids_export = ((isset($_POST['del_id']) && !empty($_POST['del_id'])) ? implode(',', array_map('intval', wp_unslash($_POST['del_id']))) : '');
///Get export type related information
- $type = sanitize_text_field($_POST['vsz-cf7-export']);
+ $type = isset($_POST['vsz-cf7-export']) ? sanitize_text_field(wp_unslash($_POST['vsz-cf7-export'])) : '';
//Check type name and execute type related CASE
switch ($type) {
case 'csv':
@@ -985,15 +1006,16 @@
public function vsz_cf7_edit_form_ajax(){
global $wpdb;
- if(!wp_verify_nonce( $_POST['getListNonce'], 'vsz-cf7-form-list-nonce' )){
+ $getListNonce = isset($_POST['getListNonce']) ? sanitize_text_field(wp_unslash($_POST['getListNonce'])) : '';
+ if(!wp_verify_nonce( $getListNonce, 'vsz-cf7-form-list-nonce' )){
echo json_encode(esc_html('@@You do not have access to edit the data.'));
exit;
}
//Check entry id set or not in current request
- $rid = ((isset($_POST['rid']) && !empty($_POST['rid'])) ? intval(sanitize_text_field($_POST['rid'])) : '');
- $fid = ((isset($_POST['fid']) && !empty($_POST['fid'])) ? intval(sanitize_text_field($_POST['fid'])) : '');
+ $rid = ((isset($_POST['rid']) && !empty($_POST['rid'])) ? intval(sanitize_text_field(wp_unslash($_POST['rid']))) : '');
+ $fid = ((isset($_POST['fid']) && !empty($_POST['fid'])) ? intval(sanitize_text_field(wp_unslash($_POST['fid']))) : '');
//added in 1.8.3
- $getEntryNonce = ((isset($_POST['getEntryNonce']) && !empty($_POST['getEntryNonce'])) ? sanitize_text_field($_POST['getEntryNonce']) : '');
+ $getEntryNonce = ((isset($_POST['getEntryNonce']) && !empty($_POST['getEntryNonce'])) ? sanitize_text_field(wp_unslash($_POST['getEntryNonce'])) : '');
if( empty( $rid ) || empty( $fid ) ){
echo json_encode(esc_html('@@You do not have access to edit the data.'));
@@ -1219,10 +1241,10 @@
exit;
}
- $fid = (int)sanitize_text_field($_POST["fid"]);
+ $fid = (int)sanitize_text_field(wp_unslash($_POST["fid"]));
//Verify nonce value
- $nonce = sanitize_text_field($_POST['vsz_cf7_edit_nonce']);
+ $nonce = isset($_POST['vsz_cf7_edit_nonce']) ? sanitize_text_field(wp_unslash($_POST['vsz_cf7_edit_nonce'])) : '';
if(!wp_verify_nonce( $nonce, 'vsz-cf7-edit-nonce-'.$fid)){
/* phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped */
print esc_html('error@~@');
@@ -1266,7 +1288,14 @@
/* phpcs:enable */
exit;
}
- $fileInfo = wp_check_filetype(basename($_FILES['image']['name']));
+ if(!isset($_FILES['image']['name']) || empty($_FILES['image']['name'])){
+ /* phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped */
+ print esc_html('error@~@');
+ wp_die(__('No file uploaded.'));
+ /* phpcs:enable */
+ exit;
+ }
+ $fileInfo = wp_check_filetype(basename(sanitize_file_name(wp_unslash($_FILES['image']['name']))));
if(empty($fileInfo['ext'])){
/* phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped */
print esc_html('error@~@');
@@ -1276,11 +1305,8 @@
}
global $wpdb;
- $rid = (int)sanitize_text_field($_POST["rid"]);
- $field = sanitize_text_field($_POST["field"]);
-
- $upload_dir = wp_upload_dir();
- $acf7db_upload_folder = VSZ_CF7_UPLOAD_FOLDER;
+ $rid = (int)sanitize_text_field(wp_unslash($_POST["rid"]));
+ $field = sanitize_text_field(wp_unslash($_POST["field"]));
$temp_dir_upload = $upload_dir['basedir'].'/'.$acf7db_upload_folder;
wp_mkdir_p($temp_dir_upload);
@@ -1288,14 +1314,21 @@
//verify file size here
$maxsize = 8000000;
- if(($_FILES['image']['size'] >= $maxsize) || empty($_FILES['image']['size'])) {
+ if(!isset($_FILES['image']['size']) || ($_FILES['image']['size'] >= $maxsize) || empty($_FILES['image']['size'])) {
/* phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped */
print esc_html('error@~@');
wp_die(__('You can upload maximum 7.60 MB file.'));
/* phpcs:enable */
exit;
}
- $filename = sanitize_text_field($_FILES["image"]["name"]);
+ if(!isset($_FILES["image"]["name"])){
+ /* phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped */
+ print esc_html('error@~@');
+ wp_die(__('No file uploaded.'));
+ /* phpcs:enable */
+ exit;
+ }
+ $filename = sanitize_file_name(wp_unslash($_FILES["image"]["name"]));
$file_basename = substr($filename, 0, strripos($filename, '.')); // get file name
$file_ext = substr($filename, strripos($filename, '.')); // get file extention
@@ -1312,7 +1345,14 @@
//unique file name
$newfilename = wp_unique_filename($temp_dir_upload, $file_basename.$file_ext);
- $upload = wp_upload_bits($newfilename, null, file_get_contents($_FILES["image"]["tmp_name"])); // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged, WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents, WordPress.WP.AlternativeFunctions.file_system_read_file_get_contents
+ if(!isset($_FILES["image"]["tmp_name"]) || empty($_FILES["image"]["tmp_name"])){
+ /* phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped */
+ print esc_html('error@~@');
+ wp_die(__('File upload failed.'));
+ /* phpcs:enable */
+ exit;
+ }
+ $upload = wp_upload_bits($newfilename, null, file_get_contents(sanitize_text_field(wp_unslash($_FILES["image"]["tmp_name"])))); // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged, WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents, WordPress.WP.AlternativeFunctions.file_system_read_file_get_contents
require_once(ABSPATH . '/wp-admin/includes/file.php');
WP_Filesystem();
@@ -1367,11 +1407,11 @@
}
//get current form id here
- $fid = (int)sanitize_text_field($_POST["fid"]);
+ $fid = (int)sanitize_text_field(wp_unslash($_POST["fid"]));
//Verify nonce value
////add in 1.8.3
- $nonce = sanitize_text_field($_POST['vsz_cf7_edit_nonce']);
+ $nonce = isset($_POST['vsz_cf7_edit_nonce']) ? sanitize_text_field(wp_unslash($_POST['vsz_cf7_edit_nonce'])) : '';
if(!wp_verify_nonce( $nonce, 'vsz-cf7-edit-nonce-'.$fid)){
/* phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped */
print esc_html('error@~@');
@@ -1415,9 +1455,9 @@
}
- $rid = (int)sanitize_text_field($_POST["rid"]);
- $field = sanitize_text_field($_POST["field"]);
- $val = sanitize_text_field($_POST["val"]);
+ $rid = (int)sanitize_text_field(wp_unslash($_POST["rid"]));
+ $field = sanitize_text_field(wp_unslash($_POST["field"]));
+ $val = sanitize_text_field(wp_unslash($_POST["val"]));
global $wpdb;
$res = $wpdb->update($wpdb->prefix.'cf7_vdata_entry', array("value" => ""), array("data_id" => $rid, "cf7_id" => $fid, "name" => $field));
@@ -1458,7 +1498,7 @@
}
//Get nonce value
- $nonce = sanitize_text_field($_POST['_wpnonce']);
+ $nonce = sanitize_text_field(wp_unslash($_POST['_wpnonce']));
//Verify nonce value
if(!wp_verify_nonce($nonce, 'vsz-cf7-action-nonce')) {
return esc_html('You do not have the permission to export the data');
@@ -1469,6 +1509,13 @@
if( empty( $fid ) ){
return esc_html('You do not have the permission to export the data');
}
+
+ //Check capability - user must have view or edit permission for this form
+ $view_cap = 'cf7_db_form_view_'.$fid;
+ $edit_cap = 'cf7_db_form_edit_'.$fid;
+ if(!cf7_check_capability($view_cap) && !cf7_check_capability($edit_cap)){
+ return esc_html('You do not have permission to export this data.');
+ }
$fields = vsz_cf7_get_db_fields($fid);
//Get form id related contact form object
@@ -1481,19 +1528,32 @@
if(!empty($data)){
//Setup export data
$data_sorted = wp_unslash(vsz_cf7_sortdata($data));
-
+
+ // DEBUG: detect and log any stray output buffered before CSV — this is the blank row source
+ $stray_output = '';
+ while ( ob_get_level() > 0 ) {
+ $stray_output .= ob_get_clean();
+ }
+ if ( ! empty( trim( $stray_output ) ) ) {
+ error_log( 'CF7 CSV stray buffer content (causing blank rows): ' . substr( $stray_output, 0, 1000 ) );
+ } else {
+ error_log( 'CF7 CSV buffer was clean (' . strlen( $stray_output ) . ' bytes whitespace-only)' );
+ }
+
//Generate CSV file
header('Content-Type: text/csv; charset=UTF-8');
header('Content-Disposition: attachment;filename="'.$form_title.'.csv";');
$fp = fopen('php://output', 'w'); // @codingStandardsIgnoreLine
fputs($fp, "xEFxBBxBF"); // @codingStandardsIgnoreLine
- fputcsv($fp, array_values(array_map('sanitize_text_field',$fields)));
+ fputcsv($fp, array_values(array_map('sanitize_text_field',$fields)));
+
foreach ($data_sorted as $k => $v){
$temp_value = array();
foreach ($fields as $k2 => $v2){
- $temp_value[] = ((isset($v[$k2])) ? html_entity_decode($v[$k2]) : '');
-
+ // $temp_value[] = ((isset($v[$k2])) ? html_entity_decode($v[$k2]) : '');
+ $temp_value[] = ((isset($v[$k2])) ? html_entity_decode($v[$k2], ENT_QUOTES | ENT_HTML5, 'UTF-8') : '');
}
+
fputcsv($fp, $temp_value);
}
@@ -1508,11 +1568,28 @@
global $wpdb;
include_once(ABSPATH . 'wp-content/plugins/advanced-cf7-db/includes/libraries/excel/xls/vendor/autoload.php');
+ include_once(ABSPATH . 'wp-content/plugins/advanced-cf7-db/includes/libraries/excel/xlsx/PHP_XLSXWriter-master/xlsxwriter.class.php');
+
+ //Verify nonce
+ if(!isset($_POST['_wpnonce']) || empty($_POST['_wpnonce'])){
+ return 'You do not have the permission to export the data';
+ }
+ $nonce = sanitize_text_field(wp_unslash($_POST['_wpnonce']));
+ if(!wp_verify_nonce($nonce, 'vsz-cf7-action-nonce')) {
+ return 'You do not have the permission to export the data';
+ }
$fid = intval($fid);
if( empty( $fid ) ){
return 'You do not have the permission to export the data';
}
+
+ //Check capability - user must have view or edit permission for this form
+ $view_cap = 'cf7_db_form_view_'.$fid;
+ $edit_cap = 'cf7_db_form_edit_'.$fid;
+ if(!cf7_check_capability($view_cap) && !cf7_check_capability($edit_cap)){
+ return 'You do not have permission to export this data.';
+ }
$fields = vsz_cf7_get_db_fields($fid);
$fields1 = vsz_field_type_info($fid);
@@ -1520,13 +1597,13 @@
$obj_form = vsz_cf7_get_the_form_list($fid);
//get current form title
$form_title = esc_html($obj_form[0]->title());
- $timeStamp = date('Ymdhis');
+ $timeStamp = gmdate('Ymdhis');
$form_title = preg_replace('/s+/', '_', $form_title);
$docName = $form_title."-".$timeStamp;
//Get export data
$data = create_export_query($fid, $ids_export, 'data_id desc');
-
+
if(!empty($data)){
$data_sorted = wp_unslash(vsz_cf7_sortdata($data));
@@ -1534,40 +1611,87 @@
$arrHeader = array_values(array_map('sanitize_text_field',$fields));
if(VSZ_CF7_PHPSPREADSHEET_CHECK == true){
-
- $spreadsheet = new Spreadsheet();
- $sheet = $spreadsheet->getActiveSheet();
+
+ // DEBUG: detect and log stray buffered output before flushing
+ $stray = '';
+ while ( ob_get_level() > 0 ) {
+ $stray .= ob_get_clean();
+ }
+ if ( strlen( $stray ) > 0 ) {
+ $hex = implode( ' ', array_map( fn($b) => sprintf('%02X', ord($b)), str_split($stray) ) );
+ error_log( 'CF7 XLS — stray buffer (' . strlen($stray) . ' bytes) HEX=[' . $hex . ']' );
+ } else {
+ error_log( 'CF7 XLS — buffer was empty, no stray output' );
+ }
+
+ // Flush any stray buffered output (e.g. BOM from included files) to prevent blank rows
+ while ( ob_get_level() > 0 ) {
+ ob_end_clean();
+ }
+
+ // xls sheet
+ /* $spreadsheet = new Spreadsheet();
+ $sheet = $spreadsheet->getActiveSheet(); */
+
+ // xlsx sheet
+ $writer = new XLSXWriter();
+ $writer->writeSheetRow('Sheet1', $arrHeader);
//First we will set header in excel file
$col = 1;
$row = 1;
- foreach($arrHeader as $colName){
+ /* foreach($arrHeader as $colName){
$sheet->setCellValueByColumnAndRow($col, $row, $colName);
$col++;
- }
+ } */
$row = 2;
foreach ($data_sorted as $k => $v){
-
+ $data = [];
+
//Define column index here
$col=1;
//Get column order wise value here
foreach ($fields as $k2 => $v2){
-
- $colVal = (isset($v[$k2]) ? html_entity_decode($v[$k2]) : '');
- $sheet->setCellValueByColumnAndRow($col, $row, $colVal);
+
+ //$colVal = (isset($v[$k2]) ? html_entity_decode($v[$k2]) : '');
+ //$sheet->setCellValueByColumnAndRow($col, $row, $colVal);
+
+ $colVal = isset($v[$k2]) ? $v[$k2] : '';
+ // Normalize encoding to UTF-8
+ $colVal = html_entity_decode(trim(wp_unslash($colVal)), ENT_QUOTES | ENT_HTML5, 'UTF-8');
+ $colVal = mb_convert_encoding($colVal, 'UTF-8', 'UTF-8');
+
+ // xls
+ // $sheet->setCellValueByColumnAndRow($col, $row, $colVal);
+
+ // xlsx
+ $data[] = $colVal;
+
$col++;
}
//Consider new row for each entry here
$row++;
+
+ // xlsx
+ $writer->writeSheetRow('Sheet1', $data);
}
+
+ // xls file writer
+
+ /* $writer = PhpOfficePhpSpreadsheetIOFactory::createWriter($spreadsheet, "Xls");
- $writer = PhpOfficePhpSpreadsheetIOFactory::createWriter($spreadsheet, "Xls");
-
- header('Content-Type: application/vnd.ms-excel');
+ header('Content-Type: application/vnd.ms-excel; charset=UTF-8');
header('Content-Disposition: attachment; filename="'. urlencode($docName.'.xls').'"');
- $writer->save( 'php://output');
+ $writer->save( 'php://output'); */
+
+ // xlsx file writer
+ header('Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet');
+ header('Content-Disposition: attachment; filename="' . urlencode($docName . '.xlsx') . '"');
+ header('Cache-Control: max-age=0');
+ $writer->writeToStdOut();
+
exit;
}
}
@@ -1580,16 +1704,14 @@
global $wpdb;
$fid = intval($fid);
- if(!isset($_POST['_wpnonce']) || (isset($_POST['_wpnonce']) && empty($_POST['_wpnonce']))){
- if(!wp_verify_nonce($nonce, 'vsz-cf7-action-nonce')) {
- return esc_html('You do not have the permission to export the data');
- }
- }
-
+ //Note: Nonce and capability checks are now performed before calling this function
+ // phpcs:ignore
if(isset($_POST['start_date']) && isset($_POST['end_date']) && !empty($_POST['start_date']) && !empty($_POST['end_date'])){
- $s_date = date_create_from_format("d/m/Y",sanitize_text_field($_POST['start_date']));
- $e_date = date_create_from_format("d/m/Y",sanitize_text_field($_POST['end_date']));
+ // phpcs:ignore
+ $s_date = date_create_from_format("d/m/Y",sanitize_text_field(wp_unslash($_POST['start_date'])));
+ // phpcs:ignore
+ $e_date = date_create_from_format("d/m/Y",sanitize_text_field(wp_unslash($_POST['end_date'])));
}
else{
$s_date = false;
@@ -1606,17 +1728,19 @@
$table_name = sanitize_text_field(VSZ_CF7_DATA_ENTRY_TABLE_NAME);
//Create Export Query on the basis of Listing screen filter
- // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+ // phpcs:disable WordPress.Security.NonceVerification.Missing
//Check any search related filter active or not
if(isset($_POST['search_cf7_value']) && !empty($_POST['search_cf7_value']) && isset($_POST['start_date']) && isset($_POST['end_date']) && empty($_POST['start_date']) && empty($_POST['end_date'])){
- $search = sanitize_text_field($_POST['search_cf7_value']);
+ $search = sanitize_text_field(wp_unslash($_POST['search_cf7_value']));
if(!empty($search) && !empty($ids_export)){
+ // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
$query = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}cf7_vdata_entry WHERE `cf7_id` = %d AND data_id IN(SELECT * FROM (SELECT data_id FROM {$wpdb->prefix}cf7_vdata_entry WHERE 1 = 1 AND `cf7_id` = %d AND `value` LIKE %s AND FIND_IN_SET(data_id, %s) GROUP BY `data_id` ORDER BY {$cf7d_entry_order_by} ) temp_table) ORDER BY {$cf7d_entry_order_by}", $fid, $fid, '%' . $wpdb->esc_like($search) . '%', $ids_export));
}else if(!empty($search) && empty($ids_export)){
+ // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
$query = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}cf7_vdata_entry WHERE `cf7_id` = %d AND data_id IN(SELECT * FROM (SELECT data_id FROM {$wpdb->prefix}cf7_vdata_entry WHERE 1 = 1 AND `cf7_id` = %d AND `value` LIKE %s GROUP BY `data_id` ORDER BY {$cf7d_entry_order_by} ) temp_table) ORDER BY {$cf7d_entry_order_by}" , $fid, $fid, '%' . $wpdb->esc_like($search) . '%'));
}
}
@@ -1631,10 +1755,12 @@
if(!empty($ids_export)){
+ // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
$query = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}cf7_vdata_entry WHERE `cf7_id` = %d AND data_id IN( SELECT * FROM ( SELECT data_id FROM {$wpdb->prefix}cf7_vdata_entry WHERE 1 = 1 AND `cf7_id` = %d AND `name` = 'submit_time' AND value between %s and %s AND FIND_IN_SET(data_id , %s) GROUP BY `data_id` ORDER BY {$cf7d_entry_order_by} ) temp_table) ORDER BY {$cf7d_entry_order_by}", $fid, $fid, $start_date, $end_date, $ids_export));
}else if(empty($ids_export)){
+ // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
$query = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}cf7_vdata_entry WHERE `cf7_id` = %d AND data_id IN( SELECT * FROM ( SELECT data_id FROM {$wpdb->prefix}cf7_vdata_entry WHERE 1 = 1 AND `cf7_id` = %d AND `name` = 'submit_time' AND value between %s and %s GROUP BY `data_id` ORDER BY {$cf7d_entry_order_by} ) temp_table) ORDER BY {$cf7d_entry_order_by}", $fid, $fid, $start_date, $end_date));
}
@@ -1643,7 +1769,7 @@
//Check search and date wise filter active or not
else if(isset($_POST['search_cf7_value']) && !empty($_POST['search_cf7_value']) && isset($_POST['start_date']) && isset($_POST['end_date']) && !empty($_POST['start_date']) && !empty($_POST['end_date']) && $s_date !== false && $e_date !== false){
- $search = sanitize_text_field($_POST['search_cf7_value']);
+ $search = sanitize_text_field(wp_unslash($_POST['search_cf7_value']));
//Get start date information
$start_date = date_format($s_date,"Y-m-d");
@@ -1671,6 +1797,7 @@
$data_ids = rtrim($data_ids,',');
}
+ // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
$query = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}cf7_vdata_entry WHERE `cf7_id` = %d AND data_id IN( SELECT * FROM ( SELECT data_id FROM {$wpdb->prefix}cf7_vdata_entry WHERE 1 = 1 AND `cf7_id` = %d AND `value` LIKE %s AND FIND_IN_SET(data_id, %s) GROUP BY `data_id` ORDER BY {$cf7d_entry_order_by}) temp_table) ORDER BY {$cf7d_entry_order_by}", $fid, $fid, '%' . $wpdb->esc_like($search) . '%', $data_ids));
}
@@ -1679,16 +1806,18 @@
if(!empty($ids_export)){
+ // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
$query = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}cf7_vdata_entry WHERE `cf7_id` = %d AND data_id IN( SELECT * FROM ( SELECT data_id FROM {$wpdb->prefix}cf7_vdata_entry WHERE 1 = 1 AND `cf7_id` = %d AND FIND_IN_SET(data_id, %s) GROUP BY `data_id` ORDER BY {$cf7d_entry_order_by} ) temp_table) ORDER BY {$cf7d_entry_order_by}", $fid, $fid, $ids_export));
}else{
+ // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
$query = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}cf7_vdata_entry WHERE `cf7_id` = %d AND data_id IN( SELECT * FROM ( SELECT data_id FROM {$wpdb->prefix}cf7_vdata_entry WHERE 1 = 1 AND `cf7_id` = %d GROUP BY `data_id` ORDER BY {$cf7d_entry_order_by} ) temp_table) ORDER BY {$cf7d_entry_order_by}", $fid, $fid));
}
}
- // phpcs:enable
+ // phpcs:enable WordPress.Security.NonceVerification.Missing
//Execuste query
$data = $query;
--- a/advanced-cf7-db/admin/partials/contact_form_listing.php
+++ b/advanced-cf7-db/admin/partials/contact_form_listing.php
@@ -49,7 +49,7 @@
if(isset($_GET['cf7_id']) && !empty($_GET['cf7_id'])){
$edit = false;
$entry_actions = array();
- $fid = intval(sanitize_text_field($_GET['cf7_id']));
+ $fid = intval(sanitize_text_field(wp_unslash($_GET['cf7_id'])));
if (!cf7_check_capability('cf7_db_form_view'.$fid) && !cf7_check_capability('cf7_db_form_edit_'.$fid)){
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
wp_die( __('You do not have sufficient permissions to access this page.') );
@@ -68,7 +68,7 @@
//Get search related value
$search = '';
if(isset($_POST['search_cf7_value']) && !empty($_POST['search_cf7_value'])){
- $search = addslashes(addslashes(htmlspecialchars(sanitize_text_field($_POST['search_cf7_value']))));
+ $search = addslashes(addslashes(htmlspecialchars(sanitize_text_field(wp_unslash($_POST['search_cf7_value'])))));
}
//Get all form names which entry store in DB
@@ -164,15 +164,15 @@
//Add post per page filter here , Any user call this filter and customize post per page count
$items_per_page = (int)apply_filters('vsz_cf7_entry_per_page', (!empty($posts_per_page) ? $posts_per_page : 10));
//Get current page information from query
- $page = isset($_POST['cpage']) && !empty($_POST['cpage']) ? abs((int)sanitize_text_field($_POST['cpage'])) : 1;
+ $page = isset($_POST['cpage']) && !empty($_POST['cpage']) ? abs((int)sanitize_text_field(wp_unslash($_POST['cpage']))) : 1;
//Setup offset related value here
$offset = (int)( $page * $items_per_page ) - $items_per_page;
//Customize parameter wise listing screen query
//Check start and end date is valid or not
if(isset($_POST['start_date']) && isset($_POST['end_date']) && !empty($_POST['start_date']) && !empty($_POST['end_date'])){
- $s_date = date_create_from_format("d/m/Y",sanitize_text_field($_POST['start_date']));
- $e_date = date_create_from_format("d/m/Y",sanitize_text_field($_POST['end_date']));
+ $s_date = date_create_from_format("d/m/Y",sanitize_text_field(wp_unslash($_POST['start_date'])));
+ $e_date = date_create_from_format("d/m/Y",sanitize_text_field(wp_unslash($_POST['end_date'])));
}
else{
$s_date = false;
@@ -238,10 +238,10 @@
}
//Call when any filter not active on Listing screen
else{
- if(isset($_GET["orderby"]) && isset($_GET["order"]) && !empty($_GET["orderby"]) && !empty($_GET["order"]) && (strtolower($_GET["order"]) == 'asc' || strtolower($_GET["order"]) == 'desc')){
+ if(isset($_GET["orderby"]) && isset($_GET["order"]) && !empty($_GET["orderby"]) && !empty($_GET["order"]) && (strtolower(sanitize_text_field(wp_unslash($_GET["order"]))) == 'asc' || strtolower(sanitize_text_field(wp_unslash($_GET["order"]))) == 'desc')){
- $order = esc_sql(sanitize_text_field($_GET['order']));
- $orderby = esc_sql(sanitize_text_field($_GET['orderby']));
+ $order = esc_sql(sanitize_text_field(wp_unslash($_GET['order'])));
+ $orderby = esc_sql(sanitize_text_field(wp_unslash($_GET['orderby'])));
$qry = $wpdb->get_results($wpdb->prepare("SELECT `data_id` FROM {$wpdb->prefix}cf7_vdata_entry WHERE `cf7_id` = %d AND `name` = %s AND data_id IN( SELECT * FROM ( SELECT data_id FROM {$wpdb->prefix}cf7_vdata_entry WHERE 1 = 1 AND `cf7_id` = %d GROUP BY `data_id` ORDER BY {$cf7d_entry_order_by} LIMIT %d,%d ) temp_table) ORDER BY `value` {$order}, {$cf7d_entry_order_by}", $fid, $orderby, $fid, $offset, $items_per_page));
$idVals = $qry;
@@ -303,8 +303,8 @@
?><div class="span12">
<div class="date-filter from-to" style="display:block;">
<div class="from-to-date-search">
- <input type="text" name="start_date" id="start_date" placeholder="From" value="<?php print isset($_POST['start_date']) ? esc_attr(sanitize_text_field($_POST['start_date'])) : '';?>" class="input-cf-date">
- <input type="text" name="end_date" id="end_date" placeholder="To" value="<?php print isset($_POST['end_date']) ? esc_attr(sanitize_text_field($_POST['end_date'])) : '';?>" class="input-cf-date" >
+ <input type="text" name="start_date" id="start_date" placeholder="From" value="<?php print isset($_POST['start_date']) ? esc_attr(sanitize_text_field(wp_unslash($_POST['start_date']))) : '';?>" class="input-cf-date">
+ <input type="text" name="end_date" id="end_date" placeholder="To" value="<?php print isset($_POST['end_date']) ? esc_attr(sanitize_text_field(wp_unslash($_POST['end_date']))) : '';?>" class="input-cf-date" >
<input type="button" name="search_date" id="search_date" value="<?php esc_html_e('Search By Date',VSZ_CF7_TEXT_DOMAIN); ?>" title="<?php esc_html_e('Search By Date',VSZ_CF7_TEXT_DOMAIN); ?>" class="button action" >
</div>
<div class="type-something"><?php
--- a/advanced-cf7-db/admin/partials/import_cf7_csv.php
+++ b/advanced-cf7-db/admin/partials/import_cf7_csv.php
@@ -43,7 +43,7 @@
//Get selected form Id value
if(isset($_GET['import_cf7_id']) && !empty($_GET['import_cf7_id'])){
- $fid = intval(sanitize_text_field($_GET['import_cf7_id']));
+ $fid = intval(sanitize_text_field(wp_unslash($_GET['import_cf7_id'])));
if (!cf7_check_capability('cf7_db_form_view'.$fid) && !cf7_check_capability('cf7_db_form_edit_'.$fid)){
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
wp_die( __('You do not have sufficient permissions to access this page.') );
--- a/advanced-cf7-db/admin/partials/import_cf7_entry.class.php
+++ b/advanced-cf7-db/admin/partials/import_cf7_entry.class.php
@@ -1,306 +1,310 @@
-<?php
-// Exit if accessed directly
-if ( !defined( 'ABSPATH' ) ){
- die('Un-authorized access!');
-}
-
-// Necessary condition to prevent direct access
-if(!is_user_logged_in() || empty($_POST)){
- die('Try to do un-authorized access!');
-}
-
-//Define site global variables
-global $wpdb,$vsz_cf7_csv_upload_error;
-
-// Set Error object for get error during import process
-$vsz_cf7_csv_upload_error = new WP_Error;
-
-// Verify the current user can upload or delete files
-////add in 1.8.3
-if(!current_user_can('upload_files') ){
- // This nonce is not valid.
- $msg = 'You do not have permission to import file.';
- $vsz_cf7_csv_upload_error->add('fill_form_fields','You do not have permission to import file.');
-}
-
-
-//Verify nonce values
-$nonceEntryCheck = sanitize_text_field($_POST['wp_entry_nonce']);
-if(!wp_verify_nonce( $nonceEntryCheck, 'import-cf7-save-entry-nonce')){
- // This nonce is not valid.
- $msg = 'Something may be wrong. Please try again.';
- $vsz_cf7_csv_upload_error->add('fill_form_fields','Something may be wrong. Please try again..');
-}
-
-if(!isset($_POST['form_match_key']) || empty($_POST['form_match_key']) || !isset($_POST['vsz_cf7_field_type']) || empty($_POST['vsz_cf7_field_type'])){
- $vsz_cf7_csv_upload_error->add('fill_form_fields','Something may be wrong. Please try again.');
-}
-
-$error_data = array();
-$new_csv = array();
-$error_csv = array();
-$header = '';
-
-$fid = '';
-//Get selected form Id value
-if(isset($_POST['import_cf7_id']) && !empty($_POST['import_cf7_id'])){
- $fid = intval(sanitize_text_field($_POST['import_cf7_id']));
-}
-else{
- $vsz_cf7_csv_upload_error->add('fill_form_id','First select any form then import sheet.');
-}
-
-$sheet_date_format = '';
-//Get selected form Id value
-if(isset($_POST['sheet_date_format']) && !empty($_POST['sheet_date_format'])){
- $sheet_date_format = sanitize_text_field($_POST['sheet_date_format']);
-}
-
-// Start Importing sheet over here
-if(isset($_POST['submit']) && isset($_FILES['importFormList']) && !empty($_FILES['importFormList']['name']) && empty( $vsz_cf7_csv_upload_error->errors )){
-
- //////////////////////////////////// SAVE FILE ////////////////////////////////////////
-
- $filename = sanitize_text_field($_FILES["importFormList"]["name"]);
- $file_basename = substr($filename, 0, strripos($filename, '.')); // get file name
- $file_ext = substr($filename, strripos($filename, '.')); // get file extention
-
- //Define accepted file format here
- $allowed_file_types = array('.csv');
- //check file is valid type or not
- if(in_array($file_ext,$allowed_file_types)){
- //upload new file in '/csv/' directory
- $newfilename = "import-cf7-form-list-". date('Ymdhis') . $file_ext;
-
- // 2.0.4 update start
- $upload = wp_upload_bits($newfilename, null, file_get_contents($_FILES["importFormList"]["tmp_name"])); // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged, WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents, WordPress.WP.AlternativeFunctions.file_system_read_file_get_contents
-
- require_once(ABSPATH . '/wp-admin/includes/file.php');
- WP_Filesystem();
- global $wp_filesystem;
-
- //if(move_uploaded_file($_FILES["importFormList"]["tmp_name"], dirname(dirname(__FILE__))."/csv/".$newfilename)){
- if($wp_filesystem->move($upload['file'], dirname(dirname(__FILE__))."/csv/".$newfilename)) {
- // 2.0.4 update end
-
- //Get moved file path
- $csv_file = dirname(dirname(__FILE__))."/csv/".$newfilename;
- //Check file is exist or not and open in read mode
-
- if (($handle = fopen($csv_file, "r")) !== FALSE){ // @codingStandardsIgnoreLine.
-
- //Get Header details from CSV sheet
- $arrHeader = fgetcsv($handle);
- $header = $arrHeader;
-
- $temp = array();
- if(!empty($arrHeader)){
- foreach ($arrHeader as $key => $value) {
- if($key == 0){
- $result = preg_replace('/[x00-x1Fx80-xFF]/', '', $value);
- $temp[] = $result;
- //For remove u+fffd like � character from first field
- }else{
- $temp[] = $value;
- }
- }
- }
- $arrHeader = $temp;
-
- array_push($header,"Status");
- //Define option field type array
- $arr_option_type = array('checkbox','radio','select');
- //Get form id related field key information from option table
- $arr_form_match_key = array_map( 'sanitize_text_field', $_POST['form_match_key']);
-
- //If form exist radio and check boxes value then get option values
- $obj_form = vsz_cf7_get_the_form_list(intval($fid));
- $arr_form_tag = $obj_form[0]->scan_form_tags();
- $option_value = array();
- //Get option value field names
- if(!empty($arr_form_tag)){
- foreach($arr_form_tag as $key => $arr_type){
-
- if(isset($arr_type['basetype']) && in_array($arr_type['basetype'],array('radio','checkbox'))){
- $option_value[$arr_type['name']] = $arr_type['values'];
- }
- }
- }
- //Get field type related information
- $vsz_cf7_field_type = array_map( 'sanitize_text_field', $_POST['vsz_cf7_field_type']);
- //check CSV sheet column count and match key count are same or not
- if(!empty($arrHeader) && !empty($arr_form_match_key)){
-
- $key_define_column = array_map('strtolower', array_map('trim',$arr_form_match_key));
- $arr_sheet_column = array_map('strtolower',array_map('trim',$arrHeader));
-
- $arr_field_name = array();
- //Get Sheet field name related contact form fields name and set in array
- foreach($key_define_column as $fKey => $mKey){
- if(!empty($arr_sheet_column) && in_array($mKey,$arr_sheet_column)){
-
- $field_key = (int)array_search($mKey,$arr_sheet_column);
- $arr_field_name[$fKey] = $field_key;
- }
- else{
-
- }
- }
-
- //Check any field key match or not
- if(!empty($arr_field_name)){
-
- $updateIndex = 0;
-
- //Get sheet related entries
- while($data = fgetcsv($handle)){
-
- //Counting the number of list in csv.
- $num = count($data);
- //Setup form key with related values
- $arr_insert_info = array();
- //Set all fields name related value in array
- foreach($key_define_column as $fKey => $mKey){
- //Check form key exist in field name array or not
- if(array_key_exists($fKey,$arr_field_name)){
- //Check field type is checkbox or radio
- if(!empty($vsz_cf7_field_type) && array_key_exists($fKey,$vsz_cf7_field_type) && in_array($vsz_cf7_field_type[$fKey],$arr_option_type)){
- //explode option field related value from sheet
- $arr_option = explode(',',$data[$arr_field_name[$fKey]]);
- $arr_insert_info[$fKey] = $arr_option;
- }
- else{
- $arr_insert_info[$fKey] = $data[$arr_field_name[$fKey]];
- }
- }
- else{
- $arr_insert_info[$fKey] = '';
- }
- }
- //Set submit time values if submit time value is empty
- if(array_key_exists('submit_time',$arr_insert_info)){
- //Check time value empty or not
- $arr_insert_info['submit_time'] = trim($arr_insert_info['submit_time']);
- $date_insert_flag = true;
- if(!empty($arr_insert_info['submit_time']) && !empty($sheet_date_format)){
- //Check date in valid format or not
- $sub_date = date_create_from_format($sheet_date_format,$arr_insert_info['submit_time']);
- if($sub_date !== false){
- $date_insert_flag = false;
- $arr_insert_info['submit_time'] = date_format($sub_date,"Y-m-d H:i:s");
- }
- }
-
- //set default date and time in submit_time parameter
- if($date_insert_flag){
- $arr_insert_info['submit_time'] = date_i18n('Y-m-d H:i:s', time());
- }
- }
-
- //Set submit if values if submit ip value is empty
- if(array_key_exists('submit_ip',$arr_insert_info) && empty($arr_insert_info['submit_ip'])){
- $arr_insert_info['submit_ip'] = '';
- }
-
- //Insert sheet related values in contact form Tables
- if(!empty($arr_insert_info)){
-
- //Get table name for data entry
- $data_table_name = sanitize_text_field(VSZ_CF7_DATA_TABLE_NAME);
- $data_entry_table_name = sanitize_text_field(VSZ_CF7_DATA_ENTRY_TABLE_NAME);
-
- //Insert current form submission time in database
- $time = date('Y-m-d H:i:s');
- $wpdb->query($wpdb->prepare("INSERT INTO {$wpdb->prefix}cf7_vdata(`created`) VALUES (%s)", $time));
- //Get last inserted id
- $data_id = (int)$wpdb->insert_id;
-
- //Insert form values in custom data entry table
- if(!empty($fid) && !empty($data_id)){
- //Get not inserted fields value list
- $cf7d_no_save_fields = vsz_cf7_no_save_fields();
- foreach ($arr_insert_info as $k => $v) {
- //Check not inserted fields name in array or not
- if(in_array($k, $cf7d_no_save_fields)) {
- continue;
- }
- else{
- //If value is check box and radio button value then creaye single string
- if(is_array($v)){
- $v = array_map('trim',$v);
- $v = implode("n", $v);
- }
- $k = htmlspecialchars($k);
- //It is prevent JS injection
- $v = sanitize_textarea_field($v);
- //$v = htmlspecialchars($v);
- $wpdb->query($wpdb->prepare("INSERT INTO {$wpdb->prefix}cf7_vdata_entry(`cf7_id`, `data_id`, `name`, `value`) VALUES (%d,%d,%s,%s)", $fid, $data_id, $k, $v));
- }
- }//Close foreach
- $new_csv[] = 'success';
- }//Close if for check not empty data and form id
- else{
- $errorMsg = 'This entry is not insert in Database.';
- $data[$num] = $errorMsg;
- $error_csv[$updateIndex] = array_combine($header, $data);
- $updateIndex ++;
- continue;
- }
- }//Close if for check insert array empty or not
- $updateIndex ++;
- }//Close while
-
- //Display total number of record added
- echo "<div class='updated notice notice-success is-dismissible'><p>New ".count($new_csv)." data submitted</p></div>";
- }//Close if for check field key exist or not in array
- else{
- $vsz_cf7_csv_upload_error->add('field_not_matched','Uploaded file column names and field setting CSV key names are not matched.');
- }//close else
- }//Close if for check CSV sheet column count and match key count are same or not
- else{
- $vsz_cf7_csv_upload_error->add('field_not_set','Please check uploaded file columns or field setting CSV match keys.');
- }
- }//Close if for CSV file handle
- else{
- $vsz_cf7_csv_upload_error->add('file_not_opend','Something may be wrong, Please try again later.');
- }
- }//Close if for move uploaded file
- else{
- $vsz_cf7_csv_upload_error->add('file_not_moved','Something may be wrong, Please try again later.');
- }
- }//Close if for check file extension
- else{
- $vsz_cf7_csv_upload_error->add('file_format','Please upload only CSV file format.');
- }
-}//Close if for submit
-
-//Display total number of errors
-if(count($error_csv) > 0){
- $vsz_cf7_csv_upload_error->add('total_error','Total ' . count($error_csv) . ' errors are reported.');
-}
-
-//Check for error status
-if(is_wp_error($vsz_cf7_csv_upload_error)){
- foreach($vsz_cf7_csv_upload_error->get_error_messages() as $error){
- echo "<div class='notice error is-dismissible'><p>".esc_html($error)."</p></div>";
- }
-}
-
-//generate error file if entry not insert in site
-if(count($error_csv) >= 1){
-
- $error_file_name = "upload_error".date("Y-m-d H:i:s:u").".csv";
- $myfile = fopen(dirname(dirname(__FILE__))."/csv/".$error_file_name, 'w') or // @codingStandardsIgnoreLine
- die("<div class='notice error is-dismissible'><p>Unable to open file!</p></div>");
-
- array_unshift($error_csv,$header);
-
- foreach ($error_csv as $fields){
- fputcsv($myfile, $fields,',');
- }
- fclose($myfile); // @codingStandardsIgnoreLine
-
- $fileNamePath = plugin_dir_url(dirname( __FILE__)).'csv/'.$error_file_name;
-
- echo '<div class="notice error is-dismissible"><p>You can download the error file from <a href="'.esc_url($fileNamePath).'" target="_blank">here</a> </p></div>';
-}
+<?php
+// Exit if accessed directly
+if ( !defined( 'ABSPATH' ) ){
+ die('Un-authorized access!');
+}
+
+// Necessary condition to prevent direct access
+if(!is_user_logged_in() || empty($_POST)){
+ die('Try to do un-authorized access!');
+}
+
+//Define site global variables
+global $wpdb,$vsz_cf7_csv_upload_error;
+
+// Set Error object for get error during import process
+$vsz_cf7_csv_upload_error = new WP_Error;
+
+// Verify the current user can upload or delete files
+////add in 1.8.3
+if(!current_user_can('upload_files') ){
+ // This nonce is not valid.
+ $msg = 'You do not have permission to import file.';
+ $vsz_cf7_csv_upload_error->add('fill_form_fields','You do not have permission to import file.');
+}
+
+
+//Verify nonce values
+$nonceEntryCheck = isset($_POST['wp_entry_nonce']) ? sanitize_text_field(wp_unslash($_POST['wp_entry_nonce'])) : '';
+if(!wp_verify_nonce( $nonceEntryCheck, 'import-cf7-save-entry-nonce')){
+ // This nonce is not valid.
+ $msg = 'Something may be wrong. Please try again.';
+ $vsz_cf7_csv_upload_error->add('fill_form_fields','Something may be wrong. Please try again..');
+}
+
+if(!isset($_POST['form_match_key']) || empty($_POST['form_match_key']) || !isset($_POST['vsz_cf7_field_type']) || empty($_POST['vsz_cf7_field_type'])){
+ $vsz_cf7_csv_upload_error->add('fill_form_fields','Something may be wrong. Please try again.');
+}
+
+$error_data = array();
+$new_csv = array();
+$error_csv = array();
+$header = '';
+
+$fid = '';
+//Get selected form Id value
+if(isset($_POST['import_cf7_id']) && !empty($_POST['import_cf7_id'])){
+ $fid = intval(sanitize_text_field(wp_unslash($_POST['import_cf7_id'])));
+}
+else{
+ $vsz_cf7_csv_upload_error->add('fill_form_id','First select any form then import sheet.');
+}
+
+$sheet_date_format = '';
+//Get selected form Id value
+if(isset($_POST['sheet_date_format']) && !empty($_POST['sheet_date_format'])){
+ $sheet_date_format = sanitize_text_field(wp_unslash($_POST['sheet_date_format']));
+}
+
+// Start Importing sheet over here
+if(isset($_POST['submit']) && isset($_FILES['importFormList']) && !empty($_FILES['importFormList']['name']) && empty( $vsz_cf7_csv_upload_error->errors )){
+
+ //////////////////////////////////// SAVE FILE ////////////////////////////////////////
+
+ $filename = sanitize_text_field($_FILES["importFormList"]["name"]);
+ $file_basename = substr($filename, 0, strripos($filename, '.')); // get file name
+ $file_ext = substr($filename, strripos($filename, '.')); // get file extention
+
+ //Define accepted file format here
+ $allowed_file_types = array('.csv');
+ //check file is valid type or not
+ if(in_array($file_ext,$allowed_file_types)){
+ //upload new file in '/csv/' directory
+ $newfilename = "import-cf7-form-list-". gmdate('Ymdhis') . $file_ext;
+
+ // 2.0.4 update start
+ if(!isset($_FILES["importFormList"]["tmp_name"]) || empty($_FILES["importFormList"]["tmp_name"])){
+ $vsz_cf7_csv_upload_error->add('file_upload','File upload failed.');
+ } else {
+ $upload = wp_upload_bits($newfilename, null, file_get_contents(sanitize_text_field(wp_unslash($_FILES["importFormList"]["tmp_name"])))); // phpcs:ignore Generic.PHP.NoSilencedErrors.Discouraged, WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents, WordPress.WP.AlternativeFunctions.file_system_read_file_get_contents
+ }
+
+ require_once(ABSPATH . '/wp-admin/includes/file.php');
+ WP_Filesystem();
+ global $wp_filesystem;
+
+ //if(move_uploaded_file($_FILES["importFormList"]["tmp_name"], dirname(dirname(__FILE__))."/csv/".$newfilename)){
+ if($wp_filesystem->move($upload['file'], dirname(dirname(__FILE__))."/csv/".$newfilename)) {
+ // 2.0.4 update end
+
+ //Get moved file path
+ $csv_file = dirname(dirname(__FILE__))."/csv/".$newfilename;
+ //Check file is exist or not and open in read mode
+
+ if (($handle = fopen($csv_file, "r")) !== FALSE){ // @codingStandardsIgnoreLine.
+
+ //Get Header details from CSV sheet
+ $arrHeader = fgetcsv($handle);
+ $header = $arrHeader;
+
+ $temp = array();
+ if(!empty($arrHeader)){
+ foreach ($arrHeader as $key => $value) {
+ if($key == 0){
+ $result = preg_replace('/[x00-x1Fx80-xFF]/', '', $value);
+ $temp[] = $result;
+ //For remove u+fffd like � character from first field
+ }else{
+ $temp[] = $value;
+ }
+ }
+ }
+ $arrHeader = $temp;
+
+ array_push($header,"Status");
+ //Define option field type array
+ $arr_option_type = array('checkbox','radio','select');
+ //Get form id related field key information from option table
+ $arr_form_match_key = array_map( 'sanitize_text_field', wp_unslash($_POST['form_match_key']));
+
+ //If form exist radio and check boxes value then get option values
+ $obj_form = vsz_cf7_get_the_form_list(intval($fid));
+ $arr_form_tag = $obj_form[0]->scan_form_tags();
+ $option_value = array();
+ //Get option value field names
+ if(!empty($arr_form_tag)){
+ foreach($arr_form_tag as $key => $arr_type){
+
+ if(isset($arr_type['basetype']) && in_array($arr_type['basetype'],array('radio','checkbox'))){
+ $option_value[$arr_type['name']] = $arr_type['values'];
+ }
+ }
+ }
+ //Get field type related information
+ $vsz_cf7_field_type = array_map( 'sanitize_text_field', wp_unslash($_POST['vsz_cf7_field_type']));
+ //check CSV sheet column count and match key count are same or not
+ if(!empty($arrHeader) && !empty($arr_form_match_key)){
+
+ $key_define_column = array_map('strtolower', array_map('trim',$arr_form_match_key));
+ $arr_sheet_column = array_map('strtolower',array_map('trim',$arrHeader));
+
+ $arr_field_name = array();
+ //Get Sheet field name related contact form fields name and set in array
+ foreach($key_define_column as $fKey => $mKey){
+ if(!empty($arr_sheet_column) && in_array($mKey,$arr_sheet_column)){
+
+ $field_key = (int)array_search($mKey,$arr_sheet_column);
+ $arr_field_name[$fKey] = $field_key;
+ }
+ else{
+
+ }
+ }
+
+ //Check any field key match or not
+ if(!empty($arr_field_name)){
+
+ $updateIndex = 0;
+
+ //Get sheet related entries
+ while($data = fgetcsv($handle)){
+
+ //Counting the number of list in csv.
+ $num = count($data);
+ //Setup form key with related values
+ $arr_insert_info = array();
+ //Set all fields name related value in array
+ foreach($key_define_column as $fKey => $mKey){
+ //Check form key exist in field name array or not
+ if(array_key_exists($fKey,$arr_field_name)){
+ //Check field type is checkbox or radio
+ if(!empty($vsz_cf7_field_type) && array_key_exists($fKey,$vsz_cf7_field_type) && in_array($vsz_cf7_field_type[$fKey],$arr_option_type)){
+ //explode option field related value from sheet
+ $arr_option = explode(',',$data[$arr_field_name[$fKey]]);
+ $arr_insert_info[$fKey] = $arr_option;
+ }
+ else{
+ $arr_insert_info[$fKey] = $data[$arr_field_name[$fKey]];
+ }
+ }
+ else{
+ $arr_insert_info[$fKey] = '';
+ }
+ }
+ //Set submit time values if submit time value is empty
+ if(array_key_exists('submit_time',$arr_insert_info)){
+ //Check time value empty or not
+ $arr_insert_info['submit_time'] = trim($arr_insert_info['submit_time']);
+ $date_insert_flag = true;
+ if(!empty($arr_insert_info['submit_time']) && !empty($sheet_date_format)){
+ //Check date in valid format or not
+ $sub_date = date_create_from_format($sheet_date_format,$arr_insert_info['submit_time']);
+ if($sub_date !== false){
+ $date_insert_flag = false;
+ $arr_insert_info['submit_time'] = date_format($sub_date,"Y-m-d H:i:s");
+ }
+ }
+
+ //set default date and time in submit_time parameter
+ if($date_insert_flag){
+ $arr_insert_info['submit_time'] = date_i18n('Y-m-d H:i:s', time());
+ }
+ }
+
+ //Set submit if values if submit ip value is empty
+ if(array_key_exists('submit_ip',$arr_insert_info) && empty($arr_insert_info['submit_ip'])){
+ $arr_insert_info['submit_ip'] = '';
+ }
+
+ //Insert sheet related values in contact form Tables
+ if(!empty($arr_insert_info)){
+
+ //Get table name for data entry
+ $data_table_name = sanitize_text_field(VSZ_CF7_DATA_TABLE_NAME);
+ $data_entry_table_name = sanitize_text_field(VSZ_CF7_DATA_ENTRY_TABLE_NAME);
+
+ //Insert current form submission time in database
+ $time = gmdate('Y-m-d H:i:s');
+ $wpdb->query($wpdb->prepare("INSERT INTO {$wpdb->prefix}cf7_vdata(`created`) VALUES (%s)", $time));
+ //Get last inserted id
+ $data_id = (int)$wpdb->insert_id;
+
+ //Insert form values in custom data entry table
+ if(!empty($fid) && !empty($data_id)){
+ //Get not inserted fields value list
+ $cf7d_no_save_fields = vsz_cf7_no_save_fields();
+ foreach ($arr_insert_info as $k => $v) {
+ //Check not inserted fields name in array or not
+ if(in_array($k, $cf7d_no_save_fields)) {
+ continue;
+ }
+ else{
+ //If value is check box and radio button value then creaye single string
+ if(is_array($v)){
+ $v = array_map('trim',$v);
+ $v = implode("n", $v);
+ }
+ $k = htmlspecialchars($k);
+ //It is prevent JS injection
+ $v = sanitize_textarea_field($v);
+ //$v = htmlspecialchars($v);
+ $wpdb->query($wpdb->prepare("INSERT INTO {$wpdb->prefix}cf7_vdata_entry(`cf7_id`, `data_id`, `name`, `value`) VALUES (%d,%d,%s,%s)", $fid, $data_id, $k, $v));
+ }
+ }//Close foreach
+ $new_csv[] = 'success';
+ }//Close if for check not empty data and form id
+ else{
+ $errorMsg = 'This entry is not insert in Database.';
+ $data[$num] = $errorMsg;
+ $error_csv[$updateIndex] = array_combine($header, $data);
+ $updateIndex ++;
+ continue;
+ }
+ }//Close if for check insert array empty or not
+ $updateIndex ++;
+ }//Close while
+
+ //Display total number of record added
+ echo "<div class='updated notice notice-success is-dismissible'><p>New ".count($new_csv)." data submitted</p></div>";
+ }//Close if for check field key exist or not in array
+ else{
+ $vsz_cf7_csv_upload_error->add('field_not_matched','Uploaded file column names and field setting CSV key names are not matched.');
+ }//close else
+ }//Close if for check CSV sheet column count and match key count are same or not
+ else{
+ $vsz_cf7_csv_upload_error->add('field_not_set','Please check uploaded file columns or field setting CSV match keys.');
+ }
+ }//Close if for CSV file handle
+ else{
+ $vsz_cf7_csv_upload_error->add('file_not_opend','Something may be wrong, Please try again later.');
+ }
+ }//Close if for move uploaded file
+ else{
+ $vsz_cf7_csv_upload_error->add('file_not_moved','Something may be wrong, Please try again later.');
+ }
+ }//Close if for check file extension
+ else{
+ $vsz_cf7_csv_upload_error->add('file_format','Please upload only CSV file format.');
+ }
+}//Close if for submit
+
+//Display total number of errors
+if(count($error_csv) > 0){
+ $vsz_cf7_csv_upload_error->add('total_error','Total ' . count($error_csv) . ' errors are reported.');
+}
+
+//Check for error status
+if(is_wp_error($vsz_cf7_csv_upload_error)){
+ foreach($vsz_cf7_csv_upload_error->get_error_messages() as $error){
+ echo "<div class='notice error is-dismissible'><p>".esc_html($error)."</p></div>";
+ }
+}
+
+//generate error file if entry not insert in site
+if(count($error_csv) >= 1){
+
+ $error_file_name = "upload_error".gmdate("Y-m-d H:i:s:u").".csv";
+ $myfile = fopen(dirname(dirname(__FILE__))."/csv/".$error_file_name, 'w') or // @codingStandardsIgnoreLine
+ die("<div class='notice error is-dismissible'><p>Unable to open file!</p></div>");
+
+ array_unshift($error_csv,$header);
+
+ foreach ($error_csv as $fields){
+ fputcsv($myfile, $fields,',');
+ }
+ fclose($myfile); // @codingStandardsIgnoreLine
+
+ $fileNamePath = plugin_dir_url(dirname( __FILE__)).'csv/'.$error_file_name;
+
+ echo '<div class="notice error is-dismissible"><p>You can download the error file from <a href="'.esc_url($fileNamePath).'" target="_blank">here</a> </p></div>';
+}
--- a/advanced-cf7-db/advanced-cf7-db.php
+++ b/advanced-cf7-db/advanced-cf7-db.php
@@ -9,7 +9,7 @@
* Plugin Name: Advanced CF7 DB
* Plugin URI: https://wordpress.org/plugins/advanced-cf7-db/
* Description: Save all contact form 7 submitted data to the database, View, Export, ordering, Change field labels, Import data using CSV very easily.
- * Version: 2.0.9
+ * Version: 2.1.0
* Author: Vsourz Digital
* Author URI: https://www.vsourz.com
* License: GPL-2.0+
@@ -80,7 +80,7 @@
die;
}
global $vsz_cf7db_current_version;
-$vsz_cf7db_current_version = '2.0.9';
+$vsz_cf7db_current_version = '2.1.0';
/**
* Defining all the table names and setting their prefix here
*/
--- a/advanced-cf7-db/includes/vsz-cf7-db-function.php
+++ b/advanced-cf7-db/includes/vsz-cf7-db-function.php
@@ -50,7 +50,7 @@
$data_entry_table_name = sanitize_text_field(VSZ_CF7_DATA_ENTRY_TABLE_NAME);
//Insert current form submission time in database
- $time = date('Y-m-d H:i:s');
+ $time = gmdate('Y-m-d H:i:s');
$wpdb->query($wpdb->prepare("INSERT INTO {$wpdb->prefix}cf7_vdata(`created`) VALUES (%s)", $time));
//Get last inserted id
$data_id = $wpdb->insert_id;
@@ -118,10 +118,10 @@
if(!defined('vsz_cf7_display_ip')){
//Get submitted ip address
- $ip_address = (isset($_SERVER['X_FORWARDED_FOR']) && !empty(rest_is_ip_address(sanitize_text_field($_SERVER['X_FORWARDED_FOR'])))) ? sanitize_text_field($_SERVER['X_FORWARDED_FOR']) : "";
+ $ip_address = (isset($_SERVER['X_FORWARDED_FOR']) && !empty(rest_is_ip_address(sanitize_text_field(wp_unslash($_SERVER['X_FORWARDED_FOR']))))) ? sanitize_text_field(wp_unslash($_SERVER['X_FORWARDED_FOR'])) : "";
if(empty($ip_address)){
- $ip_address = (isset($_SERVER['REMOTE_ADDR']) && !empty(rest_is_ip_address(sanitize_text_field($_SERVER['REMOTE_ADDR'])))) ? sanitize_text_field($_SERVER['REMOTE_ADDR']) : "";
+ $ip_address = (isset($_SERVER['REMOTE_ADDR']) && !empty(rest_is_ip_address(sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR']))))) ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : "";
}
if(!empty($ip_address)){
@@ -161,7 +161,7 @@
// $file = basename($val);
$file = pathinfo($val, PATHINFO_FILENAME);
$ext = pathinfo($val, PATHINFO_EXTENSION);
- $file_name = $file . date("Ymdh") . '.' . $ext;
+ $file_name = $file . gmdate("Ymdh") . '.' . $ext;
//Create unique file name
$file_name = wp_unique_filename($dir_upload, $file_name);
@@ -323,7 +323,8 @@
//Verify nonce value
if (iss
