get_fields($form_id); $title = get_the_title($form_id); global $wpdb; $entries = $wpdb->get_results($wpdb->prepare("SELECT `post_id` FROM `" . $wpdb->prefix . "postmeta` WHERE `meta_key` = 'metform_entries__form_id' AND `meta_value` = %d", $form_id), OBJECT); $entries = (is_array($entries)) ? $entries : []; $export = []; $header = []; foreach ($entries as $entry) { $entry_modify = []; $form_entry = get_post_meta($entry->post_id, 'metform_entries__form_data', true); $form_entry = (is_array($form_entry) ? $form_entry : []); $file_entry = get_post_meta($entry->post_id, 'metform_entries__file_upload_new', true); $file_entry = (is_array($file_entry) ? $file_entry : []); $entry_data = array_merge($form_entry, $file_entry); $entry_data = (is_array($entry_data)) ? $entry_data : []; $entry_modify['ID'] = $entry->post_id; $header['__id'] = 'ID'; foreach ($fields as $key => $value) { $header_key = (($value->mf_input_name != '') ? htmlspecialchars($value->mf_input_name) : $key); $header[$header_key] = empty($value->mf_input_label) ? $key : htmlspecialchars($value->mf_input_label); if ($value->widgetType == 'mf-file-upload' && isset($entry_data[$key])) { $entry_modify[$header_key] = (isset($entry_data[$key]) ? ((isset($entry_data[$key]['url'])) ? $entry_data[$key]['url'] : ' ') : ' '); for ($index = 0; $index < isset( $entry_data[$key] ) && is_array($entry_data[$key]) ? count($entry_data[$key]) : 0 ; $index++) { $entry_modify[$header_key] .= (esc_url($entry_data[$key][$index]['url']) . " \n"); } } else if ($value->widgetType == 'mf-simple-repeater') { $data_string = ''; if (is_array($entry_data[$key])) { foreach ($entry_data[$key] as $key => $value) { $data_string .= htmlspecialchars($key) . ": " . htmlspecialchars($value) . " \n"; } } $entry_modify[$header_key] = $data_string; } else { $entry_modify[$header_key] = (isset($entry_data[$key]) ? ((is_array($entry_data[$key])) ? implode(', ', $entry_data[$key]) : ($entry_data[$key])) : ' '); } // Prevent CSV injection by prefixing a single quote to values that begin with '=', '+', '-', '@' if (preg_match('/^(\=|\+|\-|\@)/', $entry_modify[$header_key])) { $entry_modify[$header_key] = "'" . ltrim($entry_modify[$header_key], '='); // ltrim remove the equal sign from the formula `=HYPERLINK()` will be `HYPERLINK()` } } $entry_modify['DATE'] = get_the_date('d-m-Y', $entry->post_id); $export[] = $entry_modify; $header['__dt'] = 'DATE'; } $file_name = $title . "-export-" . time() . ".csv"; // Sanitize the file name to prevent directory traversal $file_name = sanitize_file_name($file_name); header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); header('Content-Description: File Transfer'); header("Content-type: text/csv"); // Sanitize the file name to prevent CSV injection header("Content-Disposition: attachment; filename=\"" . str_replace(array('"', "'", "\\", "\0"), '', $file_name) . "\""); header("Expires: 0"); header("Pragma: public"); $file_pointer = @fopen('php://output', 'w'); $csv_header = false; // sort data usort($export, function ($item1, $item2) { return $item1['ID'] <=> $item2['ID']; }); foreach ($export as $data) { // Add a header row if it hasn't been added yet if (!$csv_header) { // Use the keys from $data as the titles // Sanitize the header row to prevent CSV injection fputcsv($file_pointer, array_map(function ($value) { return str_replace(array('"', "'", "\\", "\0"), '', $value); }, $header)); $csv_header = true; } // Sanitize the data to prevent CSV injection $sanitized_data = array_map(function ($value) { return str_replace(array('"', "'", "\\", "\0"), '', $value); }, $data); // Put the sanitized data into the stream fputcsv($file_pointer, $sanitized_data); } // Close the file fclose($file_pointer); exit; } }