Bug on submitted_fields JS variable and GFFormsModel::get_submitted_fields()

This function doesn’t validate that the results from “SELECT DISTINCT meta_key” from entry_meta are actually field IDs, only applies an intval() function to them, and thus ends up adding random field IDs (real or not) that don’t correspond to actual submissions.

E.g.: file uploads seem to get an entry_meta entry, with a hash as “meta_key”. When running a hash like “009a3b4ae3fc6774ba9ab9878662fc4e4e4e4b1b294cec2f7f91bad2a08acd0210a0ff633c51f0eeb81dd684f33c29fd9a4492e2a4b2e73e1fd0f3c3970ef8a1” through intval(), it gets incorrectly converted as representing a field Id of 9, which may or may not exist and may or may not actually have entries.

In a form with a lot of file uploads in past entries, you get a huge list of random/incorrect submitted_fields IDs with repeat numbers like 42700000000, zeros, etc., and this results in options (e.g. multiple file toggle on file fields) being grayed out incorrectly even if no real entries included that field yet. In my case it added 68kb to every form page load, too.

Current code:

$fields                 = $wpdb->get_results( $wpdb->prepare( "SELECT DISTINCT meta_key FROM $entry_meta_table_name WHERE form_id=%d", $form_id ) );
		foreach ( $fields as $field ) {
			$field_list .= intval( $field->meta_key ) . ',';

Example solution:

		foreach ( $fields as $field ) {
			if(strval(intval( $field->meta_key ))==strval($field->meta_key)){
1 Like

Hello. The product team is aware of the issue and have an open investigation for it already. It will be fixed in a future version. Thank you.