Hi
Very cool… and I’m grateful.
I modified the code so I can download the text file for any form.
I tested the modified code and it works great. But, in your opinion, is it good and secure?
Here’s the modified code:
(Modified with the help of DeepSeek AI)
add_action('init', function () {
    // Check if the required parameters exist and Quform is active
    if (!isset($_GET['download_schools_txt']) || !isset($_GET['id']) || !class_exists('Quform')) {
        return;
    }
    // Sanitize and validate the element ID (should be in format number_number e.g. 158_3)
    $id = sanitize_text_field($_GET['id']);
    if (!preg_match('/^\d+_\d+$/', $id)) {
        wp_die('Invalid element ID', 'Error', array('response' => 400));
    }
    // Extract form ID from the element ID
    list($form_id) = explode('_', $id);
    // Get form configuration
    $config = quform('repository')->getConfig($form_id);
    if (!is_array($config)) {
        wp_die('Form not found', 'Error', array('response' => 404));
    }
    // Create form instance
    $form = quform('formFactory')->create($config);
    $select = $form->getElement("quform_$id");
    if (!$select instanceof Quform_Element_Select) {
        wp_die('Specified element is not a select dropdown', 'Error', array('response' => 400));
    }
    global $wpdb;
    // Query to get submitted values for this element
    $query = $wpdb->prepare(
        "SELECT ed.value
        FROM {$wpdb->prefix}quform_entry_data ed
        LEFT JOIN {$wpdb->prefix}quform_entries e
        ON ed.entry_id = e.id
        WHERE e.form_id = %d AND e.status = 'normal' AND ed.element_id = %d",
        $form->getId(),
        $select->getId()
    );
    $submitted = $wpdb->get_col($query);
    $available_options = array();
    // Collect options that haven't been submitted
    foreach ($select->getOptions() as $option) {
        if (isset($option['value']) && !in_array($option['value'], $submitted, true)) {
            $available_options[] = $option['label'];
        }
    }
    // Generate file content
    $file_content = join("\n", $available_options);
    // Create filename with element ID and timestamp
    $filename = sprintf('available_options_%s_%d.txt', $id, time());
    // Send HTTP headers for file download
    header('Content-Type: text/plain');
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header('Content-Length: ' . strlen($file_content));
    header('Pragma: no-cache');
    header('Expires: 0');
    // Output content and terminate
    echo $file_content;
    exit;
});
Regards,
Abbas
- This reply was modified 3 weeks, 4 days ago by Abbas.
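As posted, the handler runs for any visitor who sends the `download_schools_txt` and `id` query parameters, and each such request builds a form and queries the entries table. The following is an added example, not part of Abbas's post or Quform's own code, of an access gate the handler could call first if the export should be limited to site staff; the `example_*` function names, the `manage_options` capability and the nonce action string are assumptions chosen for illustration.

```php
<?php
// Added example: access gate for the download handler in the post above.
// The capability, nonce action name and function names are assumptions,
// not Quform APIs.

/** Build the download link; the nonce ties it to one user and one element. */
function example_options_download_url($id) {
    $url = add_query_arg(
        array('download_schools_txt' => 1, 'id' => $id),
        home_url('/')
    );
    // wp_nonce_url() appends _wpnonce and returns an HTML-escaped URL.
    return wp_nonce_url($url, 'example_download_options_' . $id);
}

/** Return the validated element ID, or end the request with an error. */
function example_options_download_gate() {
    // sanitize_text_field() returns '' for arrays, so id[]=x is rejected below.
    $id = isset($_GET['id']) ? sanitize_text_field(wp_unslash($_GET['id'])) : '';
    // \A and \z anchor the whole string; $ alone also accepts a trailing newline.
    if (!preg_match('/\A\d+_\d+\z/', $id)) {
        wp_die('Invalid element ID', 'Error', array('response' => 400));
    }
    // Assumption: only administrators may export; use the capability that fits.
    if (!current_user_can('manage_options')) {
        wp_die('Not allowed', 'Error', array('response' => 403));
    }
    $nonce = isset($_GET['_wpnonce'])
        ? sanitize_text_field(wp_unslash($_GET['_wpnonce']))
        : '';
    if (!wp_verify_nonce($nonce, 'example_download_options_' . $id)) {
        wp_die('Link expired or invalid', 'Error', array('response' => 403));
    }
    // Keep browsers and proxies from caching or content-sniffing the file.
    nocache_headers();
    header('X-Content-Type-Options: nosniff');
    return $id;
}
```

Inside the `init` callback, `$id = example_options_download_gate();` would replace the `sanitize_text_field` and `preg_match` lines, and the link shown to staff would come from `example_options_download_url('158_3')`.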