Formit custom hook set emailTo from db by selected id

I have a form with a select box that lists possible recipient ids which are generated from a custom table using migxLoopCollection. I know want to create a custom hook which takes in the selected recipient id and sets the emailTo property accordingly.

Here’s what I got so far:

// get id value from select input
$teamId = $hook->getValue('recipient');

// get email from id
$teamEmail = $modx->query("SELECT email FROM team WHERE id=$teamId");

// check for result
if (!is_object($teamEmail)) {
  // no - return error
  $hook->addError('recipient','Recipient invalid.');
  return $hook->hasErrors();
else {
  // yes - set email
  $hook->formit->config['emailTo'] = $teamEmail;
  return true;

Is this the proper way to do this?

How would I make sure the selected recipient value does not contain any malicious content, as I use this value in the query?

In this case, the best solution is probably to cast the value to an integer.

$teamId = (int) $hook->getValue('recipient');
// or alternatively
$teamId = intval($hook->getValue('recipient'));

Also maybe take a look at prepared statements or use xPDO.

$teamEmail is of type PDOStatement. Don’t assign it directly to the config.

$hook->formit->config['emailTo'] = $teamEmail;

Use fetch() or fetchColumn() first.

$hook->formit->config['emailTo'] = $teamEmail->fetchColumn();
1 Like

This topic was automatically closed 2 days after discussion ended and a solution was marked. New replies are no longer allowed. You can open a new topic by clicking the link icon below the original post or solution and selecting “+ New Topic”.