comparison: www/includes/db_profile_mash.php
www/includes/db_profile_mash.php
- changeset 120
- b28a3d6143bc
- parent 77
- a9f8de2d7b2b
- child 213
- b0d484a5525e
equal
deleted
inserted
replaced
| 119:ae5e8d740173 | 120:b28a3d6143bc |
|---|---|
| 10 } | 10 } |
| 11 mysqli_set_charset($connect, "utf8" ); | 11 mysqli_set_charset($connect, "utf8" ); |
| 12 | 12 |
| 13 $escapers = array("\\", "/", "\"", "\n", "\r", "\t", "\x08", "\x0c"); | 13 $escapers = array("\\", "/", "\"", "\n", "\r", "\t", "\x08", "\x0c"); |
| 14 $replacements = array("\\\\", "\\/", "\\\"", "\\n", "\\r", "\\t", "\\f", "\\b"); | 14 $replacements = array("\\\\", "\\/", "\\\"", "\\n", "\\r", "\\t", "\\f", "\\b"); |
| 15 $rescapers = array("'"); | |
| 16 $rreplacements = array("\\'"); | |
| 17 $disallowed = array('visibleindex','uniqueid','boundindex','uid'); | |
| 15 | 18 |
| 16 // get data and store in a json array | 19 // get data and store in a json array |
| 17 $query = "SELECT * FROM profile_mash ORDER BY name"; | 20 $query = "SELECT * FROM profile_mash ORDER BY name"; |
| 18 if (isset($_GET['insert'])) { | 21 if (isset($_GET['insert']) || isset($_GET['update'])) { |
| 19 // INSERT COMMAND | 22 if (isset($_GET['insert'])) { |
| 20 $sql = "INSERT INTO `profile_mash` SET name='" . mysqli_real_escape_string($connect, $_GET['name']); | 23 $sql = "INSERT INTO"; |
| 24 } | |
| 25 if (isset($_GET['update'])) { | |
| 26 $sql = "UPDATE"; | |
| 27 } | |
| 28 $sql .= " `profile_mash` SET name='" . mysqli_real_escape_string($connect, $_GET['name']); | |
| 21 $sql .= "', notes='" . mysqli_real_escape_string($connect, $_GET['notes']); | 29 $sql .= "', notes='" . mysqli_real_escape_string($connect, $_GET['notes']); |
| 22 $sql .= "', steps='" . json_encode($_GET['steps']); | 30 $array = $_GET['steps']; |
| 23 $sql .= "';"; | 31 foreach($array as $key => $item){ |
| 32 foreach ($disallowed as $disallowed_key) { | |
| 33 unset($array[$key]["$disallowed_key"]); | |
| 34 } | |
| 35 } | |
| 36 $sql .= "', steps='" . str_replace($rescapers,$rreplacements,json_encode($array)); | |
| 37 if (isset($_GET['insert'])) { | |
| 38 $sql .= "';"; | |
| 39 } | |
| 40 if (isset($_GET['update'])) { | |
| 41 $sql .= "' WHERE record='" . $_GET['record'] . "';"; | |
| 42 } | |
| 24 $result = mysqli_query($connect, $sql); | 43 $result = mysqli_query($connect, $sql); |
| 25 if (! $result) { | 44 if (! $result) { |
| 26 syslog(LOG_NOTICE, "db_profile_mash: ".$sql." result: ".mysqli_error($connect)); | 45 syslog(LOG_NOTICE, "db_profile_mash: ".$sql." result: ".mysqli_error($connect)); |
| 27 } else { | 46 } else { |
| 28 syslog(LOG_NOTICE, "db_profile_mash: inserted ".$_GET['name']); | 47 if (isset($_GET['update'])) { |
| 29 } | 48 syslog(LOG_NOTICE, "db_profile_mash: updated record ".$_GET['record']); |
| 30 echo $result; | 49 } else { |
| 31 | 50 $lastid = mysqli_insert_id($connect); |
| 32 } else if (isset($_GET['update'])) { | 51 syslog(LOG_NOTICE, "db_profile_mash: inserted record ".$lastid); |
| 33 // UPDATE COMMAND | 52 } |
| 34 $sql = "UPDATE `profile_mash` SET name='" . mysqli_real_escape_string($connect, $_GET['name']); | |
| 35 $sql .= "', notes='" . mysqli_real_escape_string($connect, $_GET['notes']); | |
| 36 $sql .= "', steps='" . json_encode($_GET['steps']); | |
| 37 $sql .= "' WHERE record='" . $_GET['record'] . "';"; | |
| 38 $result = mysqli_query($connect, $sql); | |
| 39 if (! $result) { | |
| 40 syslog(LOG_NOTICE, "db_profile_mash: ".$sql." result: ".mysqli_error($connect)); | |
| 41 } else { | |
| 42 syslog(LOG_NOTICE, "db_profile_mash: updated record ".$_GET['record']); | |
| 43 } | 53 } |
| 44 echo $result; | 54 echo $result; |
| 45 | 55 |
| 46 } else if (isset($_GET['delete'])) { | 56 } else if (isset($_GET['delete'])) { |
| 47 // DELETE COMMAND | 57 // DELETE COMMAND |
