www/includes/db_profile_mash.php

changeset 120
b28a3d6143bc
parent 77
a9f8de2d7b2b
child 213
b0d484a5525e
--- a/www/includes/db_profile_mash.php	Sat Dec 01 22:24:46 2018 +0100
+++ b/www/includes/db_profile_mash.php	Wed Dec 05 14:16:39 2018 +0100
@@ -12,34 +12,44 @@
 
 $escapers = array("\\", "/", "\"", "\n", "\r", "\t", "\x08", "\x0c");
 $replacements = array("\\\\", "\\/", "\\\"", "\\n", "\\r", "\\t", "\\f", "\\b");
+$rescapers = array("'");
+$rreplacements = array("\\'");
+$disallowed = array('visibleindex','uniqueid','boundindex','uid');
 
 // get data and store in a json array
 $query = "SELECT * FROM profile_mash ORDER BY name";
-if (isset($_GET['insert'])) {
-	// INSERT COMMAND
-	$sql  = "INSERT INTO `profile_mash` SET name='" . mysqli_real_escape_string($connect, $_GET['name']);
+if (isset($_GET['insert']) || isset($_GET['update'])) {
+	if (isset($_GET['insert'])) {
+		$sql  = "INSERT INTO";
+	}
+	if (isset($_GET['update'])) {
+		$sql  = "UPDATE";
+	}
+	$sql .= " `profile_mash` SET name='" . mysqli_real_escape_string($connect, $_GET['name']);
 	$sql .= "', notes='" . mysqli_real_escape_string($connect, $_GET['notes']);
-	$sql .= "', steps='" . json_encode($_GET['steps']);
-	$sql .= "';";
+	$array = $_GET['steps'];
+	foreach($array as $key => $item){
+		foreach ($disallowed as $disallowed_key) {
+			unset($array[$key]["$disallowed_key"]);
+		}
+	}
+	$sql .= "', steps='" . str_replace($rescapers,$rreplacements,json_encode($array));
+	if (isset($_GET['insert'])) {
+		$sql .= "';";
+	}
+	if (isset($_GET['update'])) {
+		$sql .= "' WHERE record='" . $_GET['record'] . "';";
+	}
 	$result = mysqli_query($connect, $sql);
 	if (! $result) {
 		syslog(LOG_NOTICE, "db_profile_mash: ".$sql." result: ".mysqli_error($connect));
 	} else {
-		syslog(LOG_NOTICE, "db_profile_mash: inserted ".$_GET['name']);
-	}
-	echo $result;
-
-} else if (isset($_GET['update'])) {
-	// UPDATE COMMAND
-	$sql  = "UPDATE `profile_mash` SET name='" . mysqli_real_escape_string($connect, $_GET['name']);
-	$sql .= "', notes='" . mysqli_real_escape_string($connect, $_GET['notes']);
-	$sql .= "', steps='" . json_encode($_GET['steps']);
-	$sql .= "' WHERE record='" . $_GET['record'] . "';";
-	$result = mysqli_query($connect, $sql);
-	if (! $result) {
-		syslog(LOG_NOTICE, "db_profile_mash: ".$sql." result: ".mysqli_error($connect));
-	} else {
-		syslog(LOG_NOTICE, "db_profile_mash: updated record ".$_GET['record']);
+		if (isset($_GET['update'])) {
+			syslog(LOG_NOTICE, "db_profile_mash: updated record ".$_GET['record']);
+		} else {
+			$lastid = mysqli_insert_id($connect);
+			syslog(LOG_NOTICE, "db_profile_mash: inserted record ".$lastid);
+		}
 	}
 	echo $result;
 
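Review bot: The `WHERE record='...'` clause built on the update branch interpolates `$_GET['record']` into the statement unescaped, while every other input on the new side goes through `mysqli_real_escape_string`; it should read `$sql .= "' WHERE record='" . mysqli_real_escape_string($connect, $_GET['record']) . "';";`. The `steps` column is only protected by the `$rescapers` replacement of single quotes; passing the `json_encode` output through `mysqli_real_escape_string` instead, `$sql .= "', steps='" . mysqli_real_escape_string($connect, json_encode($array));`, would be consistent with the other columns and would also cover the backslashes that `json_encode` emits, which the server may otherwise consume as escape sequences depending on the SQL mode in use. The `foreach` over `$array` also assumes `$_GET['steps']` is an array of arrays; an `is_array()` guard before the loop would avoid a warning on malformed input. The `$escapers`/`$replacements` pairs in the context lines map `\x08` to `\f` and `\x0c` to `\b`, which looks swapped, but that is pre-existing code outside this change.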
