--- a/www/includes/db_profile_mash.php Tue Apr 13 16:54:26 2021 +0200
+++ b/www/includes/db_profile_mash.php Tue Apr 13 16:55:25 2021 +0200
@@ -10,11 +10,8 @@
 }
 mysqli_set_charset($connect, "utf8" );
-$escapers = array("\\", "/", "\"", "\n", "\r", "\t", "\x08", "\x0c");
-$replacements = array("\\\\", "\\/", "\\\"", "\\n", "\\r", "\\t", "\\f", "\\b");
 $rescapers = array("'");
 $rreplacements = array("\\'");
-$disallowed = array('visibleindex','uniqueid','boundindex','uid');
 if (isset($_POST['insert']) || isset($_POST['update'])) {
 if (isset($_POST['insert'])) {
@@ -79,7 +76,7 @@
 } else { // SELECT COMMAND
- $query = "SELECT * FROM profile_mash ORDER BY name";
+ $query = "SELECT record,JSON_QUOTE(name),JSON_QUOTE(notes),steps FROM profile_mash ORDER BY name";
 $result = mysqli_query($connect, $query) or die("SQL Error 1: " . mysqli_error($connect));
 $mashprofiles = '[';
 $comma = FALSE;
@@ -89,11 +86,12 @@
 $mashprofiles .= ',';
 }
 $comma = TRUE;
- $mashprofiles .= '{"record":' . $row['record'];
- $mashprofiles .= ',"name":"' . str_replace($escapers, $replacements, $row['name']);
- $mashprofiles .= '","notes":"' . str_replace($escapers, $replacements, $row['notes']);
- $mashprofiles .= '","steps":' . $row['steps'];
- $mashprofiles .= '}';
+ $mashprofile = '{"record":' . $row['record'];
+ $mashprofile .= ',"name":' . $row['JSON_QUOTE(name)'];
+ $mashprofile .= ',"notes":' . $row['JSON_QUOTE(notes)'];
+ $mashprofile .= ',"steps":' . $row['steps'] . '}';
+//syslog(LOG_NOTICE, $mashprofile);
+ $mashprofiles .= $mashprofile;
 }
 $mashprofiles .= ']';
 header("Content-type: application/json");
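Review bot: In the `@@ -79,7 +76,7 @@` hunk the new SELECT wraps `name` and `notes` in `JSON_QUOTE()` without a NULL guard or an alias. `JSON_QUOTE(NULL)` yields NULL, so if either column can be NULL (the schema is not visible here) the later concatenation would emit `"notes":,` and the whole response stops parsing; the unaliased expressions also force the PHP side to index rows by the literal expression text. I would write `JSON_QUOTE(IFNULL(name,'')) AS name, JSON_QUOTE(IFNULL(notes,'')) AS notes` and read `$row['name']` / `$row['notes']` in the loop. Separately, the unchanged `die("SQL Error 1: " . mysqli_error($connect))` on the next line returns raw database error text to the client; logging it server-side and sending a generic message would be safer.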
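Review bot: In the `@@ -89,11 +86,12 @@` hunk `$row['steps']` is still spliced into the JSON text verbatim, so it is now the one field whose validity nothing checks. If the stored value is NULL, empty or malformed (it is presumably written by the insert/update branch from request data, which is outside this hunk), every client gets an unparseable array, and whatever was stored is passed through unfiltered. Round-tripping it keeps the output well-formed: `$mashprofile .= ',"steps":' . json_encode(json_decode($row['steps'])) . '}';`. The commented-out `//syslog(LOG_NOTICE, $mashprofile);` debug line should be dropped rather than committed. The enclosing loop starts outside this hunk.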