www/includes/db_profile_mash.php

changeset 736
d3d8e3b30a34
parent 716
57118e6a4bdb
child 768
ae1195153fa2
--- a/www/includes/db_profile_mash.php	Tue Apr 13 16:54:26 2021 +0200
+++ b/www/includes/db_profile_mash.php	Tue Apr 13 16:55:25 2021 +0200
@@ -10,11 +10,8 @@
 }
 mysqli_set_charset($connect, "utf8" );
 
-$escapers = array("\\", "/", "\"", "\n", "\r", "\t", "\x08", "\x0c");
-$replacements = array("\\\\", "\\/", "\\\"", "\\n", "\\r", "\\t", "\\f", "\\b");
 $rescapers = array("'");
 $rreplacements = array("\\'");
-$disallowed = array('visibleindex','uniqueid','boundindex','uid');
 
 if (isset($_POST['insert']) || isset($_POST['update'])) {
 	if (isset($_POST['insert'])) {
@@ -79,7 +76,7 @@
 
 } else {
 	// SELECT COMMAND
-	$query = "SELECT * FROM profile_mash ORDER BY name";
+	$query = "SELECT record,JSON_QUOTE(name),JSON_QUOTE(notes),steps FROM profile_mash ORDER BY name";
 	$result = mysqli_query($connect, $query) or die("SQL Error 1: " . mysqli_error($connect));
 	$mashprofiles = '[';
 	$comma = FALSE;
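Review bot: The new SELECT leaves both `JSON_QUOTE(...)` columns unaliased, so the later lookups such as `$row['JSON_QUOTE(name)']` depend on the exact expression text and break on any change of spacing or wording in the query. JSON_QUOTE also returns NULL for a NULL column, which would emit `"name":` with no value and make the whole response invalid JSON. Aliasing and coalescing in the query covers both, e.g. `JSON_QUOTE(COALESCE(name,'')) AS name, JSON_QUOTE(COALESCE(notes,'')) AS notes`, with the loop then reading `$row['name']` and `$row['notes']`. Separately, the unchanged `die("SQL Error 1: " . mysqli_error($connect))` line returns raw database error text to the client; logging it server-side and sending a generic message would avoid disclosing schema details.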
@@ -89,11 +86,12 @@
 			$mashprofiles .= ',';
 		}
 		$comma = TRUE;
-		$mashprofiles .= '{"record":' . $row['record'];
-	        $mashprofiles .= ',"name":"'  . str_replace($escapers, $replacements, $row['name']);
-		$mashprofiles .= '","notes":"' . str_replace($escapers, $replacements, $row['notes']);
-		$mashprofiles .= '","steps":' . $row['steps'];
-		$mashprofiles .= '}';
+		$mashprofile  = '{"record":' . $row['record'];
+		$mashprofile .= ',"name":'  . $row['JSON_QUOTE(name)'];
+		$mashprofile .= ',"notes":' . $row['JSON_QUOTE(notes)'];
+		$mashprofile .= ',"steps":' . $row['steps'] . '}';
+//syslog(LOG_NOTICE, $mashprofile);
+		$mashprofiles .= $mashprofile;
 	}
 	$mashprofiles .= ']';
 	header("Content-type: application/json");
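Review bot: `$row['record']` and `$row['steps']` are still concatenated into the response unquoted, so a NULL, empty or malformed `steps` value yields invalid JSON. If that column is written from the POST branch without validation (not visible in this hunk), whatever was stored is returned verbatim under `Content-type: application/json`. Checking it before use would contain this, e.g. `$steps = json_decode((string)$row['steps']) !== null ? $row['steps'] : '[]';` together with `(int)$row['record']`. The commented-out `//syslog(LOG_NOTICE, $mashprofile);` is leftover debugging and is better removed than committed. The enclosing loop starts outside the hunk.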
