diff -r ae5e8d740173 -r b28a3d6143bc www/includes/db_profile_mash.php
--- a/www/includes/db_profile_mash.php Sat Dec 01 22:24:46 2018 +0100
+++ b/www/includes/db_profile_mash.php Wed Dec 05 14:16:39 2018 +0100
@@ -12,34 +12,44 @@
 $escapers = array("\\", "/", "\"", "\n", "\r", "\t", "\x08", "\x0c");
 $replacements = array("\\\\", "\\/", "\\\"", "\\n", "\\r", "\\t", "\\f", "\\b");
+$rescapers = array("'");
+$rreplacements = array("\\'");
+$disallowed = array('visibleindex','uniqueid','boundindex','uid');
 // get data and store in a json array
 $query = "SELECT * FROM profile_mash ORDER BY name";
-if (isset($_GET['insert'])) {
- // INSERT COMMAND
- $sql = "INSERT INTO `profile_mash` SET name='" . mysqli_real_escape_string($connect, $_GET['name']);
+if (isset($_GET['insert']) || isset($_GET['update'])) {
+ if (isset($_GET['insert'])) {
+ $sql = "INSERT INTO";
+ }
+ if (isset($_GET['update'])) {
+ $sql = "UPDATE";
+ }
+ $sql .= " `profile_mash` SET name='" . mysqli_real_escape_string($connect, $_GET['name']);
 $sql .= "', notes='" . mysqli_real_escape_string($connect, $_GET['notes']);
- $sql .= "', steps='" . json_encode($_GET['steps']);
- $sql .= "';";
+ $array = $_GET['steps'];
+ foreach($array as $key => $item){
+ foreach ($disallowed as $disallowed_key) {
+ unset($array[$key]["$disallowed_key"]);
+ }
+ }
+ $sql .= "', steps='" . str_replace($rescapers,$rreplacements,json_encode($array));
+ if (isset($_GET['insert'])) {
+ $sql .= "';";
+ }
+ if (isset($_GET['update'])) {
+ $sql .= "' WHERE record='" . $_GET['record'] . "';";
+ }
 $result = mysqli_query($connect, $sql);
 if (! $result) {
 syslog(LOG_NOTICE, "db_profile_mash: ".$sql." result: ".mysqli_error($connect));
 } else {
- syslog(LOG_NOTICE, "db_profile_mash: inserted ".$_GET['name']);
- }
- echo $result;
-
-} else if (isset($_GET['update'])) {
- // UPDATE COMMAND
- $sql = "UPDATE `profile_mash` SET name='" . mysqli_real_escape_string($connect, $_GET['name']);
- $sql .= "', notes='" . mysqli_real_escape_string($connect, $_GET['notes']);
- $sql .= "', steps='" . json_encode($_GET['steps']);
- $sql .= "' WHERE record='" . $_GET['record'] . "';";
- $result = mysqli_query($connect, $sql);
- if (! 
$result) {
- syslog(LOG_NOTICE, "db_profile_mash: ".$sql." result: ".mysqli_error($connect));
- } else {
- syslog(LOG_NOTICE, "db_profile_mash: updated record ".$_GET['record']);
+ if (isset($_GET['update'])) {
+ syslog(LOG_NOTICE, "db_profile_mash: updated record ".$_GET['record']);
+ } else {
+ $lastid = mysqli_insert_id($connect);
+ syslog(LOG_NOTICE, "db_profile_mash: inserted record ".$lastid);
+ }
 }
 echo $result;
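Review bot: The new UPDATE path still concatenates `$_GET['record']` raw into the WHERE clause (`+ $sql .= "' WHERE record='" . $_GET['record'] . "';"`), so a crafted `record` value breaks out of the quoted literal and controls which rows are overwritten, while `name` and `notes` on the lines above are escaped; at minimum change it to `$sql .= "' WHERE record='" . mysqli_real_escape_string($connect, $_GET['record']) . "';";`, and the cleaner fix is a `mysqli_prepare`/`bind_param` statement for the whole INSERT/UPDATE. The `steps` column relies on `str_replace($rescapers, $rreplacements, json_encode($array))` — a hand-rolled quote escape that covers `'` but not the backslash/charset cases the driver handles — so `mysqli_real_escape_string($connect, json_encode($array))` is the safer replacement for that line too. Note also that on failure the full `$sql`, including the user-supplied values, is written to syslog, and that these row-mutating operations are driven by GET parameters; whether an authentication or CSRF check guards this include is not visible here. The hunk's hidden-blank context and trailing lines make it possible that this top-level statement run continues past what is shown.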