diff --git a/application/config/config.sample.php b/application/config/config.sample.php index 115b87b46..3dc42eaa5 100644 --- a/application/config/config.sample.php +++ b/application/config/config.sample.php @@ -513,7 +513,11 @@ $config['sess_driver'] = 'files'; $config['sess_cookie_name'] = 'ci_cloudlog'; $config['sess_expiration'] = 0; -$config['sess_save_path'] = '/tmp'; +$cloudlog_session_path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cloudlog_' . md5((string) (realpath(FCPATH) ?: FCPATH)) . '_sessions'; +if (!is_dir($cloudlog_session_path)) { + @mkdir($cloudlog_session_path, 0700, true); +} +$config['sess_save_path'] = $cloudlog_session_path; $config['sess_match_ip'] = FALSE; $config['sess_time_to_update'] = 300; $config['sess_regenerate_destroy'] = FALSE; diff --git a/application/config/migration.php b/application/config/migration.php index a691c9281..dd480fe85 100644 --- a/application/config/migration.php +++ b/application/config/migration.php @@ -22,7 +22,7 @@ | */ -$config['migration_version'] = 271; +$config['migration_version'] = 272; /* |-------------------------------------------------------------------------- diff --git a/application/controllers/Awards.php b/application/controllers/Awards.php index 293790327..430522aba 100644 --- a/application/controllers/Awards.php +++ b/application/controllers/Awards.php @@ -84,7 +84,7 @@ public function dok() } if ($logbooks_locations_array) { - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $data['dok_array'] = $this->dok->get_dok_array($bands, $postdata, $location_list); $data['dok_summary'] = $this->dok->get_dok_summary($bands, $postdata, $location_list); } else { @@ -1715,7 +1715,7 @@ public function get_dxcc_qsos() { $this->load->model('logbooks_model'); - $dxcc_id = $this->security->xss_clean($this->input->post('dxcc_id')); + $dxcc_id = (int) $this->security->xss_clean($this->input->post('dxcc_id')); $limit = $this->security->xss_clean($this->input->post('limit')) ?: 20; if (!$dxcc_id || !is_numeric($dxcc_id)) { @@ -1732,7 +1732,7 @@ public function get_dxcc_qsos() return; } - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); try { // Get QSOs for this DXCC @@ -1776,7 +1776,7 @@ public function get_dxcc_qsos_by_status() { $this->load->model('logbooks_model'); - $dxcc_id = $this->security->xss_clean($this->input->post('dxcc_id')); + $dxcc_id = (int) $this->security->xss_clean($this->input->post('dxcc_id')); $status = $this->security->xss_clean($this->input->post('status')); $limit = $this->security->xss_clean($this->input->post('limit')) ?: 100; @@ -1794,7 +1794,7 @@ public function get_dxcc_qsos_by_status() return; } - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); try { // Build WHERE clause for status filter @@ -1864,7 +1864,7 @@ public function get_continent_qsos() return; } - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); try { // Get all DXCC entities for this continent with their status in a single query @@ -1881,7 +1881,7 @@ public function get_continent_qsos() END as status FROM dxcc_entities d LEFT JOIN " . $this->config->item('table_name') . " c ON d.adif = c.col_dxcc AND c.station_id IN (" . $location_list . ") - WHERE d.cont = '" . $this->db->escape_like_str($continent_code) . "' + WHERE d.cont = '" . $this->db->escape_str($continent_code) . "' GROUP BY d.adif, d.name, d.prefix, d.cont ORDER BY d.name ASC "); diff --git a/application/controllers/Contesting.php b/application/controllers/Contesting.php index 6d8653421..d7d2d77bc 100644 --- a/application/controllers/Contesting.php +++ b/application/controllers/Contesting.php @@ -121,7 +121,7 @@ public function edit($id) { $this->load->model('Contesting_model'); $this->load->library('form_validation'); - $item_id_clean = $this->security->xss_clean($id); + $item_id_clean = (int) $id; $data['contest'] = $this->Contesting_model->contest($item_id_clean); diff --git a/application/controllers/Labels.php b/application/controllers/Labels.php index 181a23afe..731542a17 100644 --- a/application/controllers/Labels.php +++ b/application/controllers/Labels.php @@ -143,7 +143,7 @@ public function printids() { } public function print($station_id) { - $clean_id = xss_clean($station_id); + $clean_id = (int) $station_id; $offset = xss_clean($this->input->post('startat')); $grid = xss_clean($this->input->post('grid') ?? 0); $via = xss_clean($this->input->post('via') ?? 0); @@ -397,7 +397,7 @@ function generateLabel($pdf, $current_callsign, $tableData,$numofqsos,$qso,$orie public function edit($id) { $this->load->model('labels_model'); - $cleanid = $this->security->xss_clean($id); + $cleanid = (int) $id; $data['label'] = $this->labels_model->getLabel($cleanid,$this->session->userdata('user_id')); @@ -425,7 +425,7 @@ public function delete($id) { } public function saveDefaultLabel() { - $id = $this->input->post('id'); + $id = (int) $this->input->post('id'); $this->load->model('labels_model'); $this->labels_model->saveDefaultLabel($id); } @@ -438,7 +438,7 @@ public function startAtLabel() { public function editPaper($id) { $this->load->model('labels_model'); - $cleanid = $this->security->xss_clean($id); + $cleanid = (int) $id; $data['paper'] = $this->labels_model->getPaper($cleanid); @@ -455,7 +455,7 @@ public function updatePaper($id) { $this->labels_model->updatePaper($id); } catch (\Throwable $th) { $this->session->set_flashdata('error', 'Your paper could not be saved. Remember that it can\'t have the same name as existing paper types.'); - $cleanid = $this->security->xss_clean($id); + $cleanid = (int) $id; redirect('labels/editpaper/'.$cleanid); } $this->session->set_flashdata('message', 'Paper was saved.'); diff --git a/application/controllers/Lookup.php b/application/controllers/Lookup.php index 4b7228922..fd2ca1817 100644 --- a/application/controllers/Lookup.php +++ b/application/controllers/Lookup.php @@ -31,7 +31,7 @@ public function search() { $CI->load->model('logbooks_model'); $logbooks_locations_array = $CI->logbooks_model->list_logbook_relationships($this->session->userdata('active_station_logbook')); - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $this->load->model('lookup_model'); $this->load->model('bands'); diff --git a/application/controllers/Oqrs.php b/application/controllers/Oqrs.php index ab9ca35bd..f043e84c1 100644 --- a/application/controllers/Oqrs.php +++ b/application/controllers/Oqrs.php @@ -122,7 +122,7 @@ public function requests() { $logbooks_locations_array = $CI->logbooks_model->list_logbook_relationships($this->session->userdata('active_station_logbook')); if ($logbooks_locations_array) { - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); } else { $location_list = null; } diff --git a/application/controllers/Themes.php b/application/controllers/Themes.php index 2420e6896..fea4906d0 100644 --- a/application/controllers/Themes.php +++ b/application/controllers/Themes.php @@ -56,7 +56,7 @@ public function edit($id) $this->load->model('Themes_model'); - $item_id_clean = $this->security->xss_clean($id); + $item_id_clean = (int) $id; $data['theme'] = $this->Themes_model->theme($item_id_clean); diff --git a/application/controllers/Visitor.php b/application/controllers/Visitor.php index 628adf79a..4eea12595 100644 --- a/application/controllers/Visitor.php +++ b/application/controllers/Visitor.php @@ -237,7 +237,7 @@ public function satellites() $data['page_title'] = "Public Gridsquare Map"; // Get available bands for this logbook - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); // Get bands (excluding satellites) $bands_query = $this->db->query( diff --git a/application/migrations/272_tag_2_8_15.php b/application/migrations/272_tag_2_8_15.php new file mode 100644 index 000000000..941225e56 --- /dev/null +++ b/application/migrations/272_tag_2_8_15.php @@ -0,0 +1,30 @@ +db->where('option_name', 'version'); + $this->db->update('options', array('option_value' => '2.8.15')); + + // Trigger Version Info Dialog + $this->db->where('option_type', 'version_dialog'); + $this->db->where('option_name', 'confirmed'); + $this->db->update('user_options', array('option_value' => 'false')); + + } + + public function down() + { + $this->db->where('option_name', 'version'); + $this->db->update('options', array('option_value' => '2.8.14')); + } +} \ No newline at end of file diff --git a/application/models/Accumulate_model.php b/application/models/Accumulate_model.php index fe4cfca90..8f1765bbf 100644 --- a/application/models/Accumulate_model.php +++ b/application/models/Accumulate_model.php @@ -12,7 +12,10 @@ function get_accumulated_data($band, $award, $mode, $period) { return array(); } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_ids = array_map('intval', $logbooks_locations_array); + $location_list = implode(',', $location_ids); + $band = $this->db->escape_str($band); + $mode = $this->db->escape_str($mode); switch ($award) { case 'dxcc': $result = $this->get_accumulated_dxcc($band, $mode, $period, $location_list); break; diff --git a/application/models/Activated_gridmap_model.php b/application/models/Activated_gridmap_model.php index d757723c2..0b573f9a5 100644 --- a/application/models/Activated_gridmap_model.php +++ b/application/models/Activated_gridmap_model.php @@ -11,7 +11,10 @@ function get_band_confirmed($band, $mode, $qsl, $lotw, $eqsl, $qrz, $sat) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); + $band = $this->db->escape_str($band); + $mode = $this->db->escape_str($mode); + $sat = $this->db->escape_str($sat); $sql = 'SELECT DISTINCT station_gridsquare AS GRID_SQUARES, COL_BAND FROM ' . 'station_profile JOIN '.$this->config->item('table_name').' on '.$this->config->item('table_name').'.station_id = station_profile.station_id ' @@ -48,7 +51,10 @@ function get_band($band, $mode, $qsl, $lotw, $eqsl, $qrz, $sat) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); + $band = $this->db->escape_str($band); + $mode = $this->db->escape_str($mode); + $sat = $this->db->escape_str($sat); $sql = 'SELECT DISTINCT station_gridsquare AS GRID_SQUARES, COL_BAND FROM ' . 'station_profile JOIN '.$this->config->item('table_name').' on '.$this->config->item('table_name').'.station_id = station_profile.station_id ' @@ -84,7 +90,10 @@ function get_band_worked_vucc_squares($band, $mode, $qsl, $lotw, $eqsl, $qrz, $s return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); + $band = $this->db->escape_str($band); + $mode = $this->db->escape_str($mode); + $sat = $this->db->escape_str($sat); $sql = 'SELECT distinct COL_VUCC_GRIDS, COL_BAND FROM ' .$this->config->item('table_name') @@ -121,7 +130,10 @@ function get_band_confirmed_vucc_squares($band, $mode, $qsl, $lotw, $eqsl, $qrz, return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); + $band = $this->db->escape_str($band); + $mode = $this->db->escape_str($mode); + $sat = $this->db->escape_str($sat); $sql = 'SELECT distinct COL_VUCC_GRIDS, COL_BAND FROM ' .$this->config->item('table_name') @@ -188,7 +200,7 @@ function get_worked_modes() { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); // get all worked modes from database $data = $this->db->query( diff --git a/application/models/Activators_model.php b/application/models/Activators_model.php index 687fb6aad..67f16b10c 100644 --- a/application/models/Activators_model.php +++ b/application/models/Activators_model.php @@ -3,6 +3,21 @@ class Activators_model extends CI_Model { + private function normalize_location_ids($location_list) { + if (!is_array($location_list)) { + return array(); + } + + $ids = array(); + foreach ($location_list as $id) { + if (is_numeric($id)) { + $ids[] = (int) $id; + } + } + + return array_values(array_unique($ids)); + } + function get_activators($band, $mincount, $leogeo) { $CI =& get_instance(); $CI->load->model('logbooks_model'); @@ -16,36 +31,44 @@ function get_activators($band, $mincount, $leogeo) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_ids = $this->normalize_location_ids($logbooks_locations_array); + if (empty($location_ids)) { + return null; + } - $sql = "select COL_CALL as `call`, COUNT(DISTINCT(SUBSTR(COL_GRIDSQUARE,1,4))) AS `count`, GROUP_CONCAT(DISTINCT SUBSTR(`COL_GRIDSQUARE`,1,4) ORDER BY `COL_GRIDSQUARE` SEPARATOR ', ') AS `grids` from ".$this->config->item('table_name')." WHERE station_id in (" . $location_list . ")"; + $this->db->select("COL_CALL as `call`, COUNT(DISTINCT(SUBSTR(COL_GRIDSQUARE,1,4))) AS `count`, GROUP_CONCAT(DISTINCT SUBSTR(`COL_GRIDSQUARE`,1,4) ORDER BY `COL_GRIDSQUARE` SEPARATOR ', ') AS `grids`", false); + $this->db->from($this->config->item('table_name')); + $this->db->where_in('station_id', $location_ids); if ($band != 'All') { if ($band == 'SAT') { switch ($leogeo) { case 'both' : - $sql .= " and col_prop_mode ='" . $band . "'"; + $this->db->where('col_prop_mode', $band); break; case 'leo' : - $sql .= " and col_prop_mode = '" . $band . "'"; - $sql .= " and col_sat_name != 'QO-100'"; + $this->db->where('col_prop_mode', $band); + $this->db->where('col_sat_name !=', 'QO-100'); break; case 'geo' : - $sql .= " and col_prop_mode = '" . $band . "'"; - $sql .= " and col_sat_name = 'QO-100'"; + $this->db->where('col_prop_mode', $band); + $this->db->where('col_sat_name', 'QO-100'); break; default : - $sql .= " and col_prop_mode ='" . $band . "'"; + $this->db->where('col_prop_mode', $band); break; } } else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and COL_BAND ='" . $band . "'"; + $this->db->where('col_prop_mode !=', 'SAT'); + $this->db->where('COL_BAND', $band); } } - $sql .= " AND `COL_GRIDSQUARE` != '' GROUP BY `COL_CALL` HAVING `count` >= ".$mincount." ORDER BY `count` DESC;"; + $this->db->where('COL_GRIDSQUARE !=', ''); + $this->db->group_by('COL_CALL'); + $this->db->having('COUNT(DISTINCT(SUBSTR(COL_GRIDSQUARE,1,4))) >=', (int) $mincount, false); + $this->db->order_by('count', 'DESC', false); - $query = $this->db->query($sql); + $query = $this->db->get(); return $query->result(); } @@ -59,36 +82,42 @@ function get_activators_vucc($band, $leogeo) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_ids = $this->normalize_location_ids($logbooks_locations_array); + if (empty($location_ids)) { + return null; + } - $sql = "SELECT DISTINCT COL_CALL AS `call`, GROUP_CONCAT(COL_VUCC_GRIDS) AS `vucc_grids` FROM ".$this->config->item('table_name')." WHERE station_id in (" . $location_list . ")"; + $this->db->select('COL_CALL AS `call`, GROUP_CONCAT(COL_VUCC_GRIDS) AS `vucc_grids`', false); + $this->db->from($this->config->item('table_name')); + $this->db->where_in('station_id', $location_ids); if ($band != 'All') { if ($band == 'SAT') { switch ($leogeo) { case 'both' : - $sql .= " and col_prop_mode ='" . $band . "'"; + $this->db->where('col_prop_mode', $band); break; case 'leo' : - $sql .= " and col_prop_mode = '" . $band . "'"; - $sql .= " and col_sat_name != 'QO-100'"; + $this->db->where('col_prop_mode', $band); + $this->db->where('col_sat_name !=', 'QO-100'); break; case 'geo' : - $sql .= " and col_prop_mode = '" . $band . "'"; - $sql .= " and col_sat_name = 'QO-100'"; + $this->db->where('col_prop_mode', $band); + $this->db->where('col_sat_name', 'QO-100'); break; default : - $sql .= " and col_prop_mode ='" . $band . "'"; + $this->db->where('col_prop_mode', $band); break; } } else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and COL_BAND ='" . $band . "'"; + $this->db->where('col_prop_mode !=', 'SAT'); + $this->db->where('COL_BAND', $band); } } - $sql .= " AND COL_VUCC_GRIDS != '' GROUP BY COL_CALL;"; + $this->db->where('COL_VUCC_GRIDS !=', ''); + $this->db->group_by('COL_CALL'); - $query = $this->db->query($sql); + $query = $this->db->get(); return $query->result(); } @@ -101,12 +130,19 @@ function get_max_activated_grids() { return array(); } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_ids = $this->normalize_location_ids($logbooks_locations_array); + if (empty($location_ids)) { + return array(); + } - // Get max no of activated grids of single operator - $data = $this->db->query( - "select COUNT(DISTINCT(SUBSTR(COL_GRIDSQUARE,1,4))) AS `count` from " . $this->config->item('table_name') . " WHERE station_id in (" . $location_list . ") AND `COL_GRIDSQUARE` != '' GROUP BY `COL_CALL` ORDER BY `count` DESC LIMIT 1" - ); + $this->db->select('COUNT(DISTINCT(SUBSTR(COL_GRIDSQUARE,1,4))) AS `count`', false); + $this->db->from($this->config->item('table_name')); + $this->db->where_in('station_id', $location_ids); + $this->db->where('COL_GRIDSQUARE !=', ''); + $this->db->group_by('COL_CALL'); + $this->db->order_by('count', 'DESC', false); + $this->db->limit(1); + $data = $this->db->get(); foreach($data->result() as $row){ $max = $row->count; } diff --git a/application/models/Adif_data.php b/application/models/Adif_data.php index ba8517900..58acb2d9d 100644 --- a/application/models/Adif_data.php +++ b/application/models/Adif_data.php @@ -126,10 +126,10 @@ function export_custom($from, $to, $station_id, $exportLotw = false) { // If date is set, we format the date and add it to the where-statement if ($from) { - $this->db->where("date(".$this->config->item('table_name').".COL_TIME_ON) >= '".$from."'"); + $this->db->where('DATE('.$this->config->item('table_name').'.COL_TIME_ON) >= '.$this->db->escape($from), NULL, FALSE); } if ($to) { - $this->db->where("date(".$this->config->item('table_name').".COL_TIME_ON) <= '".$to."'"); + $this->db->where('DATE('.$this->config->item('table_name').'.COL_TIME_ON) <= '.$this->db->escape($to), NULL, FALSE); } if ($exportLotw) { $this->db->group_start(); diff --git a/application/models/Bands.php b/application/models/Bands.php index 489c981fa..675d285bf 100644 --- a/application/models/Bands.php +++ b/application/models/Bands.php @@ -193,7 +193,7 @@ function get_worked_bands($award = 'None') { return array(); } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); // get all worked slots from database $data = $this->db->query( @@ -233,7 +233,7 @@ function get_worked_bands_distances() { if (!$logbooks_locations_array) { return array(); } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); // get all worked slots from database $sql = "SELECT distinct LOWER(COL_BAND) as COL_BAND FROM ".$this->config->item('table_name')." WHERE station_id in (" . $location_list . ")"; @@ -265,7 +265,7 @@ function get_worked_sats() { return array(); } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); // get all worked sats from database $sql = "SELECT distinct col_sat_name FROM ".$this->config->item('table_name')." WHERE station_id in (" . $location_list . ") and coalesce(col_sat_name, '') <> '' ORDER BY col_sat_name"; @@ -289,7 +289,7 @@ function get_worked_bands_dok() { return array(); } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); // get all worked slots from database $data = $this->db->query( @@ -321,7 +321,7 @@ function get_worked_powers() { return array(); } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); // get all worked powers from database $sql = "SELECT distinct col_tx_pwr FROM ".$this->config->item('table_name')." WHERE station_id in (" . $location_list . ") ORDER BY col_tx_pwr"; @@ -416,8 +416,10 @@ function add() { $this->db->insert('bands', $data); } - $this->db->query("insert into bandxuser (bandid, userid, active, cq, dok, dxcc, iota, pota, sig, sota, uscounties, was, wwff, vucc) - select bands.id, " . $this->session->userdata('user_id') . ", 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from bands where band ='".$data['band']."' and not exists (select 1 from bandxuser where userid = " . $this->session->userdata('user_id') . " and bandid = bands.id);"); + $user_id = (int) $this->session->userdata('user_id'); + $sql = "insert into bandxuser (bandid, userid, active, cq, dok, dxcc, iota, pota, sig, sota, uscounties, was, wwff, vucc) + select bands.id, ?, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from bands where band = ? and not exists (select 1 from bandxuser where userid = ? and bandid = bands.id)"; + $this->db->query($sql, array($user_id, $data['band'], $user_id)); } function getband($id) { @@ -442,10 +444,12 @@ function saveupdatedband($id, $band) { } function get_worked_bands_oqrs($station_id) { + $station_id = (int) $station_id; // get all worked slots from database $data = $this->db->query( - "SELECT distinct LOWER(`COL_BAND`) as `COL_BAND` FROM `".$this->config->item('table_name')."` WHERE station_id in (" . $station_id . ") AND COL_PROP_MODE != \"SAT\"" + "SELECT distinct LOWER(`COL_BAND`) as `COL_BAND` FROM `".$this->config->item('table_name')."` WHERE station_id = ? AND COL_PROP_MODE != \"SAT\"", + array($station_id) ); $worked_slots = array(); foreach($data->result() as $row){ @@ -453,7 +457,8 @@ function get_worked_bands_oqrs($station_id) { } $SAT_data = $this->db->query( - "SELECT distinct LOWER(`COL_PROP_MODE`) as `COL_PROP_MODE` FROM `".$this->config->item('table_name')."` WHERE station_id in (" . $station_id . ") AND COL_PROP_MODE = \"SAT\"" + "SELECT distinct LOWER(`COL_PROP_MODE`) as `COL_PROP_MODE` FROM `".$this->config->item('table_name')."` WHERE station_id = ? AND COL_PROP_MODE = \"SAT\"", + array($station_id) ); foreach($SAT_data->result() as $row){ diff --git a/application/models/Cat.php b/application/models/Cat.php index 2360217b5..50cc5a144 100644 --- a/application/models/Cat.php +++ b/application/models/Cat.php @@ -157,8 +157,9 @@ function radios() { } function radio_status($id) { - $sql = 'SELECT * FROM `cat` WHERE id = ' . $id . ' and user_id =' . $this->session->userdata('user_id'); - return $this->db->query($sql); + $this->db->where('id', (int) $id); + $this->db->where('user_id', (int) $this->session->userdata('user_id')); + return $this->db->get('cat'); } // Return recent radio status for a specific user_id (no session required, for public widgets) diff --git a/application/models/Contesting_model.php b/application/models/Contesting_model.php index 2850073a0..42c9a5b43 100644 --- a/application/models/Contesting_model.php +++ b/application/models/Contesting_model.php @@ -18,17 +18,17 @@ function getSessionQsos($qso) { if ($date == false) $date = new DateTime('today', new DateTimeZone('UTC')); $date = $date->format('Y-m-d H:i:s'); - $sql = "SELECT date_format(col_time_on, '%d-%m-%Y %H:%i:%s') as col_time_on, col_call, col_band, col_mode, - col_submode, col_rst_sent, col_rst_rcvd, coalesce(col_srx, '') col_srx, coalesce(col_srx_string, '') col_srx_string, - coalesce(col_stx, '') col_stx, coalesce(col_stx_string, '') col_stx_string, coalesce(col_gridsquare, '') col_gridsquare, - coalesce(col_vucc_grids, '') col_vucc_grids FROM " . - $this->config->item('table_name') . - " WHERE station_id = " . $station_id . - " AND COL_TIME_ON >= '" . $date . "'" . - " AND COL_CONTEST_ID = '" . $contestid . "'" . - " ORDER BY COL_PRIMARY_KEY ASC"; - - $data = $this->db->query($sql); + $this->db->select("date_format(col_time_on, '%d-%m-%Y %H:%i:%s') as col_time_on, col_call, col_band, col_mode, + col_submode, col_rst_sent, col_rst_rcvd, coalesce(col_srx, '') col_srx, coalesce(col_srx_string, '') col_srx_string, + coalesce(col_stx, '') col_stx, coalesce(col_stx_string, '') col_stx_string, coalesce(col_gridsquare, '') col_gridsquare, + coalesce(col_vucc_grids, '') col_vucc_grids", false); + $this->db->from($this->config->item('table_name')); + $this->db->where('station_id', (int) $station_id); + $this->db->where('COL_TIME_ON >=', $date); + $this->db->where('COL_CONTEST_ID', $contestid); + $this->db->order_by('COL_PRIMARY_KEY', 'ASC'); + + $data = $this->db->get(); return $data->result(); } @@ -37,7 +37,7 @@ function getSessionFreshQsos($contest_id) { $CI->load->model('Stations'); $station_id = $CI->Stations->find_active(); - $contestid = $contest_id; + $contestid = (string) $contest_id; // save contestid to debug // Get current date and time @@ -45,17 +45,17 @@ function getSessionFreshQsos($contest_id) { $now->modify('-1 minute'); $date = $now->format('Y-m-d H:i:s'); - $sql = "SELECT date_format(col_time_on, '%d-%m-%Y %H:%i:%s') as col_time_on, col_call, col_band, col_mode, - col_submode, col_rst_sent, col_rst_rcvd, coalesce(col_srx, '') col_srx, coalesce(col_srx_string, '') col_srx_string, - coalesce(col_stx, '') col_stx, coalesce(col_stx_string, '') col_stx_string, coalesce(col_gridsquare, '') col_gridsquare, - coalesce(col_vucc_grids, '') col_vucc_grids FROM " . - $this->config->item('table_name') . - " WHERE station_id = " . $station_id . - " AND COL_TIME_ON >= '" . $date . "'" . - " AND COL_CONTEST_ID = '" . $contestid . "'" . - " ORDER BY COL_PRIMARY_KEY ASC"; + $this->db->select("date_format(col_time_on, '%d-%m-%Y %H:%i:%s') as col_time_on, col_call, col_band, col_mode, + col_submode, col_rst_sent, col_rst_rcvd, coalesce(col_srx, '') col_srx, coalesce(col_srx_string, '') col_srx_string, + coalesce(col_stx, '') col_stx, coalesce(col_stx_string, '') col_stx_string, coalesce(col_gridsquare, '') col_gridsquare, + coalesce(col_vucc_grids, '') col_vucc_grids", false); + $this->db->from($this->config->item('table_name')); + $this->db->where('station_id', (int) $station_id); + $this->db->where('COL_TIME_ON >=', $date); + $this->db->where('COL_CONTEST_ID', $contestid); + $this->db->order_by('COL_PRIMARY_KEY', 'ASC'); - $data = $this->db->query($sql); + $data = $this->db->get(); return $data->result(); } @@ -65,9 +65,8 @@ function getSession() { $CI->load->model('Stations'); $station_id = $CI->Stations->find_active(); - $sql = "SELECT * from contest_session where station_id = " . $station_id; - - $data = $this->db->query($sql); + $this->db->where('station_id', (int) $station_id); + $data = $this->db->get('contest_session'); return $data->row(); } @@ -79,9 +78,8 @@ function deleteSession() { $CI->load->model('Stations'); $station_id = $CI->Stations->find_active(); - $sql = "delete from contest_session where station_id = " . $station_id; - - $this->db->query($sql); + $this->db->where('station_id', (int) $station_id); + $this->db->delete('contest_session'); return; } @@ -118,9 +116,8 @@ function setSession() { $data['copytodok'] = xss_clean($this->input->post('copyexchangeto')); } - $sql = "SELECT * from contest_session where station_id = " . $station_id; - - $querydata = $this->db->query($sql); + $this->db->where('station_id', (int) $station_id); + $querydata = $this->db->get('contest_session'); if ($querydata->num_rows() == 0) { $this->db->insert('contest_session', $data); @@ -169,16 +166,14 @@ function getAllContests() { } function delete($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; // Delete Contest $this->db->delete('contest', array('id' => $clean_id)); } function activate($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; $data = array( 'active' => '1', @@ -192,8 +187,7 @@ function activate($id) { } function deactivate($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; $data = array( 'active' => '0', @@ -216,12 +210,11 @@ function add() { } function contest($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; - $sql = "SELECT id, name, adifname, active FROM contest where id =" . $clean_id; - - $data = $this->db->query($sql); + $this->db->select('id, name, adifname, active'); + $this->db->where('id', $clean_id); + $data = $this->db->get('contest'); return ($data->row()); } @@ -233,7 +226,7 @@ function edit($id) { 'active' => xss_clean($this->input->post('active', true)), ); - $this->db->where('id', $id); + $this->db->where('id', (int) $id); $this->db->update('contest', $data); } @@ -290,6 +283,8 @@ function checkIfWorkedBefore($call, $band, $mode, $contest) { } function export_custom($from, $to, $contest_id, $station_id) { + $station_id = (int) $station_id; + $contest_id = (string) $contest_id; $this->db->select(''.$this->config->item('table_name').'.*, station_profile.*'); $this->db->from($this->config->item('table_name')); $this->db->where($this->config->item('table_name').'.station_id', $station_id); @@ -298,12 +293,12 @@ function export_custom($from, $to, $contest_id, $station_id) { if ($from != 0) { $from = DateTime::createFromFormat('Y-m-d', $from); $from = $from->format('Y-m-d'); - $this->db->where("date(".$this->config->item('table_name').".COL_TIME_ON) >= '".$from."'"); + $this->db->where('DATE('.$this->config->item('table_name').'.COL_TIME_ON) >= '.$this->db->escape($from), NULL, FALSE); } if ($to != 0) { $to = DateTime::createFromFormat('Y-m-d', $to); $to = $to->format('Y-m-d'); - $this->db->where("date(".$this->config->item('table_name').".COL_TIME_ON) <= '".$to."'"); + $this->db->where('DATE('.$this->config->item('table_name').'.COL_TIME_ON) <= '.$this->db->escape($to), NULL, FALSE); } $this->db->where($this->config->item('table_name').'.COL_CONTEST_ID', $contest_id); @@ -318,56 +313,59 @@ function export_custom($from, $to, $contest_id, $station_id) { function get_logged_contests2() { $CI =& get_instance(); $CI->load->model('Stations'); - $station_id = $CI->Stations->find_active(); + $station_id = (int) $CI->Stations->find_active(); - $sql = "select col_contest_id, min(date(col_time_on)) mindate, max(date(col_time_on)) maxdate, year(col_time_on) year, month(col_time_on) month - from " . $this->config->item('table_name') . " - where coalesce(COL_CONTEST_ID, '') <> '' - and station_id =" . $station_id; + $this->db->select('col_contest_id, min(date(col_time_on)) mindate, max(date(col_time_on)) maxdate, year(col_time_on) year, month(col_time_on) month', false); + $this->db->from($this->config->item('table_name')); + $this->db->where("coalesce(COL_CONTEST_ID, '') <> ''", NULL, FALSE); + $this->db->where('station_id', $station_id); + $this->db->group_by('COL_CONTEST_ID, year(col_time_on), month(col_time_on)', false); + $this->db->order_by('year(col_time_on)', 'DESC', false); - $sql .= " group by COL_CONTEST_ID , year(col_time_on), month(col_time_on) order by year(col_time_on) desc"; - - $data = $this->db->query($sql); + $data = $this->db->get(); return ($data->result()); } function get_logged_years($station_id) { - - $sql = "select distinct year(col_time_on) year - from " . $this->config->item('table_name') . " - where coalesce(COL_CONTEST_ID, '') <> '' - and station_id =" . $station_id; - - $sql .= " order by year(col_time_on) desc"; - - $data = $this->db->query($sql); + $station_id = (int) $station_id; + $this->db->distinct(); + $this->db->select('year(col_time_on) year', false); + $this->db->from($this->config->item('table_name')); + $this->db->where("coalesce(COL_CONTEST_ID, '') <> ''", NULL, FALSE); + $this->db->where('station_id', $station_id); + $this->db->order_by('year(col_time_on)', 'DESC', false); + $data = $this->db->get(); return $data->result(); } function get_logged_contests($station_id, $year) { - $sql = "select distinct col_contest_id - from " . $this->config->item('table_name') . " - where coalesce(COL_CONTEST_ID, '') <> '' - and station_id =" . $station_id . - " and year(col_time_on) ='" . $year . "'"; - - $sql .= " order by COL_CONTEST_ID asc"; - - $data = $this->db->query($sql); + $station_id = (int) $station_id; + $year = (int) $year; + $this->db->distinct(); + $this->db->select('col_contest_id'); + $this->db->from($this->config->item('table_name')); + $this->db->where("coalesce(COL_CONTEST_ID, '') <> ''", NULL, FALSE); + $this->db->where('station_id', $station_id); + $this->db->where('year(col_time_on)', $year, false); + $this->db->order_by('COL_CONTEST_ID', 'ASC'); + $data = $this->db->get(); return $data->result(); } function get_contest_dates($station_id, $year, $contestid) { - $sql = "select distinct (date(col_time_on)) date - from " . $this->config->item('table_name') . " - where coalesce(COL_CONTEST_ID, '') <> '' - and station_id =" . $station_id . - " and year(col_time_on) ='" . $year . "' and col_contest_id ='" . $contestid . "'"; - - $data = $this->db->query($sql); + $station_id = (int) $station_id; + $year = (int) $year; + $this->db->distinct(); + $this->db->select('date(col_time_on) date', false); + $this->db->from($this->config->item('table_name')); + $this->db->where("coalesce(COL_CONTEST_ID, '') <> ''", NULL, FALSE); + $this->db->where('station_id', $station_id); + $this->db->where('year(col_time_on)', $year, false); + $this->db->where('col_contest_id', $contestid); + $data = $this->db->get(); return $data->result(); } diff --git a/application/models/Counties.php b/application/models/Counties.php index ec2bf0fc9..001cf256a 100644 --- a/application/models/Counties.php +++ b/application/models/Counties.php @@ -31,13 +31,13 @@ function get_counties_summary() { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('uscounties'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; // Normalize county/state values so imported variants group consistently. $normalizedCountyExpression = "LOWER(TRIM(SUBSTRING_INDEX(COL_CNTY, ',', -1)))"; @@ -98,13 +98,13 @@ function get_counties($state, $confirmationtype) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('uscounties'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $normalizedCountySelect = "TRIM(SUBSTRING_INDEX(COL_CNTY, ',', -1))"; $normalizedCountyOrder = "LOWER(TRIM(SUBSTRING_INDEX(COL_CNTY, ',', -1)))"; diff --git a/application/models/Cq.php b/application/models/Cq.php index bf0fa515a..aea6b5356 100644 --- a/application/models/Cq.php +++ b/application/models/Cq.php @@ -1,6 +1,17 @@ sanitize_location_list($location_list); + if ($location_list === '') { + return array(); + } + $mode = $this->db->escape_str($postdata['mode']); $sql = "SELECT distinct col_cqz FROM " . $this->config->item('table_name') . " thcv where station_id in (" . $location_list . ") and col_cqz <= 40 and col_cqz <> ''"; if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; + $sql .= " and (col_mode = '" . $mode . "' or col_submode = '" . $mode . "')"; } $sql .= $this->addBandToQuery($band); @@ -93,7 +109,7 @@ function getCQWorked($location_list, $band, $postdata) { ") and col_cqz = thcv.col_cqz and col_cqz <> '' "; if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; + $sql .= " and (col_mode = '" . $mode . "' or col_submode = '" . $mode . "')"; } $sql .= $this->addBandToQuery($band); @@ -112,11 +128,16 @@ function getCQWorked($location_list, $band, $postdata) { * $postdata contains data from the form, in this case Lotw or QSL are used */ function getCQConfirmed($location_list, $band, $postdata) { + $location_list = $this->sanitize_location_list($location_list); + if ($location_list === '') { + return array(); + } + $mode = $this->db->escape_str($postdata['mode']); $sql = "SELECT distinct col_cqz FROM " . $this->config->item('table_name') . " thcv where station_id in (" . $location_list . ") and col_cqz <= 40 and col_cqz <> ''"; if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; + $sql .= " and (col_mode = '" . $mode . "' or col_submode = '" . $mode . "')"; } $sql .= $this->addBandToQuery($band); @@ -149,6 +170,7 @@ function addQslToQuery($postdata) { } function addBandToQuery($band) { + $band = $this->db->escape_str($band); $sql = ''; if ($band != 'All') { if ($band == 'SAT') { @@ -182,28 +204,33 @@ function get_cq_summary($bands, $postdata, $location_list) { } function getSummaryByBand($band, $postdata, $location_list) { + $location_list = $this->sanitize_location_list($location_list); + if ($location_list === '') { + return array((object) array('count' => 0)); + } + $mode = $this->db->escape_str($postdata['mode']); $sql = "SELECT count(distinct thcv.col_cqz) as count FROM " . $this->config->item('table_name') . " thcv"; $sql .= " where station_id in (" . $location_list . ') and col_cqz <= 40 and col_cqz > 0'; if ($band == 'SAT') { - $sql .= " and thcv.col_prop_mode ='" . $band . "'"; + $sql .= " and thcv.col_prop_mode ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('cq'); - - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_sanitized = array_map(array($this->db, 'escape_str'), $bandslots); + $bandslots_list = "'".implode("','",$bandslots_sanitized)."'"; $sql .= " and thcv.col_band in (" . $bandslots_list . ")" . " and thcv.col_prop_mode !='SAT'"; } else { $sql .= " and thcv.col_prop_mode !='SAT'"; - $sql .= " and thcv.col_band ='" . $band . "'"; + $sql .= " and thcv.col_band ='" . $this->db->escape_str($band) . "'"; } if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; + $sql .= " and (col_mode = '" . $mode . "' or col_submode = '" . $mode . "')"; } $query = $this->db->query($sql); @@ -212,28 +239,33 @@ function getSummaryByBand($band, $postdata, $location_list) { } function getSummaryByBandConfirmed($band, $postdata, $location_list){ + $location_list = $this->sanitize_location_list($location_list); + if ($location_list === '') { + return array((object) array('count' => 0)); + } + $mode = $this->db->escape_str($postdata['mode']); $sql = "SELECT count(distinct thcv.col_cqz) as count FROM " . $this->config->item('table_name') . " thcv"; $sql .= " where station_id in (" . $location_list . ') and col_cqz <= 40 and col_cqz > 0'; if ($band == 'SAT') { - $sql .= " and thcv.col_prop_mode ='" . $band . "'"; + $sql .= " and thcv.col_prop_mode ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('cq'); - - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_sanitized = array_map(array($this->db, 'escape_str'), $bandslots); + $bandslots_list = "'".implode("','",$bandslots_sanitized)."'"; $sql .= " and thcv.col_band in (" . $bandslots_list . ")" . " and thcv.col_prop_mode !='SAT'"; } else { $sql .= " and thcv.col_prop_mode !='SAT'"; - $sql .= " and thcv.col_band ='" . $band . "'"; + $sql .= " and thcv.col_band ='" . $this->db->escape_str($band) . "'"; } if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; + $sql .= " and (col_mode = '" . $mode . "' or col_submode = '" . $mode . "')"; } $sql .= $this->addQslToQuery($postdata); diff --git a/application/models/Dayswithqso_model.php b/application/models/Dayswithqso_model.php index 65a900a98..75248ebe9 100644 --- a/application/models/Dayswithqso_model.php +++ b/application/models/Dayswithqso_model.php @@ -13,7 +13,7 @@ function getDaysWithQso() return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "select year(COL_TIME_ON) Year, COUNT(DISTINCT TO_DAYS(COL_TIME_ON)) as Days from " .$this->config->item('table_name'). " thcv @@ -169,7 +169,7 @@ function getDates() { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "select distinct cast(col_time_on as date) as date from " .$this->config->item('table_name'). " thcv @@ -193,7 +193,7 @@ function getDaysOfWeek() return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "SELECT DAYNAME(col_time_off) AS weekday, COUNT(*) AS qsos FROM " . $this->config->item('table_name') . " WHERE WEEKDAY(col_time_off) BETWEEN 0 AND 6 AND station_id in (" . $location_list . ")" @@ -222,7 +222,7 @@ function getHistoryDays() $max_date_query = $this->db->query('SELECT MAX(DATE(col_time_off)) AS max_date FROM ' . $this->config->item('table_name')); $max_date = $max_date_query->row()->max_date; - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "WITH RECURSIVE all_dates AS ( SELECT ? AS date diff --git a/application/models/Dok.php b/application/models/Dok.php index 2f7fc297c..3f09ac7eb 100644 --- a/application/models/Dok.php +++ b/application/models/Dok.php @@ -91,9 +91,7 @@ function getDokWorked($location_list, $band, $postdata) { $sql = "SELECT DISTINCT COL_DARC_DOK FROM " . $this->config->item('table_name') . " thcv WHERE station_id IN (" . $location_list . ") AND COL_DARC_DOK <> '' AND COL_DARC_DOK <> 'NM'"; - if ($postdata['mode'] != 'All') { - $sql .= " AND (COL_MODE = '" . $postdata['mode'] . "' OR COL_SUBMODE = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addDokTypeToQuery($postdata['doks']); $sql .= $this->addBandToQuery($band); $sql .= " AND NOT EXISTS (SELECT 1 from " . $this->config->item('table_name') . @@ -112,9 +110,7 @@ function getDokWorked($location_list, $band, $postdata) { function getDokConfirmed($location_list, $band, $postdata) { $sql = "SELECT DISTINCT COL_DARC_DOK FROM " . $this->config->item('table_name') . " thcv WHERE station_id IN (" . $location_list . ") AND COL_DARC_DOK <> '' AND COL_DARC_DOK <> '' AND COL_DARC_DOK <> 'NM'"; - if ($postdata['mode'] != 'All') { - $sql .= " AND (COL_MODE = '" . $postdata['mode'] . "' or COL_SUBMODE = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addDokTypeToQuery($postdata['doks']); $sql .= $this->addBandToQuery($band); $sql .= $this->addQslToQuery($postdata); @@ -145,16 +141,25 @@ function addQslToQuery($postdata) { function addBandToQuery($band) { $sql = ''; if ($band != 'All') { + $safeBand = $this->db->escape_str($band); if ($band == 'SAT') { - $sql .= " AND COL_PROP_MODE ='" . $band . "'"; + $sql .= " AND COL_PROP_MODE ='" . $safeBand . "'"; } else { $sql .= " AND COL_PROP_MODE !='SAT'"; - $sql .= " AND col_BAND ='" . $band . "'"; + $sql .= " AND col_BAND ='" . $safeBand . "'"; } } return $sql; } + function addModeToQuery($mode) { + if ($mode == 'All') { + return ''; + } + $safeMode = $this->db->escape_str($mode); + return " AND (COL_MODE = '" . $safeMode . "' OR COL_SUBMODE = '" . $safeMode . "')"; + } + function addDokTypeToQuery($doks) { $sql = ''; if ($doks == 'dok') { @@ -187,15 +192,15 @@ function getSummaryByBand($band, $postdata, $location_list) { $sql = "SELECT count(distinct thcv.COL_DARC_DOK) AS count FROM " . $this->config->item('table_name') . " thcv"; $sql .= " WHERE station_id IN (" . $location_list . ') AND COL_DARC_DOK != "" AND COL_DARC_DOK <> "NM"'; if ($band == 'SAT') { - $sql .= " AND thcv.COL_PROP_MODE ='" . $band . "'"; + $sql .= " AND thcv.COL_PROP_MODE ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('dok'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $sql .= " AND thcv.COL_BAND in (" . $bandslots_list . ")"; } else { $sql .= " AND thcv.COL_PROP_MODE !='SAT'"; - $sql .= " AND thcv.COL_BAND ='" . $band . "'"; + $sql .= " AND thcv.COL_BAND ='" . $this->db->escape_str($band) . "'"; } if ($postdata['doks'] == 'dok') { $sql .= " AND COL_DARC_DOK REGEXP '^[A-Z][0-9]{2}$'"; @@ -210,15 +215,15 @@ function getSummaryByBandConfirmed($band, $postdata, $location_list){ $sql = "SELECT count(distinct thcv.COL_DARC_DOK) AS count FROM " . $this->config->item('table_name') . " thcv"; $sql .= " WHERE station_id IN (" . $location_list . ') AND COL_DARC_DOK != "" AND COL_DARC_DOK <> "NM"'; if ($band == 'SAT') { - $sql .= " AND thcv.COL_PROP_MODE ='" . $band . "'"; + $sql .= " AND thcv.COL_PROP_MODE ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('dok'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $sql .= " AND thcv.COL_BAND in (" . $bandslots_list . ")"; } else { $sql .= " AND thcv.COL_PROP_MODE !='SAT'"; - $sql .= " AND thcv.COL_BAND ='" . $band . "'"; + $sql .= " AND thcv.COL_BAND ='" . $this->db->escape_str($band) . "'"; } if ($postdata['doks'] == 'dok') { $sql .= " AND COL_DARC_DOK REGEXP '^[A-Z][0-9]{2}$'"; diff --git a/application/models/Dxcc.php b/application/models/Dxcc.php index 4a1585beb..54a33609d 100644 --- a/application/models/Dxcc.php +++ b/application/models/Dxcc.php @@ -73,7 +73,7 @@ function get_dxcc_array($dxccArray, $bands, $postdata) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $qsl = ""; if ($postdata['confirmed'] != NULL) { @@ -151,9 +151,7 @@ function getDxccBandConfirmed($location_list, $band, $postdata) { $sql .= $this->addBandToQuery($band); - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addYearToQuery($postdata); $sql .= $this->addQslToQuery($postdata); @@ -181,9 +179,7 @@ function getDxccBandWorked($location_list, $band, $postdata) { $sql .= $this->addBandToQuery($band); - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addYearToQuery($postdata); @@ -204,16 +200,25 @@ function getDxccBandWorked($location_list, $band, $postdata) { function addBandToQuery($band) { $sql = ''; if ($band != 'All') { + $safeBand = $this->db->escape_str($band); if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; + $sql .= " and col_prop_mode ='" . $safeBand . "'"; } else { $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; + $sql .= " and col_band ='" . $safeBand . "'"; } } return $sql; } + function addModeToQuery($mode) { + if ($mode == 'All') { + return ''; + } + $safeMode = $this->db->escape_str($mode); + return " and (col_mode = '" . $safeMode . "' or col_submode = '" . $safeMode . "')"; + } + function addYearToQuery($postdata) { $sql = ''; if (!empty($postdata['year']) && $postdata['year'] !== 'All') { @@ -230,7 +235,7 @@ function get_worked_years() { if (!$logbooks_locations_array) { return []; } - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "SELECT DISTINCT YEAR(col_time_on) as year FROM " . $this->config->item('table_name') . " WHERE station_id IN (" . $location_list . ") AND col_dxcc > 0 AND col_time_on IS NOT NULL ORDER BY year DESC"; $query = $this->db->query($sql); @@ -246,7 +251,7 @@ function fetchDxcc($postdata) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "select adif, prefix, name, cont, date(end) Enddate, date(start) Startdate, lat, `long` from dxcc_entities"; @@ -254,19 +259,9 @@ function fetchDxcc($postdata) { if ($postdata['notworked'] == NULL) { $sql .= " join (select col_dxcc from " . $this->config->item('table_name') . " where station_id in (" . $location_list . ") and col_dxcc > 0"; - if ($postdata['band'] != 'All') { - if ($postdata['band'] == 'SAT') { - $sql .= " and col_prop_mode ='" . $postdata['band'] . "'"; - } - else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $postdata['band'] . "'"; - } - } + $sql .= $this->addBandToQuery($postdata['band']); - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= ' group by col_dxcc) x on dxcc_entities.adif = x.col_dxcc'; } @@ -295,9 +290,7 @@ function getDxccWorked($location_list, $postdata) { $sql .= $this->addBandToQuery($postdata['band']); - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addYearToQuery($postdata); @@ -305,9 +298,7 @@ function getDxccWorked($location_list, $postdata) { $sql .= $this->addBandToQuery($postdata['band']); - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addYearToQuery($postdata); @@ -340,9 +331,7 @@ function getDxccConfirmed($location_list, $postdata) { $sql .= $this->addBandToQuery($postdata['band']); - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addYearToQuery($postdata); $sql .= $this->addQslToQuery($postdata); @@ -429,7 +418,7 @@ function get_dxcc_summary($bands, $postdata) return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); foreach ($bands as $band) { $worked = $this->getSummaryByBand($band, $postdata, $location_list); @@ -455,24 +444,22 @@ function getSummaryByBand($band, $postdata, $location_list) $sql .= " where station_id in (" . $location_list . ") and col_dxcc > 0"; if ($band == 'SAT') { - $sql .= " and thcv.col_prop_mode ='" . $band . "'"; + $sql .= " and thcv.col_prop_mode ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('dxcc'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $sql .= " and thcv.col_band in (" . $bandslots_list . ")" . " and thcv.col_prop_mode !='SAT'"; } else { $sql .= " and thcv.col_prop_mode !='SAT'"; - $sql .= " and thcv.col_band ='" . $band . "'"; + $sql .= " and thcv.col_band ='" . $this->db->escape_str($band) . "'"; } - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); if ($postdata['includedeleted'] == NULL) { $sql .= " and d.end is null"; @@ -493,24 +480,22 @@ function getSummaryByBandConfirmed($band, $postdata, $location_list) $sql .= " where station_id in (" . $location_list . ")"; if ($band == 'SAT') { - $sql .= " and thcv.col_prop_mode ='" . $band . "'"; + $sql .= " and thcv.col_prop_mode ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('dxcc'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $sql .= " and thcv.col_band in (" . $bandslots_list . ")" . " and thcv.col_prop_mode !='SAT'"; } else { $sql .= " and thcv.col_prop_mode !='SAT'"; - $sql .= " and thcv.col_band ='" . $band . "'"; + $sql .= " and thcv.col_band ='" . $this->db->escape_str($band) . "'"; } - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addQslToQuery($postdata); diff --git a/application/models/Ffma_model.php b/application/models/Ffma_model.php index b78f7b9f5..cd9aea9cd 100644 --- a/application/models/Ffma_model.php +++ b/application/models/Ffma_model.php @@ -43,7 +43,7 @@ function get_lotw() { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct substring(COL_GRIDSQUARE,1,4) as GRID_SQUARES FROM ' .$this->config->item('table_name') @@ -62,7 +62,7 @@ function get_paper() { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct substring(COL_GRIDSQUARE,1,4) as GRID_SQUARES FROM ' .$this->config->item('table_name') @@ -81,7 +81,7 @@ function get_worked() { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct substring(COL_GRIDSQUARE,1,4) as GRID_SQUARES FROM ' .$this->config->item('table_name') @@ -99,7 +99,7 @@ function get_vucc_lotw() { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct COL_VUCC_GRIDS as VUCC_GRIDS FROM ' .$this->config->item('table_name') @@ -131,7 +131,7 @@ function get_vucc_paper() { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct COL_VUCC_GRIDS as VUCC_GRIDS FROM ' .$this->config->item('table_name') @@ -163,7 +163,7 @@ function get_vucc_worked() { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct COL_VUCC_GRIDS as VUCC_GRIDS FROM ' .$this->config->item('table_name') diff --git a/application/models/Gmdxsummer_model.php b/application/models/Gmdxsummer_model.php index 4d7dfe2ca..17be4832e 100644 --- a/application/models/Gmdxsummer_model.php +++ b/application/models/Gmdxsummer_model.php @@ -12,15 +12,18 @@ public function get_week($end_date, $band, $mode) $CI->load->model('logbooks_model'); $logbooks_locations_array = $CI->logbooks_model->list_logbook_relationships($this->session->userdata('active_station_logbook')); - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + if (!$logbooks_locations_array) { + return 0; + } + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $query = $this->db->query(" SELECT COUNT(DISTINCT SUBSTRING(COL_GRIDSQUARE, 1, 4)) AS count FROM " . $table_name . " - WHERE station_id in (" . $location_list . ") AND COL_MODE = '" . $mode . "' AND COL_BAND = '" . $band . "' + WHERE station_id in (" . $location_list . ") AND COL_MODE = ? AND COL_BAND = ? AND COL_GRIDSQUARE IS NOT NULL AND COL_GRIDSQUARE != '' - AND (COL_TIME_ON >= '" . self::START_DATE . "' AND COL_TIME_ON <= '" . $end_date . "') - "); + AND (COL_TIME_ON >= ? AND COL_TIME_ON <= ?) + ", array($mode, $band, self::START_DATE, $end_date)); return $query->row()->count; } @@ -33,15 +36,18 @@ public function get_week_voice($end_date, $band) $CI->load->model('logbooks_model'); $logbooks_locations_array = $CI->logbooks_model->list_logbook_relationships($this->session->userdata('active_station_logbook')); - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + if (!$logbooks_locations_array) { + return 0; + } + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $query = $this->db->query(" SELECT COUNT(DISTINCT SUBSTRING(COL_GRIDSQUARE, 1, 4)) AS count FROM " . $table_name . " - WHERE station_id in (".$location_list.") AND COL_MODE IN ('SSB', 'AM', 'FM') AND COL_BAND = '" . $band . "' + WHERE station_id in (".$location_list.") AND COL_MODE IN ('SSB', 'AM', 'FM') AND COL_BAND = ? AND COL_GRIDSQUARE IS NOT NULL AND COL_GRIDSQUARE != '' - AND (COL_TIME_ON >= '" . self::START_DATE . "' AND COL_TIME_ON <= '" . $end_date . "') - "); + AND (COL_TIME_ON >= ? AND COL_TIME_ON <= ?) + ", array($band, self::START_DATE, $end_date)); return $query->row()->count; @@ -55,15 +61,18 @@ public function get_week_digital($end_date, $band) $CI->load->model('logbooks_model'); $logbooks_locations_array = $CI->logbooks_model->list_logbook_relationships($this->session->userdata('active_station_logbook')); - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + if (!$logbooks_locations_array) { + return 0; + } + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $query = $this->db->query(" SELECT COUNT(DISTINCT SUBSTRING(COL_GRIDSQUARE, 1, 4)) AS count FROM " . $table_name . " - WHERE station_id in (".$location_list.") AND COL_MODE NOT IN ('CW', 'FM', 'SSB', 'AM') AND COL_BAND = '" . $band . "' + WHERE station_id in (".$location_list.") AND COL_MODE NOT IN ('CW', 'FM', 'SSB', 'AM') AND COL_BAND = ? AND COL_GRIDSQUARE IS NOT NULL AND COL_GRIDSQUARE != '' - AND (COL_TIME_ON >= '" . self::START_DATE . "' AND COL_TIME_ON <= '" . $end_date . "') - "); + AND (COL_TIME_ON >= ? AND COL_TIME_ON <= ?) + ", array($band, self::START_DATE, $end_date)); return $query->row()->count; } @@ -76,9 +85,12 @@ public function get_week_combined($end_date, $band) $CI->load->model('logbooks_model'); $logbooks_locations_array = $CI->logbooks_model->list_logbook_relationships($this->session->userdata('active_station_logbook')); - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + if (!$logbooks_locations_array) { + return 0; + } + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); - $query = $this->db->query(" + $query = $this->db->query(" SELECT COUNT(DISTINCT CONCAT( UPPER(SUBSTRING(COL_GRIDSQUARE, 1, 4)), '-', @@ -89,10 +101,10 @@ public function get_week_combined($end_date, $band) END )) AS count FROM " . $table_name . " - WHERE station_id in (".$location_list.") AND COL_BAND = '" . $band . "' + WHERE station_id in (".$location_list.") AND COL_BAND = ? AND COL_GRIDSQUARE IS NOT NULL AND COL_GRIDSQUARE != '' - AND (COL_TIME_ON >= '" . self::START_DATE . "' AND COL_TIME_ON <= '" . $end_date . "') - "); + AND (COL_TIME_ON >= ? AND COL_TIME_ON <= ?) + ", array($band, self::START_DATE, $end_date)); return $query->row()->count; } diff --git a/application/models/Gridmap_model.php b/application/models/Gridmap_model.php index 6581b37aa..da8872a74 100644 --- a/application/models/Gridmap_model.php +++ b/application/models/Gridmap_model.php @@ -14,7 +14,10 @@ function get_band_confirmed($band, $mode, $qsl, $lotw, $eqsl, $qrz, $sat, $logbo return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); + $band = $this->db->escape_str($band); + $mode = $this->db->escape_str($mode); + $sat = $this->db->escape_str($sat); $sql = 'SELECT distinct substring(COL_GRIDSQUARE,1,6) as GRID_SQUARES, COL_BAND FROM ' .$this->config->item('table_name') @@ -54,7 +57,10 @@ function get_band($band, $mode, $qsl, $lotw, $eqsl, $qrz, $sat, $logbooks_locati return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); + $band = $this->db->escape_str($band); + $mode = $this->db->escape_str($mode); + $sat = $this->db->escape_str($sat); $sql = 'SELECT distinct substring(COL_GRIDSQUARE,1,6) as GRID_SQUARES, COL_BAND FROM ' .$this->config->item('table_name') @@ -92,7 +98,10 @@ function get_band_worked_vucc_squares($band, $mode, $qsl, $lotw, $eqsl, $qrz, $s return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); + $band = $this->db->escape_str($band); + $mode = $this->db->escape_str($mode); + $sat = $this->db->escape_str($sat); $sql = 'SELECT distinct COL_VUCC_GRIDS, COL_BAND FROM ' .$this->config->item('table_name') @@ -130,7 +139,10 @@ function get_band_confirmed_vucc_squares($band, $mode, $qsl, $lotw, $eqsl, $qrz, return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); + $band = $this->db->escape_str($band); + $mode = $this->db->escape_str($mode); + $sat = $this->db->escape_str($sat); $sql = 'SELECT distinct COL_VUCC_GRIDS, COL_BAND FROM ' .$this->config->item('table_name') @@ -198,7 +210,7 @@ function get_worked_modes() { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); // get all worked modes from database $data = $this->db->query( diff --git a/application/models/Gridmaster_model.php b/application/models/Gridmaster_model.php index 99c7debf5..2178cae54 100644 --- a/application/models/Gridmaster_model.php +++ b/application/models/Gridmaster_model.php @@ -75,7 +75,7 @@ function get_lotw($dxcc) { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct substring(COL_GRIDSQUARE,1,4) as GRID_SQUARES FROM ' .$this->config->item('table_name') @@ -94,7 +94,7 @@ function get_paper($dxcc) { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct substring(COL_GRIDSQUARE,1,4) as GRID_SQUARES FROM ' .$this->config->item('table_name') @@ -113,7 +113,7 @@ function get_worked($dxcc) { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct substring(COL_GRIDSQUARE,1,4) as GRID_SQUARES FROM ' .$this->config->item('table_name') @@ -131,7 +131,7 @@ function get_vucc_lotw($dxcc) { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct COL_VUCC_GRIDS as VUCC_GRIDS FROM ' .$this->config->item('table_name') @@ -163,7 +163,7 @@ function get_vucc_paper($dxcc) { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct COL_VUCC_GRIDS as VUCC_GRIDS FROM ' .$this->config->item('table_name') @@ -195,7 +195,7 @@ function get_vucc_worked($dxcc) { if (!$logbooks_locations_array) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = 'SELECT distinct COL_VUCC_GRIDS as VUCC_GRIDS FROM ' .$this->config->item('table_name') diff --git a/application/models/Iota.php b/application/models/Iota.php index 895298d62..58603e11f 100644 --- a/application/models/Iota.php +++ b/application/models/Iota.php @@ -11,7 +11,7 @@ function get_iota_array($iotaArray, $bands, $postdata) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); foreach ($bands as $band) { // Looping through bands and iota to generate the array needed for display foreach ($iotaArray as $iota) { @@ -74,9 +74,7 @@ function getIotaBandConfirmed($location_list, $band, $postdata) { ") and thcv.col_iota is not null and (col_qsl_rcvd = 'Y' or col_lotw_qsl_rcvd = 'Y')"; - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addBandToQuery($band); @@ -97,9 +95,7 @@ function getIotaBandWorked($location_list, $band, $postdata) { where station_id in (' . $location_list . ') and thcv.col_iota is not null'; - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addBandToQuery($band); @@ -123,7 +119,7 @@ function fetchIota($postdata) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "select tag, name, prefix, dxccid, status, lat1, lat2, lon1, lon2 from iota where 1=1"; @@ -136,19 +132,9 @@ function fetchIota($postdata) { if ($postdata['notworked'] == NULL) { $sql .= " and exists (select 1 from " . $this->config->item('table_name') . " where station_id in (". $location_list . ") and col_iota = iota.tag"; - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); - if ($postdata['band'] != 'All') { - if ($postdata['band'] == 'SAT') { - $sql .= " and col_prop_mode ='" . $postdata['band'] . "'"; - } - else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $postdata['band'] . "'"; - } - } + $sql .= $this->addBandToQuery($postdata['band']); $sql .= ")"; } @@ -166,9 +152,7 @@ function getIotaWorked($location_list, $postdata) { and not exists (select 1 from ". $this->config->item('table_name') . " where station_id in (" . $location_list . ") and col_iota = thcv.col_iota"; - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addBandToQuery($postdata['band']); @@ -180,9 +164,7 @@ function getIotaWorked($location_list, $postdata) { $sql .= " and coalesce(iota.status, '') <> 'D'"; } - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addContinentsToQuery($postdata); @@ -198,9 +180,7 @@ function getIotaConfirmed($location_list, $postdata) { ") and thcv.col_iota is not null and (col_qsl_rcvd = 'Y' or col_lotw_qsl_rcvd = 'Y')"; - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); if ($postdata['includedeleted'] == NULL) { $sql .= " and coalesce(iota.status, '') <> 'D'"; @@ -261,7 +241,7 @@ function get_iota_summary($bands, $postdata) return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); foreach ($bands as $band) { $worked = $this->getSummaryByBand($band, $postdata, $location_list); @@ -287,28 +267,26 @@ function getSummaryByBand($band, $postdata, $location_list) $sql .= " where station_id in (" . $location_list . ")"; if ($band == 'SAT') { - $sql .= " and thcv.col_prop_mode ='" . $band . "'"; + $sql .= " and thcv.col_prop_mode ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('iota'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $sql .= " and thcv.col_band in (" . $bandslots_list . ")" . " and thcv.col_prop_mode !='SAT'"; } else { $sql .= " and thcv.col_prop_mode !='SAT'"; - $sql .= " and thcv.col_band ='" . $band . "'"; + $sql .= " and thcv.col_band ='" . $this->db->escape_str($band) . "'"; } if ($postdata['includedeleted'] == NULL) { $sql .= " and coalesce(iota.status, '') <> 'D'"; } - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addContinentsToQuery($postdata); @@ -325,28 +303,26 @@ function getSummaryByBandConfirmed($band, $postdata, $location_list) $sql .= " where station_id in (" . $location_list . ")"; if ($band == 'SAT') { - $sql .= " and thcv.col_prop_mode ='" . $band . "'"; + $sql .= " and thcv.col_prop_mode ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('iota'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $sql .= " and thcv.col_band in (" . $bandslots_list . ")" . " and thcv.col_prop_mode !='SAT'"; } else { $sql .= " and thcv.col_prop_mode !='SAT'"; - $sql .= " and thcv.col_band ='" . $band . "'"; + $sql .= " and thcv.col_band ='" . $this->db->escape_str($band) . "'"; } if ($postdata['includedeleted'] == NULL) { $sql .= " and coalesce(iota.status, '') <> 'D'"; } - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addContinentsToQuery($postdata); @@ -360,14 +336,23 @@ function getSummaryByBandConfirmed($band, $postdata, $location_list) function addBandToQuery($band) { $sql = ''; if ($band != 'All') { + $safeBand = $this->db->escape_str($band); if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; + $sql .= " and col_prop_mode ='" . $safeBand . "'"; } else { $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; + $sql .= " and col_band ='" . $safeBand . "'"; } } return $sql; } + + function addModeToQuery($mode) { + if ($mode == 'All') { + return ''; + } + $safeMode = $this->db->escape_str($mode); + return " and (col_mode = '" . $safeMode . "' or col_submode = '" . $safeMode . "')"; + } } ?> diff --git a/application/models/Labels_model.php b/application/models/Labels_model.php index 550cc8a54..2837ae365 100644 --- a/application/models/Labels_model.php +++ b/application/models/Labels_model.php @@ -95,15 +95,14 @@ function fetchPapertypes($user_id) { function fetchQsos($user_id) { - $qsl = "select count(*) count, station_profile.station_profile_name, station_profile.station_callsign, station_profile.station_id, station_profile.station_gridsquare - from ". $this->config->item('table_name') . " as l - join station_profile on l.station_id = station_profile.station_id - where l.COL_QSL_SENT in ('R', 'Q') - and station_profile.user_id = " . $user_id . - " group by station_profile.station_profile_name, station_profile.station_callsign, station_profile.station_id, station_profile.station_gridsquare - order by station_profile.station_callsign"; - - $query = $this->db->query($qsl); + $this->db->select("count(*) count, station_profile.station_profile_name, station_profile.station_callsign, station_profile.station_id, station_profile.station_gridsquare", false); + $this->db->from($this->config->item('table_name') . ' as l'); + $this->db->join('station_profile', 'l.station_id = station_profile.station_id'); + $this->db->where_in('l.COL_QSL_SENT', array('R', 'Q')); + $this->db->where('station_profile.user_id', (int) $user_id); + $this->db->group_by('station_profile.station_profile_name, station_profile.station_callsign, station_profile.station_id, station_profile.station_gridsquare'); + $this->db->order_by('station_profile.station_callsign'); + $query = $this->db->get(); return $query->result(); } @@ -125,12 +124,15 @@ function getPaperType($ptype_id) { } function saveDefaultLabel($id) { - $sql = 'update label_types set useforprint = 0 where user_id = ' . $this->session->userdata('user_id'); - $this->db->query($sql); + $user_id = (int) $this->session->userdata('user_id'); + $cleanid = (int) $id; - $cleanid = xss_clean($id); - $sql = 'update label_types set useforprint = 1 where user_id = ' . $this->session->userdata('user_id') . ' and id = ' . $cleanid; - $this->db->query($sql); + $this->db->where('user_id', $user_id); + $this->db->update('label_types', array('useforprint' => 0)); + + $this->db->where('user_id', $user_id); + $this->db->where('id', $cleanid); + $this->db->update('label_types', array('useforprint' => 1)); } function export_printrequested($station_id = NULL) { diff --git a/application/models/Logbook_model.php b/application/models/Logbook_model.php index e9d894d76..e4f18122b 100755 --- a/application/models/Logbook_model.php +++ b/application/models/Logbook_model.php @@ -4313,14 +4313,20 @@ function import($record, $station_id = "0", $skipDuplicate = false, $markClublog $rx_pwr = NULL; } - if (isset($record['a_index'])) { + if (isset($record['a_index']) && $record['a_index'] !== '') { $input_a_index = filter_var($record['a_index'], FILTER_SANITIZE_NUMBER_INT); + if ($input_a_index === '' || $input_a_index === false) { + $input_a_index = NULL; + } } else { $input_a_index = NULL; } - if (isset($record['age'])) { + if (isset($record['age']) && $record['age'] !== '') { $input_age = filter_var($record['age'], FILTER_SANITIZE_NUMBER_INT); + if ($input_age === '' || $input_age === false) { + $input_age = NULL; + } } else { $input_age = NULL; } diff --git a/application/models/Lookup_model.php b/application/models/Lookup_model.php index ff362e6c2..3bc09686f 100644 --- a/application/models/Lookup_model.php +++ b/application/models/Lookup_model.php @@ -1,14 +1,33 @@ normalize_location_list($queryinfo['location_list']); + if ($queryinfo['location_list'] === '') { + return array(); + } $modes = $this->get_worked_modes($queryinfo['location_list']); return $this->getResultFromDatabase($queryinfo, $modes); } function getResultFromDatabase($queryinfo, $modes) { + $resultArray = array(); // Creating an empty array with all the bands and modes from the database foreach ($modes as $mode) { foreach ($queryinfo['bands'] as $band) { @@ -55,6 +74,11 @@ function getResultFromDatabase($queryinfo, $modes) { * Builds query depending on what we are searching for */ function getQueryData($queryinfo, $confirmedtype) { + $location_list = $this->normalize_location_list($queryinfo['location_list']); + if ($location_list === '') { + return array(); + } + $queryinfo['location_list'] = $location_list; // If user inputs longer grid than 4 chars, we use only the first 4 if (strlen($queryinfo['grid']) > 4) { $fixedgrid = substr($queryinfo['grid'], 0, 4); @@ -66,13 +90,13 @@ function getQueryData($queryinfo, $confirmedtype) { $sqlquerytypestring = ''; switch ($queryinfo['type']) { - case 'dxcc': $sqlquerytypestring .= " and col_dxcc = " . $queryinfo['dxcc']; break; - case 'iota': $sqlquerytypestring .= " and col_iota = '" . $queryinfo['iota'] . "'"; break; - case 'vucc': $sqlquerytypestring .= " and (col_gridsquare like '%" . $fixedgrid . "%' or col_vucc_grids like '%" . $fixedgrid . "%')" ; break; - case 'cq': $sqlquerytypestring .= " and col_cqz = " . $queryinfo['cqz']; break; - case 'was': $sqlquerytypestring .= " and col_state = '" . $queryinfo['was'] . "' and COL_DXCC in ('291', '6', '110')";; break; - case 'sota': $sqlquerytypestring .= " and col_sota_ref = '" . $queryinfo['sota'] . "'"; break; - case 'wwff': $sqlquerytypestring .= " and col_sig = 'WWFF' and col_sig_info = '" . $queryinfo['wwff'] . "'"; break; + case 'dxcc': $sqlquerytypestring .= " and col_dxcc = " . (int) $queryinfo['dxcc']; break; + case 'iota': $sqlquerytypestring .= " and col_iota = '" . $this->db->escape_str($queryinfo['iota']) . "'"; break; + case 'vucc': $sqlquerytypestring .= " and (col_gridsquare like '%" . $this->db->escape_like_str($fixedgrid) . "%' or col_vucc_grids like '%" . $this->db->escape_like_str($fixedgrid) . "%')" ; break; + case 'cq': $sqlquerytypestring .= " and col_cqz = " . (int) $queryinfo['cqz']; break; + case 'was': $sqlquerytypestring .= " and col_state = '" . $this->db->escape_str($queryinfo['was']) . "' and COL_DXCC in ('291', '6', '110')";; break; + case 'sota': $sqlquerytypestring .= " and col_sota_ref = '" . $this->db->escape_str($queryinfo['sota']) . "'"; break; + case 'wwff': $sqlquerytypestring .= " and col_sig = 'WWFF' and col_sig_info = '" . $this->db->escape_str($queryinfo['wwff']) . "'"; break; default: break; } @@ -83,7 +107,7 @@ function getQueryData($queryinfo, $confirmedtype) { } // Fetching info for all modes and bands except satellite - $sql = "SELECT distinct col_band, lower(col_mode) as col_mode FROM " . $this->config->item('table_name') . " thcv"; + $sql = "SELECT distinct col_band, lower(col_mode) as col_mode FROM " . $this->config->item('table_name') . " thcv"; $sql .= " where station_id in (" . $queryinfo['location_list'] . ")"; @@ -144,6 +168,10 @@ function getQueryData($queryinfo, $confirmedtype) { */ function get_worked_modes($location_list) { + $location_list = $this->normalize_location_list($location_list); + if ($location_list === '') { + return array(); + } // get all worked modes from database $data = $this->db->query( "SELECT distinct LOWER(`COL_MODE`) as `COL_MODE` FROM `" . $this->config->item('table_name') . "` WHERE station_id in (" . $location_list . ") order by COL_MODE ASC" diff --git a/application/models/Modes.php b/application/models/Modes.php index 66f40ac9b..2faed69ae 100644 --- a/application/models/Modes.php +++ b/application/models/Modes.php @@ -16,8 +16,7 @@ function active() { } function mode($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; $this->db->where('id', $clean_id); @@ -59,16 +58,14 @@ function edit() { } function delete($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; // Delete Mode $this->db->delete('adif_modes', array('id' => $clean_id)); } function activate($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; $data = array( 'active' => '1', @@ -82,8 +79,7 @@ function activate($id) { } function deactivate($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; $data = array( 'active' => '0', diff --git a/application/models/Mostworked_model.php b/application/models/Mostworked_model.php index 96af9cab4..213d70041 100644 --- a/application/models/Mostworked_model.php +++ b/application/models/Mostworked_model.php @@ -16,7 +16,7 @@ function get_most_worked_callsigns($filters = array()) return array(); } - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); // Set defaults $min_qsos = isset($filters['min_qsos']) ? intval($filters['min_qsos']) : 5; @@ -96,7 +96,7 @@ function get_modes() return array(); } - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "SELECT DISTINCT COALESCE(col_submode, col_mode) as mode FROM " . $this->config->item('table_name') . " @@ -123,7 +123,7 @@ function get_satellites() return array(); } - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "SELECT DISTINCT col_sat_name as satellite FROM " . $this->config->item('table_name') . " @@ -150,7 +150,7 @@ function get_bands() return array(); } - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "SELECT DISTINCT col_band as band FROM " . $this->config->item('table_name') . " @@ -201,11 +201,11 @@ function get_callsign_details($callsign) return array(); } - $location_list = "'" . implode("','", $logbooks_locations_array) . "'"; + $location_ids = array_map('intval', $logbooks_locations_array); $this->db->select('col_time_on, col_band, col_mode, col_submode, col_rst_sent, col_rst_rcvd, col_country, col_qsl_sent, col_qsl_rcvd'); $this->db->from($this->config->item('table_name')); - $this->db->where('station_id IN (' . $location_list . ')', NULL, FALSE); + $this->db->where_in('station_id', $location_ids); $this->db->where('col_call', $callsign); $this->db->order_by('col_time_on', 'DESC'); diff --git a/application/models/Oqrs_model.php b/application/models/Oqrs_model.php index ca5d1a9e2..2d62e6081 100644 --- a/application/models/Oqrs_model.php +++ b/application/models/Oqrs_model.php @@ -1,21 +1,34 @@ db->where('oqrs', "1"); return $this->db->get('station_profile'); } function get_station_info($station_id) { - $station_id = $this->security->xss_clean($station_id); + $station_id = (int) $station_id; - $sql = 'select - count(*) as count, - min(col_time_on) as mindate, - max(col_time_on) as maxdate - from ' . $this->config->item('table_name') . ' where station_id = ' . $station_id; - - $query = $this->db->query($sql); + $this->db->select('count(*) as count, min(col_time_on) as mindate, max(col_time_on) as maxdate', false); + $this->db->where('station_id', $station_id); + $query = $this->db->get($this->config->item('table_name')); return $query->row(); } @@ -99,18 +112,26 @@ function getQueryDataGrouped($callsign) { */ function get_worked_modes($station_id) { + $station_id = (int) $station_id; // get all worked modes from database - $data = $this->db->query( - "SELECT distinct LOWER(`COL_MODE`) as `COL_MODE` FROM `" . $this->config->item('table_name') . "` WHERE station_id in (" . $station_id . ") order by COL_MODE ASC" - ); + $this->db->distinct(); + $this->db->select('LOWER(`COL_MODE`) as `COL_MODE`', false); + $this->db->from($this->config->item('table_name')); + $this->db->where('station_id', $station_id); + $this->db->order_by('COL_MODE', 'ASC'); + $data = $this->db->get(); $results = array(); foreach ($data->result() as $row) { array_push($results, $row->COL_MODE); } - $data = $this->db->query( - "SELECT distinct LOWER(`COL_SUBMODE`) as `COL_SUBMODE` FROM `" . $this->config->item('table_name') . "` WHERE station_id in (" . $station_id . ") and coalesce(COL_SUBMODE, '') <> '' order by COL_SUBMODE ASC" - ); + $this->db->distinct(); + $this->db->select('LOWER(`COL_SUBMODE`) as `COL_SUBMODE`', false); + $this->db->from($this->config->item('table_name')); + $this->db->where('station_id', $station_id); + $this->db->where("coalesce(COL_SUBMODE, '') <> ''", NULL, false); + $this->db->order_by('COL_SUBMODE', 'ASC'); + $data = $this->db->get(); foreach ($data->result() as $row) { if (!in_array($row, $results)) { array_push($results, $row->COL_SUBMODE); @@ -121,10 +142,16 @@ function get_worked_modes($station_id) } function getOqrsRequests($location_list) { - // Optimize SELECT to only fetch needed columns - $sql = 'select oqrs.id, oqrs.requestcallsign, oqrs.date, oqrs.time, oqrs.band, oqrs.mode, oqrs.status, oqrs.note, oqrs.email, oqrs.qslroute, station_profile.station_callsign, station_profile.station_profile_name from oqrs join station_profile on oqrs.station_id = station_profile.station_id where oqrs.station_id in (' . $location_list . ')'; + $location_ids = $this->normalize_location_ids($location_list); + if (empty($location_ids)) { + return array(); + } - $query = $this->db->query($sql); + $this->db->select('oqrs.id, oqrs.requestcallsign, oqrs.date, oqrs.time, oqrs.band, oqrs.mode, oqrs.status, oqrs.note, oqrs.email, oqrs.qslroute, station_profile.station_callsign, station_profile.station_profile_name'); + $this->db->from('oqrs'); + $this->db->join('station_profile', 'oqrs.station_id = station_profile.station_id'); + $this->db->where_in('oqrs.station_id', $location_ids); + $query = $this->db->get(); return $query->result(); } @@ -196,11 +223,10 @@ function save_oqrs_request_grouped($postdata) { } function delete_oqrs_line($id) { - $sql = 'delete from oqrs where id =' . xss_clean((intval($id))); - - $query = $this->db->query($sql); + $this->db->where('id', (int) $id); + $this->db->delete('oqrs'); - return true; + return true; } @@ -230,17 +256,21 @@ function save_not_in_log($postdata) { } function check_oqrs($qsodata) { - // Optimize SELECT to only fetch COL_PRIMARY_KEY for matching - $sql = 'select COL_PRIMARY_KEY from ' . $this->config->item('table_name') . - ' where (col_band = \'' . $qsodata['band'] . '\' or col_prop_mode = \'' . $qsodata['band'] . '\') - and col_call = \'' . $qsodata['requestcallsign'] . '\' - and date(col_time_on) = \'' . $qsodata['date'] . '\' - and (col_mode = \'' . $qsodata['mode'] . '\' - or col_submode = \'' . $qsodata['mode'] . '\') - and timediff(time(col_time_on), \'' . $qsodata['time'] . '\') <= 3000 - and station_id = ' . $qsodata['station_id']; - - $query = $this->db->query($sql); + $this->db->select('COL_PRIMARY_KEY'); + $this->db->from($this->config->item('table_name')); + $this->db->group_start(); + $this->db->where('col_band', $qsodata['band']); + $this->db->or_where('col_prop_mode', $qsodata['band']); + $this->db->group_end(); + $this->db->where('col_call', $qsodata['requestcallsign']); + $this->db->where('date(col_time_on)', $qsodata['date']); + $this->db->group_start(); + $this->db->where('col_mode', $qsodata['mode']); + $this->db->or_where('col_submode', $qsodata['mode']); + $this->db->group_end(); + $this->db->where('timediff(time(col_time_on), ' . $this->db->escape($qsodata['time']) . ') <= 3000', NULL, false); + $this->db->where('station_id', (int) $qsodata['station_id']); + $query = $this->db->get(); if ($result = $query->result()) { $id = 0; @@ -271,7 +301,7 @@ function search_log($callsign) { $this->db->join('station_profile', 'station_profile.station_id = '.$this->config->item('table_name').'.station_id'); // always filter user. this ensures that no inaccesible QSOs will be returned $this->db->where('station_profile.user_id', $this->session->userdata('user_id')); - $this->db->where('COL_CALL like "%'.$callsign.'%"'); + $this->db->like('COL_CALL', $callsign); $this->db->order_by("COL_TIME_ON", "ASC"); $query = $this->db->get($this->config->item('table_name')); @@ -279,16 +309,22 @@ function search_log($callsign) { } function search_log_time_date($time, $date, $band, $mode) { - // Optimize SELECT to only fetch needed columns - $sql = 'select thcv.COL_PRIMARY_KEY, thcv.COL_CALL, thcv.COL_BAND, thcv.COL_MODE, thcv.COL_TIME_ON, station_profile.station_callsign from ' . $this->config->item('table_name') . ' thcv - join station_profile on thcv.station_id = station_profile.station_id where (col_band = \'' . $band . '\' or col_prop_mode = \'' . $band . '\') - and date(col_time_on) = \'' . $date . '\' - and (col_mode = \'' . $mode . '\' - or col_submode = \'' . $mode . '\') - and timediff(time(col_time_on), \'' . $time . '\') <= 3000 - and station_profile.user_id = '. $this->session->userdata('user_id'); - - return $this->db->query($sql);; + $this->db->select('thcv.COL_PRIMARY_KEY, thcv.COL_CALL, thcv.COL_BAND, thcv.COL_MODE, thcv.COL_TIME_ON, station_profile.station_callsign'); + $this->db->from($this->config->item('table_name') . ' thcv'); + $this->db->join('station_profile', 'thcv.station_id = station_profile.station_id'); + $this->db->group_start(); + $this->db->where('thcv.col_band', $band); + $this->db->or_where('thcv.col_prop_mode', $band); + $this->db->group_end(); + $this->db->where('date(thcv.col_time_on)', $date); + $this->db->group_start(); + $this->db->where('thcv.col_mode', $mode); + $this->db->or_where('thcv.col_submode', $mode); + $this->db->group_end(); + $this->db->where('timediff(time(thcv.col_time_on), ' . $this->db->escape($time) . ') <= 3000', NULL, false); + $this->db->where('station_profile.user_id', (int) $this->session->userdata('user_id')); + + return $this->db->get(); } function mark_oqrs_line_as_done($id) { @@ -302,9 +338,9 @@ function mark_oqrs_line_as_done($id) { } function getQslInfo($station_id) { - $sql = 'select oqrs_text from station_profile where station_id = ' . $station_id; - - $query = $this->db->query($sql); + $this->db->select('oqrs_text'); + $this->db->where('station_id', (int) $station_id); + $query = $this->db->get('station_profile'); if ($query->num_rows() > 0) { @@ -316,9 +352,9 @@ function getQslInfo($station_id) { } function getOqrsEmailSetting($station_id) { - $sql = 'select oqrs_email from station_profile where station_id = ' . $station_id; - - $query = $this->db->query($sql); + $this->db->select('oqrs_email'); + $this->db->where('station_id', (int) $station_id); + $query = $this->db->get('station_profile'); if ($query->num_rows() > 0) { @@ -379,9 +415,14 @@ public function searchOqrs($searchCriteria) : array { } public function oqrs_requests($location_list) { - if ($location_list != "") { - $sql = 'SELECT COUNT(*) AS number FROM oqrs JOIN station_profile ON oqrs.station_id = station_profile.station_id WHERE oqrs.station_id IN ('.$location_list.') AND status < 2'; - $query = $this->db->query($sql); + $location_ids = $this->normalize_location_ids($location_list); + if (!empty($location_ids)) { + $this->db->select('COUNT(*) AS number', false); + $this->db->from('oqrs'); + $this->db->join('station_profile', 'oqrs.station_id = station_profile.station_id'); + $this->db->where_in('oqrs.station_id', $location_ids); + $this->db->where('status <', 2); + $query = $this->db->get(); $row = $query->row(); return $row->number; } else { @@ -390,9 +431,12 @@ public function oqrs_requests($location_list) { } function getOqrsStationsFromSlug($logbook_id) { - $sql = 'SELECT station_callsign FROM `station_logbooks_relationship` JOIN `station_profile` ON station_logbooks_relationship.station_location_id = station_profile.station_id WHERE station_profile.oqrs = 1 AND station_logbook_id = '.$logbook_id.';'; - - $query = $this->db->query($sql); + $this->db->select('station_callsign'); + $this->db->from('station_logbooks_relationship'); + $this->db->join('station_profile', 'station_logbooks_relationship.station_location_id = station_profile.station_id'); + $this->db->where('station_profile.oqrs', 1); + $this->db->where('station_logbook_id', (int) $logbook_id); + $query = $this->db->get(); if ($query->num_rows() > 0) { return true; diff --git a/application/models/Qsl_model.php b/application/models/Qsl_model.php index 9a299170b..3c4e2c9a9 100644 --- a/application/models/Qsl_model.php +++ b/application/models/Qsl_model.php @@ -22,8 +22,7 @@ function getQsoWithQslList() function getQslForQsoId($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; // be sure that QSO belongs to user $CI = &get_instance(); @@ -41,8 +40,7 @@ function getQslForQsoId($id) function saveQsl($qsoid, $filename) { - // Clean ID - $clean_id = $this->security->xss_clean($qsoid); + $clean_id = (int) $qsoid; // be sure that QSO belongs to user and user has write permission $CI = &get_instance(); @@ -63,8 +61,7 @@ function saveQsl($qsoid, $filename) function deleteQsl($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; // be sure that QSO belongs to user and user has write permission $CI = &get_instance(); @@ -83,8 +80,7 @@ function deleteQsl($id) function getFilename($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; // be sure that QSO belongs to user $CI = &get_instance(); @@ -120,7 +116,7 @@ function searchQsos($callsign) function addQsotoQsl($qsoid, $filename) { - $clean_qsoid = $this->security->xss_clean($qsoid); + $clean_qsoid = (int) $qsoid; $clean_filename = $this->security->xss_clean($filename); // be sure that QSO belongs to user diff --git a/application/models/Setup_model.php b/application/models/Setup_model.php index 61fd8790b..80484b667 100644 --- a/application/models/Setup_model.php +++ b/application/models/Setup_model.php @@ -10,37 +10,41 @@ function getCountryCount() { } function getLogbookCount() { - $userid = xss_clean($this->session->userdata('user_id')); + $userid = (int) $this->session->userdata('user_id'); // Count logbooks the user owns OR has been granted permissions to - $sql = "SELECT COUNT(DISTINCT sl.logbook_id) AS count - FROM station_logbooks sl - LEFT JOIN station_logbooks_permissions slp - ON slp.logbook_id = sl.logbook_id AND slp.user_id = {$userid} - WHERE sl.user_id = {$userid} OR slp.user_id = {$userid}"; - $query = $this->db->query($sql); + $this->db->select('COUNT(DISTINCT sl.logbook_id) AS count', false); + $this->db->from('station_logbooks sl'); + $this->db->join('station_logbooks_permissions slp', 'slp.logbook_id = sl.logbook_id AND slp.user_id = '.$this->db->escape($userid), 'left', false); + $this->db->group_start(); + $this->db->where('sl.user_id', $userid); + $this->db->or_where('slp.user_id', $userid); + $this->db->group_end(); + $query = $this->db->get(); return $query->row()->count; } function getLocationCount() { - $userid = xss_clean($this->session->userdata('user_id')); - $sql = 'select count(*) as count from station_profile where user_id =' . $userid; - $query = $this->db->query($sql); + $userid = (int) $this->session->userdata('user_id'); + $this->db->select('count(*) as count', false); + $this->db->where('user_id', $userid); + $query = $this->db->get('station_profile'); return $query->row()->count; } // Consolidated method to get all setup counts in one query function getAllSetupCounts() { - $userid = xss_clean($this->session->userdata('user_id')); + $userid = (int) $this->session->userdata('user_id'); + $userid_escaped = $this->db->escape($userid); $sql = "SELECT (SELECT COUNT(*) FROM dxcc_entities) as country_count, (SELECT COUNT(DISTINCT sl.logbook_id) FROM station_logbooks sl LEFT JOIN station_logbooks_permissions slp - ON slp.logbook_id = sl.logbook_id AND slp.user_id = {$userid} - WHERE sl.user_id = {$userid} OR slp.user_id = {$userid}) as logbook_count, - (SELECT COUNT(*) FROM station_profile WHERE user_id = {$userid}) as location_count"; + ON slp.logbook_id = sl.logbook_id AND slp.user_id = {$userid_escaped} + WHERE sl.user_id = {$userid_escaped} OR slp.user_id = {$userid_escaped}) as logbook_count, + (SELECT COUNT(*) FROM station_profile WHERE user_id = {$userid_escaped}) as location_count"; $query = $this->db->query($sql); $row = $query->row(); diff --git a/application/models/Sig.php b/application/models/Sig.php index e43ddc8fb..a347f6c40 100644 --- a/application/models/Sig.php +++ b/application/models/Sig.php @@ -1,6 +1,20 @@ normalize_location_list($logbooks_locations_array); $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('sig'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; // Build dynamic WHERE clause for filters $where_clause = " where col_sig <> '' and station_id in (" . $location_list . ") and col_band in (" . $bandslots_list . ")"; if (!empty($filters['band']) && strtolower($filters['band']) !== 'all') { - $where_clause .= " and LOWER(col_band) = '" . strtolower($filters['band']) . "'"; + $where_clause .= " and LOWER(col_band) = '" . $this->db->escape_str(strtolower($filters['band'])) . "'"; } if (!empty($filters['mode']) && strtolower($filters['mode']) !== 'all') { - $where_clause .= " and LOWER(col_mode) = '" . strtolower($filters['mode']) . "'"; + $where_clause .= " and LOWER(col_mode) = '" . $this->db->escape_str(strtolower($filters['mode'])) . "'"; } if (!empty($filters['confirmed_only']) && ($filters['confirmed_only'] === true || $filters['confirmed_only'] === 'true' || $filters['confirmed_only'] === 1 || $filters['confirmed_only'] === '1')) { @@ -88,21 +102,21 @@ function get_confirmed_sig_refs($type, $filters = array()) { return 0; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = $this->normalize_location_list($logbooks_locations_array); $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('sig'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $where_clause = " where col_sig = '" . $this->db->escape_str($type) . "' and station_id in (" . $location_list . ") and col_band in (" . $bandslots_list . ")"; $where_clause .= " and (COL_QSL_RCVD = 'Y' OR COL_EQSL_QSL_RCVD = 'Y' OR COL_LOTW_QSL_RCVD = 'Y')"; if (!empty($filters['band']) && strtolower($filters['band']) !== 'all') { - $where_clause .= " and LOWER(col_band) = '" . strtolower($filters['band']) . "'"; + $where_clause .= " and LOWER(col_band) = '" . $this->db->escape_str(strtolower($filters['band'])) . "'"; } if (!empty($filters['mode']) && strtolower($filters['mode']) !== 'all') { - $where_clause .= " and LOWER(col_mode) = '" . strtolower($filters['mode']) . "'"; + $where_clause .= " and LOWER(col_mode) = '" . $this->db->escape_str(strtolower($filters['mode'])) . "'"; } $sql = "select count(distinct col_sig_info) as confirmed_refs from " . $this->config->item('table_name') . $where_clause; @@ -124,20 +138,20 @@ function get_worked_sig_refs($type, $filters = array()) { return 0; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = $this->normalize_location_list($logbooks_locations_array); $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('sig'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $where_clause = " where col_sig = '" . $this->db->escape_str($type) . "' and station_id in (" . $location_list . ") and col_band in (" . $bandslots_list . ")"; if (!empty($filters['band']) && strtolower($filters['band']) !== 'all') { - $where_clause .= " and LOWER(col_band) = '" . strtolower($filters['band']) . "'"; + $where_clause .= " and LOWER(col_band) = '" . $this->db->escape_str(strtolower($filters['band'])) . "'"; } if (!empty($filters['mode']) && strtolower($filters['mode']) !== 'all') { - $where_clause .= " and LOWER(col_mode) = '" . strtolower($filters['mode']) . "'"; + $where_clause .= " and LOWER(col_mode) = '" . $this->db->escape_str(strtolower($filters['mode'])) . "'"; } $sql = "select count(distinct col_sig_info) as worked_refs from " . $this->config->item('table_name') . $where_clause; @@ -159,7 +173,7 @@ function get_worked_modes() { return array(); } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = $this->normalize_location_list($logbooks_locations_array); // Get distinct modes from SIG QSOs $sql = "SELECT DISTINCT UPPER(COL_MODE) as COL_MODE FROM " . $this->config->item('table_name') . diff --git a/application/models/Sstv_model.php b/application/models/Sstv_model.php index cd8ef0a1c..c18e41807 100644 --- a/application/models/Sstv_model.php +++ b/application/models/Sstv_model.php @@ -4,8 +4,7 @@ class Sstv_model extends CI_Model function saveSstvImages($qsoid, $filename) { - // Clean ID - $clean_id = $this->security->xss_clean($qsoid); + $clean_id = (int) $qsoid; // be sure that QSO belongs to user and user has write permission $CI = &get_instance(); @@ -26,8 +25,7 @@ function saveSstvImages($qsoid, $filename) function getSSTVFilename($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; // be sure that QSO belongs to user $CI = &get_instance(); @@ -50,8 +48,7 @@ function getSSTVFilename($id) function deleteSstv($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; // be sure that QSO belongs to user and user has write permission $CI = &get_instance(); @@ -71,8 +68,7 @@ function deleteSstv($id) function getSstvForQsoId($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); + $clean_id = (int) $id; // be sure that QSO belongs to user $CI = &get_instance(); diff --git a/application/models/Themes_model.php b/application/models/Themes_model.php index 5db6f37a6..ca9dbf108 100644 --- a/application/models/Themes_model.php +++ b/application/models/Themes_model.php @@ -28,12 +28,10 @@ function add() { function theme($id) { - // Clean ID - $clean_id = $this->security->xss_clean($id); - - $sql = "SELECT * FROM themes where id =" . $clean_id; + $clean_id = (int) $id; - $data = $this->db->query($sql); + $this->db->where('id', $clean_id); + $data = $this->db->get('themes'); return ($data->row()); } diff --git a/application/models/Timeline_model.php b/application/models/Timeline_model.php index 328f02db4..753498026 100644 --- a/application/models/Timeline_model.php +++ b/application/models/Timeline_model.php @@ -3,6 +3,38 @@ class Timeline_model extends CI_Model { + private function normalize_location_list($location_list) { + if (is_array($location_list)) { + return implode(',', array_map('intval', $location_list)); + } + $parts = explode(',', (string) $location_list); + $ids = array(); + foreach ($parts as $part) { + $trimmed = trim($part, " \t\n\r\0\x0B'\""); + if (is_numeric($trimmed)) { + $ids[] = (int) $trimmed; + } + } + return implode(',', array_values(array_unique($ids))); + } + + private function add_band_mode_filters($band, $mode) { + $sql = ''; + if ($band != 'All') { + $safeBand = $this->db->escape_str($band); + if ($band == 'SAT') { + $sql .= " and col_prop_mode ='" . $safeBand . "'"; + } else { + $sql .= " and col_prop_mode !='SAT'"; + $sql .= " and col_band ='" . $safeBand . "'"; + } + } + if ($mode != 'All') { + $sql .= " and col_mode ='" . $this->db->escape_str($mode) . "'"; + } + return $sql; + } + function get_timeline($band, $mode, $award, $qsl, $lotw, $eqsl) { $CI =& get_instance(); $CI->load->model('logbooks_model'); @@ -12,9 +44,10 @@ function get_timeline($band, $mode, $award, $qsl, $lotw, $eqsl) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = $this->normalize_location_list($logbooks_locations_array); - switch ($award) { + $result = array(); + switch ($award) { case 'dxcc': $result = $this->get_timeline_dxcc($band, $mode, $location_list, $qsl, $lotw, $eqsl); break; case 'was': $result = $this->get_timeline_was($band, $mode, $location_list, $qsl, $lotw, $eqsl); break; case 'iota': $result = $this->get_timeline_iota($band, $mode, $location_list, $qsl, $lotw, $eqsl); break; @@ -26,24 +59,16 @@ function get_timeline($band, $mode, $award, $qsl, $lotw, $eqsl) { } public function get_timeline_dxcc($band, $mode, $location_list, $qsl, $lotw, $eqsl) { + $location_list = $this->normalize_location_list($location_list); + if ($location_list === '') { + return array(); + } $sql = "select min(date(COL_TIME_ON)) date, prefix, col_country, end, adif from " .$this->config->item('table_name'). " thcv join dxcc_entities on thcv.col_dxcc = dxcc_entities.adif where station_id in (" . $location_list . ")"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } - else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } - - if ($mode != 'All') { - $sql .= " and col_mode ='" . $mode . "'"; - } + $sql .= $this->add_band_mode_filters($band, $mode); $sql .= $this->addQslToQuery($qsl, $lotw, $eqsl); @@ -56,23 +81,15 @@ public function get_timeline_dxcc($band, $mode, $location_list, $qsl, $lotw, $eq } public function get_timeline_was($band, $mode, $location_list, $qsl, $lotw, $eqsl) { + $location_list = $this->normalize_location_list($location_list); + if ($location_list === '') { + return array(); + } $sql = "select min(date(COL_TIME_ON)) date, col_state from " .$this->config->item('table_name'). " thcv where station_id in (" . $location_list . ")"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } - else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } - - if ($mode != 'All') { - $sql .= " and col_mode ='" . $mode . "'"; - } + $sql .= $this->add_band_mode_filters($band, $mode); $sql .= " and COL_DXCC in ('291', '6', '110')"; $sql .= " and COL_STATE in ('AK','AL','AR','AZ','CA','CO','CT','DE','FL','GA','HI','IA','ID','IL','IN','KS','KY','LA','MA','MD','ME','MI','MN','MO','MS','MT','NC','ND','NE','NH','NJ','NM','NV','NY','OH','OK','OR','PA','RI','SC','SD','TN','TX','UT','VA','VT','WA','WI','WV','WY')"; @@ -88,24 +105,16 @@ public function get_timeline_was($band, $mode, $location_list, $qsl, $lotw, $eqs } public function get_timeline_iota($band, $mode, $location_list, $qsl, $lotw, $eqsl) { + $location_list = $this->normalize_location_list($location_list); + if ($location_list === '') { + return array(); + } $sql = "select min(date(COL_TIME_ON)) date, col_iota, name, prefix from " .$this->config->item('table_name'). " thcv join iota on thcv.col_iota = iota.tag where station_id in (" . $location_list . ")"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } - else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } - - if ($mode != 'All') { - $sql .= " and col_mode ='" . $mode . "'"; - } + $sql .= $this->add_band_mode_filters($band, $mode); $sql .= $this->addQslToQuery($qsl, $lotw, $eqsl); @@ -118,23 +127,15 @@ public function get_timeline_iota($band, $mode, $location_list, $qsl, $lotw, $eq } public function get_timeline_waz($band, $mode, $location_list, $qsl, $lotw, $eqsl) { + $location_list = $this->normalize_location_list($location_list); + if ($location_list === '') { + return array(); + } $sql = "select min(date(COL_TIME_ON)) date, col_cqz from " .$this->config->item('table_name'). " thcv where station_id in (" . $location_list . ")"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } - else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } - - if ($mode != 'All') { - $sql .= " and col_mode ='" . $mode . "'"; - } + $sql .= $this->add_band_mode_filters($band, $mode); $sql .= $this->addQslToQuery($qsl, $lotw, $eqsl); @@ -181,24 +182,16 @@ function addQslToQuery($qsl, $lotw, $eqsl) { } public function get_timeline_vucc3($band, $mode, $location_list, $qsl, $lotw, $eqsl) { + $location_list = $this->normalize_location_list($location_list); + if ($location_list === '') { + return array(); + } // $sql = "select min(date(COL_TIME_ON)) date, col_gridsquare from " $sql = "select min(date(COL_TIME_ON)) date, upper(substring(col_gridsquare, 1, 4)) gridsquare from " .$this->config->item('table_name'). " thcv where station_id in (" . $location_list . ")"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } - else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } - - if ($mode != 'All') { - $sql .= " and col_mode ='" . $mode . "'"; - } + $sql .= $this->add_band_mode_filters($band, $mode); $sql .= $this->addQslToQuery($qsl, $lotw, $eqsl); @@ -206,7 +199,9 @@ public function get_timeline_vucc3($band, $mode, $location_list, $qsl, $lotw, $e order by date desc"; $query = $this->db->query($sql); - $this->vucc_shit($band, $mode, $location_list, $qsl, $lotw, $eqsl); + if (method_exists($this, 'vucc_shit')) { + $this->vucc_shit($band, $mode, $location_list, $qsl, $lotw, $eqsl); + } return $query->result(); } @@ -279,24 +274,16 @@ public function get_timeline_vucc($band, $mode, $location_list, $qsl, $lotw, $eq } public function get_gridsquare($band, $mode, $location_list, $qsl, $lotw, $eqsl) { + $location_list = $this->normalize_location_list($location_list); + if ($location_list === '') { + return array(); + } // $sql = "select min(date(COL_TIME_ON)) date, col_gridsquare from " $sql = "select min(COL_TIME_ON) date, upper(substring(col_gridsquare, 1, 4)) gridsquare from " .$this->config->item('table_name'). " thcv where station_id in (" . $location_list . ")"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } - else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } - - if ($mode != 'All') { - $sql .= " and col_mode ='" . $mode . "'"; - } + $sql .= $this->add_band_mode_filters($band, $mode); $sql .= $this->addQslToQuery($qsl, $lotw, $eqsl); @@ -309,24 +296,16 @@ public function get_gridsquare($band, $mode, $location_list, $qsl, $lotw, $eqsl) } public function get_vucc_grids($band, $mode, $location_list, $qsl, $lotw, $eqsl) { + $location_list = $this->normalize_location_list($location_list); + if ($location_list === '') { + return array(); + } // $sql = "select min(date(COL_TIME_ON)) date, col_gridsquare from " $sql = "select COL_TIME_ON date, upper(col_vucc_grids) gridsquare from " .$this->config->item('table_name'). " thcv where station_id in (" . $location_list . ")"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } - else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } - - if ($mode != 'All') { - $sql .= " and col_mode ='" . $mode . "'"; - } + $sql .= $this->add_band_mode_filters($band, $mode); $sql .= $this->addQslToQuery($qsl, $lotw, $eqsl); diff --git a/application/models/User_model.php b/application/models/User_model.php index 1912cf832..3830973cc 100644 --- a/application/models/User_model.php +++ b/application/models/User_model.php @@ -99,9 +99,11 @@ function get_user_email_by_id($id) { } function hasQrzKey($user_id) { + $user_id = (int) $user_id; $this->db->where('station_profile.qrzapikey is not null'); $this->db->where('station_profile.qrzapikey != ""'); - $this->db->join('station_profile', 'station_profile.user_id = '.$user_id); + $this->db->join('station_profile', 'station_profile.user_id = '.$this->config->item('auth_table').'.user_id'); + $this->db->where('station_profile.user_id', $user_id); $query = $this->db->get($this->config->item('auth_table')); $ret = $query->row(); @@ -113,7 +115,7 @@ function hasQrzKey($user_id) { } function get_email_address($station_id) { - $this->db->where('station_id', $station_id); + $this->db->where('station_id', (int) $station_id); $this->db->join('station_profile', 'station_profile.user_id = '.$this->config->item('auth_table').'.user_id'); $query = $this->db->get($this->config->item('auth_table')); @@ -540,23 +542,35 @@ function update_session($id) { // If the user's session is corrupted in any way, it will clear the session function validate_session() { - if($this->session->userdata('user_id')) - { - $user_id = $this->session->userdata('user_id'); - $user_type = $this->session->userdata('user_type'); - $user_hash = $this->session->userdata('user_hash'); + if (!$this->session->userdata('user_id')) { + return 0; + } - if($this->_auth($user_id."-".$user_type, $user_hash)) { - // Freshen the session - $this->update_session($user_id); - return 1; - } else { - $this->clear_session(); - return 0; - } - } else { + $user_id = $this->session->userdata('user_id'); + $user_hash = $this->session->userdata('user_hash'); + + if (empty($user_hash)) { + $this->clear_session(); return 0; } + + // Re-read the user from the database and validate against persisted state. + $u = $this->get_by_id($user_id); + if ($u->num_rows() !== 1) { + $this->clear_session(); + return 0; + } + + $db_user_type = $u->row()->user_type; + + if ($this->_auth($user_id."-".$db_user_type, $user_hash)) { + // Freshen the session + $this->update_session($user_id); + return 1; + } + + $this->clear_session(); + return 0; } // FUNCTION: bool authenticate($username, $password) diff --git a/application/models/Vucc.php b/application/models/Vucc.php index 1d67bc3a2..5103edef3 100644 --- a/application/models/Vucc.php +++ b/application/models/Vucc.php @@ -108,7 +108,7 @@ function get_vucc_summary_col_vucc($band, $confirmationMethod) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "select col_vucc_grids from " . $this->config->item('table_name') . @@ -125,14 +125,7 @@ function get_vucc_summary_col_vucc($band, $confirmationMethod) { $sql .= " and col_lotw_qsl_rcvd='Y'"; } - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } + $sql .= $this->addBandToQuery($band, false); $query = $this->db->query($sql); return $query->result_array(); @@ -152,7 +145,7 @@ function get_vucc_summary($band, $confirmationMethod) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $sql = "select distinct upper(substring(log.col_gridsquare, 1, 4)) gridsquare from " . $this->config->item('table_name') . " log". @@ -172,16 +165,7 @@ function get_vucc_summary($band, $confirmationMethod) { $sql .= " and log.col_lotw_qsl_rcvd='Y'"; } - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and log.col_prop_mode ='" . $band . "'"; - } else { - $sql .= " and log.col_prop_mode !='SAT'"; - $sql .= " and log.col_band ='" . $band . "'"; - } - } else { - $sql .= " and log.col_prop_mode !='SAT'"; - } + $sql .= $this->addBandToQuery($band, true); $query = $this->db->query($sql); return $query->result_array(); @@ -334,6 +318,18 @@ function getWorkedGridsList($band, $confirmationMethod) { return $workedGridArray; } + private function addBandToQuery($band, $withLogPrefix) { + $prefix = $withLogPrefix ? 'log.' : ''; + if ($band == 'All') { + return " and " . $prefix . "col_prop_mode !='SAT'"; + } + $safeBand = $this->db->escape_str($band); + if ($band == 'SAT') { + return " and " . $prefix . "col_prop_mode ='" . $safeBand . "'"; + } + return " and " . $prefix . "col_prop_mode !='SAT' and " . $prefix . "col_band ='" . $safeBand . "'"; + } + /* * Builds the array to display worked/confirmed vucc on dashboard page */ diff --git a/application/models/Waja.php b/application/models/Waja.php index 592cd9b48..ae21d9419 100644 --- a/application/models/Waja.php +++ b/application/models/Waja.php @@ -62,7 +62,7 @@ function get_waja_array($bands, $postdata) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $wajaArray = explode(',', $this->prefectureString); @@ -150,9 +150,7 @@ function getWajaBandConfirmed($location_list, $band, $postdata) { $sql .= $this->addBandToQuery($band); - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addQslToQuery($postdata); @@ -179,9 +177,7 @@ function getWajaBandWorked($location_list, $band, $postdata) { $sql .= $this->addBandToQuery($band); - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= " group by col_dxcc ) x on dxcc_entities.adif = x.col_dxcc";; @@ -200,16 +196,25 @@ function getWajaBandWorked($location_list, $band, $postdata) { function addBandToQuery($band) { $sql = ''; if ($band != 'All') { + $safeBand = $this->db->escape_str($band); if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; + $sql .= " and col_prop_mode ='" . $safeBand . "'"; } else { $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; + $sql .= " and col_band ='" . $safeBand . "'"; } } return $sql; } + function addModeToQuery($mode) { + if ($mode == 'All') { + return ''; + } + $safeMode = $this->db->escape_str($mode); + return " and (col_mode = '" . $safeMode . "' or col_submode = '" . $safeMode . "')"; + } + /* * Function returns all worked, but not confirmed states * $postdata contains data from the form, in this case Lotw or QSL are used @@ -218,9 +223,7 @@ function getWajaWorked($location_list, $band, $postdata) { $sql = "SELECT distinct LPAD(col_state, 2, '0') AS col_state FROM " . $this->config->item('table_name') . " thcv where station_id in (" . $location_list . ")"; - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addStateToQuery(); @@ -230,9 +233,7 @@ function getWajaWorked($location_list, $band, $postdata) { " where station_id in (". $location_list . ")" . " and col_state = thcv.col_state"; - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addBandToQuery($band); @@ -255,9 +256,7 @@ function getWajaConfirmed($location_list, $band, $postdata) { $sql = "SELECT distinct LPAD(col_state, 2, '0') AS col_state FROM " . $this->config->item('table_name') . " thcv where station_id in (" . $location_list . ")"; - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addStateToQuery(); @@ -305,7 +304,7 @@ function get_waja_summary($bands, $postdata) return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); foreach ($bands as $band) { $worked = $this->getSummaryByBand($band, $postdata, $location_list); @@ -330,23 +329,21 @@ function getSummaryByBand($band, $postdata, $location_list) $sql .= " where station_id in (" . $location_list . ")"; if ($band == 'SAT') { - $sql .= " and thcv.col_prop_mode ='" . $band . "'"; + $sql .= " and thcv.col_prop_mode ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('waja'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $sql .= " and (thcv.col_band in (" . $bandslots_list . ") or thcv.col_prop_mode ='SAT')"; } else { $sql .= " and thcv.col_prop_mode !='SAT'"; - $sql .= " and thcv.col_band ='" . $band . "'"; + $sql .= " and thcv.col_band ='" . $this->db->escape_str($band) . "'"; } - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addStateToQuery(); @@ -362,23 +359,21 @@ function getSummaryByBandConfirmed($band, $postdata, $location_list) $sql .= " where station_id in (" . $location_list . ")"; if ($band == 'SAT') { - $sql .= " and thcv.col_prop_mode ='" . $band . "'"; + $sql .= " and thcv.col_prop_mode ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('waja'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $sql .= " and (thcv.col_band in (" . $bandslots_list . ") or thcv.col_prop_mode ='SAT')"; } else { $sql .= " and thcv.col_prop_mode !='SAT'"; - $sql .= " and thcv.col_band ='" . $band . "'"; + $sql .= " and thcv.col_band ='" . $this->db->escape_str($band) . "'"; } - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addQslToQuery($postdata); diff --git a/application/models/Was.php b/application/models/Was.php index f53e8638f..1cec90e5d 100644 --- a/application/models/Was.php +++ b/application/models/Was.php @@ -13,7 +13,7 @@ function get_was_array($bands, $postdata) { return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); $stateArray = explode(',', $this->stateString); @@ -103,7 +103,7 @@ function get_was_summary($bands, $postdata) return null; } - $location_list = "'".implode("','",$logbooks_locations_array)."'"; + $location_list = implode(',', array_map('intval', $logbooks_locations_array)); foreach ($bands as $band) { $worked = $this->getSummaryByBand($band, $postdata, $location_list); @@ -128,24 +128,22 @@ function getSummaryByBand($band, $postdata, $location_list) $sql .= " where station_id in (" . $location_list . ")"; if ($band == 'SAT') { - $sql .= " and thcv.col_prop_mode ='" . $band . "'"; + $sql .= " and thcv.col_prop_mode ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('was'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $sql .= " and thcv.col_band in (" . $bandslots_list . ")" . " and thcv.col_prop_mode !='SAT'"; } else { $sql .= " and thcv.col_prop_mode !='SAT'"; - $sql .= " and thcv.col_band ='" . $band . "'"; + $sql .= " and thcv.col_band ='" . $this->db->escape_str($band) . "'"; } - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addStateToQuery(); @@ -161,24 +159,22 @@ function getSummaryByBandConfirmed($band, $postdata, $location_list) $sql .= " where station_id in (" . $location_list . ")"; if ($band == 'SAT') { - $sql .= " and thcv.col_prop_mode ='" . $band . "'"; + $sql .= " and thcv.col_prop_mode ='" . $this->db->escape_str($band) . "'"; } else if ($band == 'All') { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('was'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $sql .= " and thcv.col_band in (" . $bandslots_list . ")" . " and thcv.col_prop_mode !='SAT'"; } else { $sql .= " and thcv.col_prop_mode !='SAT'"; - $sql .= " and thcv.col_band ='" . $band . "'"; + $sql .= " and thcv.col_band ='" . $this->db->escape_str($band) . "'"; } - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addQslToQuery($postdata); @@ -197,9 +193,7 @@ function getWasWorked($location_list, $band, $postdata) { $sql = "SELECT distinct col_state FROM " . $this->config->item('table_name') . " thcv where station_id in (" . $location_list . ")"; - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addStateToQuery(); @@ -209,9 +203,7 @@ function getWasWorked($location_list, $band, $postdata) { " where station_id in (". $location_list . ")" . " and col_state = thcv.col_state"; - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addBandToQuery($band); @@ -234,9 +226,7 @@ function getWasConfirmed($location_list, $band, $postdata) { $sql = "SELECT distinct col_state FROM " . $this->config->item('table_name') . " thcv where station_id in (" . $location_list . ")"; - if ($postdata['mode'] != 'All') { - $sql .= " and (col_mode = '" . $postdata['mode'] . "' or col_submode = '" . $postdata['mode'] . "')"; - } + $sql .= $this->addModeToQuery($postdata['mode']); $sql .= $this->addStateToQuery(); @@ -272,18 +262,19 @@ function addQslToQuery($postdata) { function addBandToQuery($band) { $sql = ''; if ($band != 'All') { + $safeBand = $this->db->escape_str($band); if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; + $sql .= " and col_prop_mode ='" . $safeBand . "'"; } else { $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; + $sql .= " and col_band ='" . $safeBand . "'"; } } else { $this->load->model('bands'); $bandslots = $this->bands->get_worked_bands('was'); - $bandslots_list = "'".implode("','",$bandslots)."'"; + $bandslots_list = "'".implode("','", array_map(array($this->db, 'escape_str'), $bandslots))."'"; $sql .= " and col_band in (" . $bandslots_list . ")" . " and col_prop_mode !='SAT'"; @@ -291,6 +282,14 @@ function addBandToQuery($band) { return $sql; } + function addModeToQuery($mode) { + if ($mode == 'All') { + return ''; + } + $safeMode = $this->db->escape_str($mode); + return " and (col_mode = '" . $safeMode . "' or col_submode = '" . $safeMode . "')"; + } + function addStateToQuery() { $sql = ''; $sql .= " and COL_DXCC in ('291', '6', '110')"; diff --git a/application/views/interface_assets/footer.php b/application/views/interface_assets/footer.php index a9b8c4c68..1417ced15 100644 --- a/application/views/interface_assets/footer.php +++ b/application/views/interface_assets/footer.php @@ -2364,6 +2364,9 @@ function getUTCDateStamp(el) { let lastSuccessfulCatUpdateAt = null; let lockSatelliteFieldsToUserInput = false; + window.cloudlogLastCatData = null; + window.cloudlogLastCatRadioId = null; + const CAT_POLL_BASE_INTERVAL_MS = 3000; const CAT_POLL_MAX_INTERVAL_MS = 15000; const CAT_POLL_WARNING_THRESHOLD = 3; @@ -2418,6 +2421,8 @@ function getUTCDateStamp(el) { clearLoginError(); handleCATPollSuccess(); + window.cloudlogLastCatData = data || null; + window.cloudlogLastCatRadioId = requestedRadioID; updateUIWithCATData(data); }, error: () => { @@ -2616,6 +2621,8 @@ function getUTCDateStamp(el) { // Reset UI when no radio is selected const resetUI = () => { lockSatelliteFieldsToUserInput = false; + window.cloudlogLastCatData = null; + window.cloudlogLastCatRadioId = null; $("#sat_name, #sat_mode, #frequency, #frequency_rx, #band_rx").val(""); $("#selectPropagation").val($("#selectPropagation option:first").val()); // Clear CAT value cache so re-selecting a radio with identical values still repopulates fields. diff --git a/application/views/qso/components/previous_contacts.php b/application/views/qso/components/previous_contacts.php index 22b1d8f6f..2bde1e3fc 100644 --- a/application/views/qso/components/previous_contacts.php +++ b/application/views/qso/components/previous_contacts.php @@ -50,16 +50,20 @@ 1): ?> +lang->line('general_word_previous', false) ?: 'Previous'; + $next_label = $this->lang->line('general_word_next', false) ?: 'Next'; +?>