added SQL injection prevention layers

This commit is contained in:
DB4SCW
2024-07-30 15:15:23 +00:00
parent c32d48f22f
commit 209424722b
2 changed files with 12 additions and 1 deletions


@@ -273,6 +273,17 @@ class API extends CI_Controller {
$station_id = $obj['station_id'];
$goalpost = $obj['goalpost'];
//check if goalpost is numeric as an additional layer of SQL injection prevention
if(!is_numeric($goalpost))
{
http_response_code(400);
echo json_encode(['status' => 'failed', 'reason' => "Invalid goalpost."]);
return;
}
//make sure the goalpost is an integer
$goalpost = (int)$goalpost;
//load stations API
$this->load->model('stations');
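Review bot: The new `is_numeric` guard admits values such as `"1.5"`, `"1e3"` and `" 7"`, which the `(int)` cast that follows silently reshapes into a different goalpost rather than rejecting; `filter_var` with `FILTER_VALIDATE_INT` expresses the intended contract (an integer primary key) directly. Replacing the two steps with `$goalpost = filter_var($obj['goalpost'] ?? null, FILTER_VALIDATE_INT);` and testing `if ($goalpost === false)` keeps the 400 path and also covers a missing key without a notice. The comment should then say that the real injection defence is the bound value in the model's `where()` call and that this check only pins the type, e.g. `// validate as a strict integer; the model binds the value, this only narrows the type`. The enclosing controller method starts and ends outside the hunk.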


@@ -142,7 +142,7 @@ class adif_data extends CI_Model {
$this->db->select(''.$this->config->item('table_name').'.*, station_profile.*, dxcc_entities.name as station_country');
$this->db->from($this->config->item('table_name'));
$this->db->where($this->config->item('table_name').'.station_id', $station_id);
$this->db->where($this->config->item('table_name').".COL_PRIMARY_KEY > " . $goalpost); //only get values past the goalpost
$this->db->where($this->config->item('table_name').".COL_PRIMARY_KEY > " , $goalpost); //only get values past the goalpost
$this->db->order_by($this->config->item('table_name').".COL_TIME_ON", "ASC");
$this->db->join('station_profile', 'station_profile.station_id = '.$this->config->item('table_name').'.station_id');
$this->db->join('dxcc_entities', 'station_profile.station_dxcc = dxcc_entities.adif', 'left outer');
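Review bot: The model now depends on its caller having cast `$goalpost` to an integer, but the method can be reached from callers other than the API controller, so the value should be narrowed here as well: `$this->db->where($this->config->item('table_name').".COL_PRIMARY_KEY >", (int) $goalpost); //only get values past the goalpost`. Passing the value as the second argument does route it through the query builder's escaping, which is the substantive fix; the local cast makes the model self-protecting regardless of caller. The trailing space inside the key string (`"> "`) is presumably tolerated by the builder's operator detection, but it is easy to drop and worth checking. The enclosing method's signature is outside the hunk; a `@param int $goalpost` docblock there would document the contract.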