From 209424722b0df500908de775f1333f557c1cc1a5 Mon Sep 17 00:00:00 2001
From: DB4SCW
Date: Tue, 30 Jul 2024 15:15:23 +0000
Subject: [PATCH] added SQL injection prevention layers

---
 application/controllers/Api.php | 11 +++++++++++
 application/models/Adif_data.php | 2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/application/controllers/Api.php b/application/controllers/Api.php
index def714896..063054aef 100644
--- a/application/controllers/Api.php
+++ b/application/controllers/Api.php
@@ -273,6 +273,17 @@ class API extends CI_Controller {
 $station_id = $obj['station_id'];
 $goalpost = $obj['goalpost'];
+ //check if goalpost is numeric as an additional layer of SQL injection prevention
+ if(!is_numeric($goalpost))
+ {
+ http_response_code(400);
+ echo json_encode(['status' => 'failed', 'reason' => "Invalid goalpost."]);
+ return;
+ }
+
+ //make sure the goalpost is an integer
+ $goalpost = (int)$goalpost;
+
 //load stations API
 $this->load->model('stations');

diff --git a/application/models/Adif_data.php b/application/models/Adif_data.php
index 6a5691df5..5e120b89a 100644
--- a/application/models/Adif_data.php
+++ b/application/models/Adif_data.php
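Review bot: The new `is_numeric($goalpost)` guard accepts values that are not integers — `"1.9"`, `"1e3"`, `" 7"` and negatives all pass — and the `(int)` cast that follows then silently truncates or rescales them, so a malformed goalpost is accepted rather than rejected with the 400 the block intends. Validating as an integer in one step is tighter and keeps the existing 400 branch: `$goalpost = filter_var($goalpost, FILTER_VALIDATE_INT);` followed by `if ($goalpost === false) {`, optionally with `['options' => ['min_range' => 0]]` if a negative goalpost is never meaningful, which I cannot tell from the hunk. The enclosing method starts and ends outside the hunk, so whether `$obj['goalpost']` is guaranteed to be present before this point is not visible; if it can be absent, reading it as `$obj['goalpost'] ?? null` on the line above the added block avoids the undefined-index notice and still lands in the 400 branch.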
@@ -142,7 +142,7 @@ class adif_data extends CI_Model {
 $this->db->select(''.$this->config->item('table_name').'.*, station_profile.*, dxcc_entities.name as station_country');
 $this->db->from($this->config->item('table_name'));
 $this->db->where($this->config->item('table_name').'.station_id', $station_id);
- $this->db->where($this->config->item('table_name').".COL_PRIMARY_KEY > " . $goalpost); //only get values past the goalpost
+ $this->db->where($this->config->item('table_name').".COL_PRIMARY_KEY > " , $goalpost); //only get values past the goalpost
 $this->db->order_by($this->config->item('table_name').".COL_TIME_ON", "ASC");
 $this->db->join('station_profile', 'station_profile.station_id = '.$this->config->item('table_name').'.station_id');
 $this->db->join('dxcc_entities', 'station_profile.station_dxcc = dxcc_entities.adif', 'left outer');
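Review bot: The model still hands `$goalpost` to the query builder unchanged, so it now relies on the controller in Api.php having cast it to an int first; any other caller of this method that skips that step falls back to the query builder's value escaping as the only barrier. Since the comparison is against a primary key, casting at this layer as well costs nothing: `$this->db->where($this->config->item('table_name').'.COL_PRIMARY_KEY >', (int) $goalpost);` — the trailing space after `>` in the key can be dropped too, as the builder parses the operator from the key. The enclosing method's signature is outside the hunk; if it is changed to declare the parameter as `int`, the cast becomes unnecessary.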