From afefae9829d123dc887322c0f7c902393a247517 Mon Sep 17 00:00:00 2001 From: HB9HIL Date: Mon, 16 Mar 2026 00:41:20 +0100 Subject: [PATCH 1/7] fixed old vulnerabilities and improved readability --- application/models/User_model.php | 114 ++++++++++++++++++------------ 1 file changed, 67 insertions(+), 47 deletions(-) diff --git a/application/models/User_model.php b/application/models/User_model.php index 3fc0e422b..a05d2cde4 100644 --- a/application/models/User_model.php +++ b/application/models/User_model.php 
@@ -293,31 +293,42 @@ class User_Model extends CI_Model { $this->db->insert($this->config->item('auth_table'), $data); $insert_id = $this->db->insert_id(); - $this->db->query("insert into bandxuser (bandid, userid) select bands.id, " . $insert_id . " from bands;"); - $this->db->query("insert into paper_types (user_id,paper_name,metric,width,orientation,height) SELECT ".$insert_id.", paper_name, metric, width, orientation,height FROM paper_types where user_id = 0;"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'map_custom','icon','qso','{\"icon\":\"fas fa-dot-circle\",\"color\":\"#ff0000\"}');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'map_custom','icon','qsoconfirm','{\"icon\":\"fas fa-dot-circle\",\"color\":\"#00ff00\"}');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'map_custom','icon','station','{\"icon\":\"fas fa-broadcast-tower\",\"color\":\"#0000ff\"}');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'map_custom','gridsquare','show','0');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'hamsat','hamsat_key','api','".xss_clean($user_hamsat_key)."');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'hamsat','hamsat_key','workable','".xss_clean($user_hamsat_workable_only)."');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'qso_tab','iota','show',".(xss_clean($user_iota_to_qso_tab ?? 'off') == "on" ? 
1 : 0).");"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'qso_tab','sota','show',".(xss_clean($user_sota_to_qso_tab ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'qso_tab','wwff','show',".(xss_clean($user_wwff_to_qso_tab ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'qso_tab','pota','show',".(xss_clean($user_pota_to_qso_tab ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'qso_tab','sig','show',".(xss_clean($user_sig_to_qso_tab ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'qso_tab','dok','show',".(xss_clean($user_dok_to_qso_tab ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'qso_tab','station','show',".(xss_clean($user_station_to_qso_tab ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'dashboard','show_map','boolean','".xss_clean($dashboard_map ?? 'Y')."');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'dashboard','show_dashboard_banner','boolean','".xss_clean($dashboard_banner ?? 'Y')."');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . 
", 'dashboard','show_dashboard_solar','boolean','".xss_clean($dashboard_solar ?? 'Y')."');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'widget','on_air','enabled','".(xss_clean($on_air_widget_enabled ?? 'false'))."');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'widget','on_air','display_last_seen','".(xss_clean($on_air_widget_display_last_seen ?? 'false'))."');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'widget','on_air','display_only_most_recent_radio','".(xss_clean($on_air_widget_show_only_most_recent_radio ?? 'true'))."');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'widget','qso','display_qso_time','".(xss_clean($qso_widget_display_qso_time ?? 'false'))."');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'qso_db_search_priority','enable','boolean','".(xss_clean($user_qso_db_search_priority ?? 'Y'))."');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $insert_id . ", 'dxwaterfall','enable','boolean','".xss_clean($user_dxwaterfall_enable ?? 'N')."');"); - $this->db->query("insert into user_options (user_id, option_type, option_name, option_key, option_value) values (?, 'qso_tab', 'map', 'show', ?)", [$insert_id, (int)(xss_clean($user_qso_show_map ?? 1))]); + $this->db->query("insert into bandxuser (bandid, userid) select bands.id, ? 
from bands;", [$insert_id]); + $this->db->query("insert into paper_types (user_id,paper_name,metric,width,orientation,height) SELECT ?, paper_name, metric, width, orientation,height FROM paper_types where user_id = 0;", [$insert_id]); + + // Default user_options rows — [option_type, option_name, option_key, option_value] + $user_options = [ + ['map_custom', 'icon', 'qso', '{"icon":"fas fa-dot-circle","color":"#ff0000"}'], + ['map_custom', 'icon', 'qsoconfirm', '{"icon":"fas fa-dot-circle","color":"#00ff00"}'], + ['map_custom', 'icon', 'station', '{"icon":"fas fa-broadcast-tower","color":"#0000ff"}'], + ['map_custom', 'gridsquare', 'show', '0'], + ['hamsat', 'hamsat_key', 'api', $user_hamsat_key], + ['hamsat', 'hamsat_key', 'workable', $user_hamsat_workable_only], + ['qso_tab', 'iota', 'show', (($user_iota_to_qso_tab ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'sota', 'show', (($user_sota_to_qso_tab ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'wwff', 'show', (($user_wwff_to_qso_tab ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'pota', 'show', (($user_pota_to_qso_tab ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'sig', 'show', (($user_sig_to_qso_tab ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'dok', 'show', (($user_dok_to_qso_tab ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'station', 'show', (($user_station_to_qso_tab ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'map', 'show', (int)(xss_clean($user_qso_show_map ?? 1))], + ['dashboard', 'show_map', 'boolean', $dashboard_map ?? 'Y'], + ['dashboard', 'show_dashboard_banner', 'boolean', $dashboard_banner ?? 'Y'], + ['dashboard', 'show_dashboard_solar', 'boolean', $dashboard_solar ?? 'Y'], + ['widget', 'on_air', 'enabled', $on_air_widget_enabled ?? 'false'], + ['widget', 'on_air', 'display_last_seen', $on_air_widget_display_last_seen ?? 'false'], + ['widget', 'on_air', 'display_only_most_recent_radio',$on_air_widget_show_only_most_recent_radio ?? 'true'], + ['widget', 'qso', 'display_qso_time', $qso_widget_display_qso_time ?? 
'false'], + ['qso_db_search_priority', 'enable', 'boolean', $user_qso_db_search_priority ?? 'Y'], + ['dxwaterfall', 'enable', 'boolean', $user_dxwaterfall_enable ?? 'N'], + ]; + + foreach ($user_options as [$type, $name, $key, $value]) { + $this->db->query( + "INSERT INTO user_options (user_id, option_type, option_name, option_key, option_value) VALUES (?, ?, ?, ?, ?)", + [$insert_id, $type, $name, $key, $value] + ); + } return OK; } else { return EUSERNAMEEXISTS; 
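Review bot: Binding every option row as a parameter closes the string-built SQL, but most values are still stored exactly as supplied: `$dashboard_map ?? 'Y'`, `$on_air_widget_enabled ?? 'false'` and the two hamsat values go into `option_value` unnormalised, and only `qso_tab/map/show` is coerced with `(int)`. Since these rows are read back and rendered later, normalise the boolean-like ones at this boundary instead of relying on the dropped `xss_clean`, e.g. `['dashboard', 'show_map', 'boolean', (($dashboard_map ?? 'Y') === 'N') ? 'N' : 'Y'],` and an equivalent `=== 'true'` test for the widget flags. The remaining `(int)(xss_clean($user_qso_show_map ?? 1))` can drop the `xss_clean` now that the value is cast. The enclosing method starts before this hunk, so whether these values are already validated upstream is not visible here.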
@@ -374,28 +385,37 @@ class User_Model extends CI_Model { $qso_page_last_qso_count = xss_clean($fields['user_qso_page_last_qso_count']); $qso_page_last_qso_count = $qso_page_last_qso_count > QSO_PAGE_QSOS_COUNT_LIMIT ? QSO_PAGE_QSOS_COUNT_LIMIT : $qso_page_last_qso_count; - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'hamsat','hamsat_key','api','".xss_clean($fields['user_hamsat_key'])."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'hamsat','hamsat_key','workable','".xss_clean($fields['user_hamsat_workable_only'])."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'qso_tab','iota','show',".(xss_clean($fields['user_iota_to_qso_tab'] ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'qso_tab','sota','show',".(xss_clean($fields['user_sota_to_qso_tab'] ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'qso_tab','wwff','show',".(xss_clean($fields['user_wwff_to_qso_tab'] ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'qso_tab','pota','show',".(xss_clean($fields['user_pota_to_qso_tab'] ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'qso_tab','sig','show',".(xss_clean($fields['user_sig_to_qso_tab'] ?? 'off') == "on" ? 
1 : 0).");"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'qso_tab','dok','show',".(xss_clean($fields['user_dok_to_qso_tab'] ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'qso_tab','station','show',".(xss_clean($fields['user_station_to_qso_tab'] ?? 'off') == "on" ? 1 : 0).");"); - $this->db->query("replace INTO user_options (user_id, option_type, option_name, option_key, option_value) VALUES (?, 'qso_tab', 'map', 'show', ?)", [$fields['id'], (int)(xss_clean($fields['user_qso_show_map'] ?? 1))] - ); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'widget','on_air','enabled','".(xss_clean($fields['on_air_widget_enabled'] ?? 'false'))."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'widget','on_air','display_last_seen','".(xss_clean($fields['on_air_widget_display_last_seen'] ?? 'false'))."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'widget','on_air','display_only_most_recent_radio','".(xss_clean($fields['on_air_widget_show_only_most_recent_radio'] ?? 'true'))."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'widget','qso','display_qso_time','".(xss_clean($fields['qso_widget_display_qso_time'] ?? 'false'))."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . 
", 'dashboard','last_qso_count','count','".$dashboard_last_qso_count."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'qso_tab','last_qso_count','count','".$qso_page_last_qso_count."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'dashboard','show_map','boolean','".xss_clean($fields['user_dashboard_map'] ?? 'Y')."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'dashboard','show_dashboard_banner','boolean','".xss_clean($fields['user_dashboard_banner'] ?? 'Y')."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'dashboard','show_dashboard_solar','boolean','".xss_clean($fields['user_dashboard_solar'] ?? 'N')."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'qso_db_search_priority','enable','boolean','".xss_clean($fields['user_qso_db_search_priority'] ?? 'Y')."');"); - $this->db->query("replace into user_options (user_id, option_type, option_name, option_key, option_value) values (" . $fields['id'] . ", 'dxwaterfall','enable','boolean','".xss_clean($fields['user_dxwaterfall_enable'] ?? 'N')."');"); + // Updated user_options rows — [option_type, option_name, option_key, option_value] + $user_options = [ + ['hamsat', 'hamsat_key', 'api', $fields['user_hamsat_key']], + ['hamsat', 'hamsat_key', 'workable', $fields['user_hamsat_workable_only']], + ['qso_tab', 'iota', 'show', (($fields['user_iota_to_qso_tab'] ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'sota', 'show', (($fields['user_sota_to_qso_tab'] ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'wwff', 'show', (($fields['user_wwff_to_qso_tab'] ?? 
'off') == "on" ? 1 : 0)], + ['qso_tab', 'pota', 'show', (($fields['user_pota_to_qso_tab'] ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'sig', 'show', (($fields['user_sig_to_qso_tab'] ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'dok', 'show', (($fields['user_dok_to_qso_tab'] ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'station', 'show', (($fields['user_station_to_qso_tab'] ?? 'off') == "on" ? 1 : 0)], + ['qso_tab', 'map', 'show', (int)($fields['user_qso_show_map'] ?? 1)], + ['qso_tab', 'last_qso_count', 'count', $qso_page_last_qso_count], + ['widget', 'on_air', 'enabled', $fields['on_air_widget_enabled'] ?? 'false'], + ['widget', 'on_air', 'display_last_seen', $fields['on_air_widget_display_last_seen'] ?? 'false'], + ['widget', 'on_air', 'display_only_most_recent_radio',$fields['on_air_widget_show_only_most_recent_radio'] ?? 'true'], + ['widget', 'qso', 'display_qso_time', $fields['qso_widget_display_qso_time'] ?? 'false'], + ['dashboard', 'last_qso_count', 'count', $dashboard_last_qso_count], + ['dashboard', 'show_map', 'boolean', $fields['user_dashboard_map'] ?? 'Y'], + ['dashboard', 'show_dashboard_banner', 'boolean', $fields['user_dashboard_banner'] ?? 'Y'], + ['dashboard', 'show_dashboard_solar', 'boolean', $fields['user_dashboard_solar'] ?? 'N'], + ['qso_db_search_priority', 'enable', 'boolean', $fields['user_qso_db_search_priority'] ?? 'Y'], + ['dxwaterfall', 'enable', 'boolean', $fields['user_dxwaterfall_enable'] ?? 'N'], + ]; + + foreach ($user_options as [$type, $name, $key, $value]) { + $this->db->query( + "REPLACE INTO user_options (user_id, option_type, option_name, option_key, option_value) VALUES (?, ?, ?, ?, ?)", + [$fields['id'], $type, $name, $key, $value] + ); + } $this->session->set_userdata('dashboard_last_qso_count', $dashboard_last_qso_count); $this->session->set_userdata('qso_page_last_qso_count', $qso_page_last_qso_count); $this->session->set_userdata('user_dashboard_map',xss_clean($fields['user_dashboard_map'] ?? 'Y')); 
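Review bot: `$qso_page_last_qso_count` is only clamped from above — `$qso_page_last_qso_count > QSO_PAGE_QSOS_COUNT_LIMIT ? QSO_PAGE_QSOS_COUNT_LIMIT : $qso_page_last_qso_count` lets a negative value, or a non-numeric string that happens to compare low, through, and the new loop then stores it verbatim in the `count` row (the same presumably applies to `$dashboard_last_qso_count`, computed above the hunk). Cast and bound it before the array is built, e.g. `$qso_page_last_qso_count = max(0, min((int) $fields['user_qso_page_last_qso_count'], QSO_PAGE_QSOS_COUNT_LIMIT));`. The user id is now bound as `?`, which fixes the injection, but this hunk does not show where `$fields['id']` comes from; if it is request-supplied, the caller must still verify it matches the session user before these `REPLACE` statements run. The enclosing method starts before this hunk.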
From f9a7548b4a73164dbda98cf02f9f7b9fb9496b83 Mon Sep 17 00:00:00 2001
From: HB9HIL
Date: Mon, 16 Mar 2026 00:47:52 +0100
Subject: [PATCH 2/7] clean xss clean
---
 application/controllers/Band.php | 76 ++++++++++++++++----------------
 1 file changed, 38 insertions(+), 38 deletions(-)
diff --git a/application/controllers/Band.php b/application/controllers/Band.php
index 181287cef..17040f606 100644
--- a/application/controllers/Band.php
+++ b/application/controllers/Band.php
@@ -90,7 +90,7 @@ class Band extends CI_Controller {
{
$this->load->model('bands');
- $item_id_clean = $this->security->xss_clean($this->input->post('id'));
+ $item_id_clean = $this->input->post('id');
$band_query = $this->bands->getband($item_id_clean);
@@ -104,12 +104,12 @@ class Band extends CI_Controller {
public function saveupdatedband() {
$this->load->model('bands');
- $id = $this->security->xss_clean($this->input->post('id', true));
- $band['band'] = $this->security->xss_clean($this->input->post('band', true));
- $band['bandgroup'] = $this->security->xss_clean($this->input->post('bandgroup', true));
- $band['ssbqrg'] = $this->security->xss_clean($this->input->post('ssbqrg', true));
- $band['dataqrg'] = $this->security->xss_clean($this->input->post('dataqrg', true));
- $band['cwqrg'] = $this->security->xss_clean($this->input->post('cwqrg', true));
+ $id = $this->input->post('id', true);
+ $band['band'] = $this->input->post('band', true);
+ $band['bandgroup'] = $this->input->post('bandgroup', true);
+ $band['ssbqrg'] = $this->input->post('ssbqrg', true);
+ $band['dataqrg'] = $this->input->post('dataqrg', true);
+ $band['cwqrg'] = $this->input->post('cwqrg', true);
$this->bands->saveupdatedband($id, $band);
echo json_encode(array('message' => 'OK'));
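Review bot: In `edit()` the id is now read with `$this->input->post('id')` and no filter at all, while every other hunk in this patch uses `post('…', true)`, and the variable is still named `$item_id_clean`. For a database id the useful guard is a cast, not XSS filtering, which is not an SQL defence either way: `$item_id_clean = (int) $this->input->post('id');`. Whether `getband()` then scopes the lookup to the current user is not visible in this hunk.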
@@ -117,13 +117,13 @@ class Band extends CI_Controller {
}
public function delete() {
- $id = $this->input->post('id');
+ $id = $this->input->post('id', true);
$this->load->model('bands');
$this->bands->delete($id);
}
public function activate() {
- $id = $this->input->post('id');
+ $id = $this->input->post('id', true);
$this->load->model('bands');
$this->bands->activate($id);
header('Content-Type: application/json');
@@ -132,7 +132,7 @@ class Band extends CI_Controller {
}
public function deactivate() {
- $id = $this->input->post('id');
+ $id = $this->input->post('id', true);
$this->load->model('bands');
$this->bands->deactivate($id);
header('Content-Type: application/json');
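Review bot: `activate()` and `deactivate()` pass the request-supplied `$id` to the model with no user context, so unless `Bands::activate()`/`deactivate()` filter on the session user themselves (not visible here), any logged-in user can toggle another user's `bandxuser` row by id. Pass the owner along, e.g. `$this->bands->activate((int) $id, $this->session->userdata('user_id'));`, and cast the id to int since `post('id', true)` only runs the XSS filter. The same applies to `delete()` in this hunk, which also sends nothing back to the caller.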
@@ -157,25 +157,25 @@ class Band extends CI_Controller {
}
public function saveBand() {
- $id = $this->security->xss_clean($this->input->post('id'));
- $band['status'] = $this->security->xss_clean($this->input->post('status'));
- $band['cq'] = $this->security->xss_clean($this->input->post('cq'));
- $band['dok'] = $this->security->xss_clean($this->input->post('dok'));
- $band['dxcc'] = $this->security->xss_clean($this->input->post('dxcc'));
- $band['helvetia'] = $this->security->xss_clean($this->input->post('helvetia'));
- $band['iota'] = $this->security->xss_clean($this->input->post('iota'));
- $band['jcc'] = $this->security->xss_clean($this->input->post('jcc'));
- $band['pota'] = $this->security->xss_clean($this->input->post('pota'));
- $band['rac'] = $this->security->xss_clean($this->input->post('rac'));
- $band['sig'] = $this->security->xss_clean($this->input->post('sig'));
- $band['sota'] = $this->security->xss_clean($this->input->post('sota'));
- $band['uscounties'] = $this->security->xss_clean($this->input->post('uscounties'));
- $band['wap'] = $this->security->xss_clean($this->input->post('wap'));
- $band['wapc'] = $this->security->xss_clean($this->input->post('wapc'));
- $band['was'] = $this->security->xss_clean($this->input->post('was'));
- $band['wwff'] = $this->security->xss_clean($this->input->post('wwff'));
- $band['vucc'] = $this->security->xss_clean($this->input->post('vucc'));
- $band['waja'] = $this->security->xss_clean($this->input->post('waja'));
+ $id = $this->input->post('id', true);
+ $band['status'] = $this->input->post('status', true);
+ $band['cq'] = $this->input->post('cq', true);
+ $band['dok'] = $this->input->post('dok', true);
+ $band['dxcc'] = $this->input->post('dxcc', true);
+ $band['helvetia'] = $this->input->post('helvetia', true);
+ $band['iota'] = $this->input->post('iota', true);
+ $band['jcc'] = $this->input->post('jcc', true);
+ $band['pota'] = $this->input->post('pota', true);
+ $band['rac'] = $this->input->post('rac', true);
+ $band['sig'] = $this->input->post('sig', true);
+ $band['sota'] = $this->input->post('sota', true);
+ $band['uscounties'] = $this->input->post('uscounties', true);
+ $band['wap'] = $this->input->post('wap', true);
+ $band['wapc'] = $this->input->post('wapc', true);
+ $band['was'] = $this->input->post('was', true);
+ $band['wwff'] = $this->input->post('wwff', true);
+ $band['vucc'] = $this->input->post('vucc', true);
+ $band['waja'] = $this->input->post('waja', true);
$this->load->model('bands');
$this->bands->saveBand($id, $band);
@@ -186,8 +186,8 @@ class Band extends CI_Controller {
}
public function saveBandAward() {
- $award = $this->security->xss_clean($this->input->post('award'));
- $status = $this->security->xss_clean($this->input->post('status'));
+ $award = $this->input->post('award', true);
+ $status = $this->input->post('status', true);
$this->load->model('bands');
$this->bands->saveBandAward($award, $status);
@@ -198,8 +198,8 @@ class Band extends CI_Controller {
}
public function saveBandUnit() {
- $unit = $this->security->xss_clean($this->input->post('unit'));
- $band_id = $this->security->xss_clean($this->input->post('band_id'));
+ $unit = $this->input->post('unit', true);
+ $band_id = $this->input->post('band_id', true);
$this->load->model('bands');
$band = $this->bands->getband($band_id)->row()->band;
@@ -209,7 +209,7 @@ class Band extends CI_Controller {
}
public function deletebandedge() {
- $id = $this->input->post('id');
+ $id = $this->input->post('id', true);
$this->load->model('bands');
$this->bands->deletebandedge($id);
header('Content-Type: application/json');
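Review bot: `saveBand()` forwards the id and eighteen award flags to the model with only the XSS filter applied, although they are used as database values, not rendered; normalise them instead — `$id = (int) $this->input->post('id', true);` and, if the flags are booleans as their names suggest, `$band['cq'] = $this->input->post('cq', true) ? 1 : 0;` (whether the columns expect 0/1 or another encoding is not visible here). The call `$this->bands->saveBand($id, $band)` also carries no user id, so ownership of the row depends entirely on the model, which this hunk does not show. The method starts on the previous line of this hunk and its body continues to the JSON response below.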
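Review bot: `$this->bands->getband($band_id)->row()->band` dereferences the row without checking that one exists, so an unknown `band_id` makes `row()` return `null` and the request dies with a fatal error on `->band`. Guard the lookup before writing the option: `$row = $this->bands->getband((int) $band_id)->row(); if ($row === null) { return; }` and then use `$row->band`. `$unit` is also persisted into the user's options and session as-is; restricting it to the units the UI offers would avoid storing arbitrary strings.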
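Review bot: `deletebandedge()` still sends only the request-supplied `$id` to `$this->bands->deletebandedge($id)`, with no user id, so whether a user can delete another user's band edge depends on a model filter this hunk does not show. Mirror the ownership parameter you would expect on a delete, e.g. `$this->bands->deletebandedge((int) $id, $this->session->userdata('user_id'));`, and cast the id, since `post('id', true)` only XSS-filters it.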
@@ -220,10 +220,10 @@ class Band extends CI_Controller {
public function saveBandEdge() {
$this->load->model('bands');
- $id = $this->security->xss_clean($this->input->post('id', true));
- $frequencyfrom = $this->security->xss_clean($this->input->post('frequencyfrom', true));
- $frequencyto = $this->security->xss_clean($this->input->post('frequencyto', true));
- $mode = $this->security->xss_clean($this->input->post('mode', true));
+ $id = $this->input->post('id', true);
+ $frequencyfrom = $this->input->post('frequencyfrom', true);
+ $frequencyto = $this->input->post('frequencyto', true);
+ $mode = $this->input->post('mode', true);
if ((is_numeric($frequencyfrom)) && (is_numeric($frequencyfrom))) {
$overlap=$this->bands->check4overlapEdges($id, $frequencyfrom, $frequencyto, $mode);
if (!($overlap)) {
From 77f34cd942512cedd215a764a90d66661c1049ec Mon Sep 17 00:00:00 2001
From: HB9HIL
Date: Mon, 16 Mar 2026 00:50:21 +0100
Subject: [PATCH 3/7] add userid to band deletion
---
 application/controllers/Band.php | 3 ++-
 application/models/Bands.php | 8 ++------
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/application/controllers/Band.php b/application/controllers/Band.php
index 17040f606..a1857b462 100644
--- a/application/controllers/Band.php
+++ b/application/controllers/Band.php
@@ -118,8 +118,9 @@ class Band extends CI_Controller {
public function delete() {
$id = $this->input->post('id', true);
+ $userid = $this->session->userdata('user_id');
$this->load->model('bands');
- $this->bands->delete($id);
+ $this->bands->delete($id, $userid);
}
public function activate() {
diff --git a/application/models/Bands.php b/application/models/Bands.php
index 17b2cc588..213f86722 100644
--- a/application/models/Bands.php
+++ b/application/models/Bands.php
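Review bot: The range check `if ((is_numeric($frequencyfrom)) && (is_numeric($frequencyfrom)))` tests `$frequencyfrom` twice and never `$frequencyto`, so a non-numeric upper bound reaches `check4overlapEdges()` and `saveBandEdge()` with only the XSS filter applied. Change the guard to `if (is_numeric($frequencyfrom) && is_numeric($frequencyto)) {`, and consider requiring `$frequencyfrom <= $frequencyto` before saving. `$mode` is passed through unvalidated as well; the method continues past the end of this hunk.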
@@ -300,12 +300,8 @@ class Bands extends CI_Model {
return true;
}
- function delete($id) {
- // Clean ID
- $clean_id = $this->security->xss_clean($id);
-
- // Delete Mode
- $this->db->delete('bandxuser', array('id' => $clean_id));
+ function delete($id, $userid) {
+ $this->db->delete('bandxuser', array('id' => $id, 'userid' => $userid));
}
function saveBand($id, $band) {
From 52b92ca8462a892d4f415a3768fdae087b6e605a Mon Sep 17 00:00:00 2001
From: HB9HIL
Date: Mon, 16 Mar 2026 00:50:45 +0100
Subject: [PATCH 4/7] format code
---
 application/controllers/Band.php | 151 +++++++++++++++----------------
 1 file changed, 74 insertions(+), 77 deletions(-)
diff --git a/application/controllers/Band.php b/application/controllers/Band.php
index a1857b462..967cfd3df 100644
--- a/application/controllers/Band.php
+++ b/application/controllers/Band.php
@@ -1,4 +1,4 @@ -load->helper(array('form', 'url')); $this->load->model('user_model');
- if(!$this->user_model->authorize(2) || !clubaccess_check(9)) { $this->session->set_flashdata('error', __("You're not allowed to do that!")); redirect('dashboard'); }
+ if (!$this->user_model->authorize(2) || !clubaccess_check(9)) {
+ $this->session->set_flashdata('error', __("You're not allowed to do that!"));
+ redirect('dashboard');
+ }
}
- public function index()
- {
+ public function index() {
$this->load->model('bands');
$data['bands'] = $this->bands->get_all_bands_for_user();
@@ -28,8 +29,7 @@ class Band extends CI_Controller {
$this->load->view('interface_assets/footer');
}
- public function edges()
- {
+ public function edges() {
$this->load->model('bands');
$data['bands'] = $this->bands->get_all_bandedges_for_user();
@@ -47,8 +47,7 @@ class Band extends CI_Controller {
}
// API endpoint to get band edges for the logged-in user
- public function get_user_bandedges()
- {
+ public function get_user_bandedges() {
$this->load->model('bands');
// Get region parameter from query string, default to 1 (IARU Region 1)
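Review bot: Scoping the delete on `userid` is the right fix, but `delete()` still returns nothing, so the controller cannot tell a successful delete from a row that belonged to someone else, and a `null` session id silently matches no row rather than failing. Return the outcome and cast both keys, e.g. `$this->db->delete('bandxuser', ['id' => (int) $id, 'userid' => (int) $userid]); return $this->db->affected_rows() > 0;`, and have the caller respond accordingly. Whether `activate()`/`deactivate()` in this model received the same `userid` filter is not visible in this hunk.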
@@ -63,8 +62,7 @@ class Band extends CI_Controller { return; } - public function create() - { + public function create() { $this->load->model('bands'); $this->load->library('form_validation'); @@ -86,8 +84,7 @@ class Band extends CI_Controller { } } - public function edit() - { + public function edit() { $this->load->model('bands'); $item_id_clean = $this->input->post('id'); @@ -98,7 +95,7 @@ class Band extends CI_Controller { $data['page_title'] = __("Edit Band"); - $this->load->view('bands/edit', $data); + $this->load->view('bands/edit', $data); } public function saveupdatedband() { 
@@ -111,92 +108,92 @@ class Band extends CI_Controller { $band['dataqrg'] = $this->input->post('dataqrg', true); $band['cwqrg'] = $this->input->post('cwqrg', true); - $this->bands->saveupdatedband($id, $band); + $this->bands->saveupdatedband($id, $band); echo json_encode(array('message' => 'OK')); - return; + return; } public function delete() { - $id = $this->input->post('id', true); + $id = $this->input->post('id', true); $userid = $this->session->userdata('user_id'); $this->load->model('bands'); $this->bands->delete($id, $userid); } public function activate() { - $id = $this->input->post('id', true); - $this->load->model('bands'); - $this->bands->activate($id); - header('Content-Type: application/json'); - echo json_encode(array('message' => 'OK')); - return; - } + $id = $this->input->post('id', true); + $this->load->model('bands'); + $this->bands->activate($id); + header('Content-Type: application/json'); + echo json_encode(array('message' => 'OK')); + return; + } - public function deactivate() { - $id = $this->input->post('id', true); - $this->load->model('bands'); - $this->bands->deactivate($id); - header('Content-Type: application/json'); - echo json_encode(array('message' => 'OK')); - return; - } + public function deactivate() { + $id = $this->input->post('id', true); + $this->load->model('bands'); + $this->bands->deactivate($id); + header('Content-Type: application/json'); + echo json_encode(array('message' => 'OK')); + return; + } public function activateall() { - $this->load->model('bands'); - $this->bands->activateall(); - header('Content-Type: application/json'); - echo json_encode(array('message' => 'OK')); - return; - } - - public function deactivateall() { - $this->load->model('bands'); - $this->bands->deactivateall(); - header('Content-Type: application/json'); - echo json_encode(array('message' => 'OK')); + $this->load->model('bands'); + $this->bands->activateall(); + header('Content-Type: application/json'); + echo json_encode(array('message' => 
'OK')); return; - } + } - public function saveBand() { - $id = $this->input->post('id', true); - $band['status'] = $this->input->post('status', true); - $band['cq'] = $this->input->post('cq', true); - $band['dok'] = $this->input->post('dok', true); - $band['dxcc'] = $this->input->post('dxcc', true); - $band['helvetia'] = $this->input->post('helvetia', true); - $band['iota'] = $this->input->post('iota', true); - $band['jcc'] = $this->input->post('jcc', true); - $band['pota'] = $this->input->post('pota', true); - $band['rac'] = $this->input->post('rac', true); - $band['sig'] = $this->input->post('sig', true); - $band['sota'] = $this->input->post('sota', true); - $band['uscounties'] = $this->input->post('uscounties', true); - $band['wap'] = $this->input->post('wap', true); - $band['wapc'] = $this->input->post('wapc', true); - $band['was'] = $this->input->post('was', true); - $band['wwff'] = $this->input->post('wwff', true); - $band['vucc'] = $this->input->post('vucc', true); - $band['waja'] = $this->input->post('waja', true); + public function deactivateall() { + $this->load->model('bands'); + $this->bands->deactivateall(); + header('Content-Type: application/json'); + echo json_encode(array('message' => 'OK')); + return; + } - $this->load->model('bands'); - $this->bands->saveBand($id, $band); + public function saveBand() { + $id = $this->input->post('id', true); + $band['status'] = $this->input->post('status', true); + $band['cq'] = $this->input->post('cq', true); + $band['dok'] = $this->input->post('dok', true); + $band['dxcc'] = $this->input->post('dxcc', true); + $band['helvetia'] = $this->input->post('helvetia', true); + $band['iota'] = $this->input->post('iota', true); + $band['jcc'] = $this->input->post('jcc', true); + $band['pota'] = $this->input->post('pota', true); + $band['rac'] = $this->input->post('rac', true); + $band['sig'] = $this->input->post('sig', true); + $band['sota'] = $this->input->post('sota', true); + $band['uscounties'] = 
$this->input->post('uscounties', true); + $band['wap'] = $this->input->post('wap', true); + $band['wapc'] = $this->input->post('wapc', true); + $band['was'] = $this->input->post('was', true); + $band['wwff'] = $this->input->post('wwff', true); + $band['vucc'] = $this->input->post('vucc', true); + $band['waja'] = $this->input->post('waja', true); - header('Content-Type: application/json'); - echo json_encode(array('message' => 'OK')); - return; - } + $this->load->model('bands'); + $this->bands->saveBand($id, $band); + + header('Content-Type: application/json'); + echo json_encode(array('message' => 'OK')); + return; + } public function saveBandAward() { $award = $this->input->post('award', true); $status = $this->input->post('status', true); $this->load->model('bands'); - $this->bands->saveBandAward($award, $status); + $this->bands->saveBandAward($award, $status); header('Content-Type: application/json'); - echo json_encode(array('message' => 'OK')); + echo json_encode(array('message' => 'OK')); return; - } + } public function saveBandUnit() { $unit = $this->input->post('unit', true); @@ -206,7 +203,7 @@ class Band extends CI_Controller { $band = $this->bands->getband($band_id)->row()->band; $this->user_options_model->set_option('frequency', 'unit', array($band => $unit)); - $this->session->set_userdata('qrgunit_'.$band, $unit); + $this->session->set_userdata('qrgunit_' . $band, $unit); } public function deletebandedge() { @@ -226,7 +223,7 @@ class Band extends CI_Controller { $frequencyto = $this->input->post('frequencyto', true); $mode = $this->input->post('mode', true); if ((is_numeric($frequencyfrom)) && (is_numeric($frequencyfrom))) { - $overlap=$this->bands->check4overlapEdges($id, $frequencyfrom, $frequencyto, $mode); + $overlap = $this->bands->check4overlapEdges($id, $frequencyfrom, $frequencyto, $mode); if (!($overlap)) { $this->bands->saveBandEdge($id, $frequencyfrom, $frequencyto, $mode); echo json_encode(array('message' => 'OK')); 
From 80f37bdad7f7eb1077d54247aafad2dd493e8d87 Mon Sep 17 00:00:00 2001
From: HB9HIL
Date: Mon, 16 Mar 2026 00:52:05 +0100
Subject: [PATCH 5/7] bands model is loaded in every function so we can move it to the cunstructor
---
 application/controllers/Band.php | 24 ++----------------------
 1 file changed, 2 insertions(+), 22 deletions(-)
diff --git a/application/controllers/Band.php b/application/controllers/Band.php
index 967cfd3df..1dc1afc37 100644
--- a/application/controllers/Band.php
+++ b/application/controllers/Band.php
@@ -15,11 +15,11 @@ class Band extends CI_Controller {
$this->session->set_flashdata('error', __("You're not allowed to do that!"));
redirect('dashboard');
}
+
+ $this->load->model('bands');
}
public function index() {
- $this->load->model('bands');
-
$data['bands'] = $this->bands->get_all_bands_for_user();
// Render Page
@@ -30,8 +30,6 @@ class Band extends CI_Controller {
}
public function edges() {
- $this->load->model('bands');
-
$data['bands'] = $this->bands->get_all_bandedges_for_user();
$footerData = [];
@@ -48,8 +46,6 @@ class Band extends CI_Controller {
// API endpoint to get band edges for the logged-in user
public function get_user_bandedges() {
- $this->load->model('bands');
-
// Get region parameter from query string, default to 1 (IARU Region 1)
// Note: Region selection is not yet fully implemented in the code
$region = $this->input->get('region');
@@ -63,7 +59,6 @@ class Band extends CI_Controller {
}
public function create() {
- $this->load->model('bands');
$this->load->library('form_validation');
$this->form_validation->set_rules('band', 'Band', 'required');
@@ -85,8 +80,6 @@ class Band extends CI_Controller {
}
public function edit() {
- $this->load->model('bands');
-
$item_id_clean = $this->input->post('id');
$band_query = $this->bands->getband($item_id_clean);
@@ -99,8 +92,6 @@ class Band extends CI_Controller {
     }
 
     public function saveupdatedband() {
-        $this->load->model('bands');
-
         $id = $this->input->post('id', true);
         $band['band'] = $this->input->post('band', true);
         $band['bandgroup'] = $this->input->post('bandgroup', true);
@@ -116,13 +107,11 @@ class Band extends CI_Controller {
     public function delete() {
         $id = $this->input->post('id', true);
         $userid = $this->session->userdata('user_id');
-        $this->load->model('bands');
         $this->bands->delete($id, $userid);
     }
 
     public function activate() {
         $id = $this->input->post('id', true);
-        $this->load->model('bands');
         $this->bands->activate($id);
         header('Content-Type: application/json');
         echo json_encode(array('message' => 'OK'));
@@ -131,7 +120,6 @@ class Band extends CI_Controller {
 
     public function deactivate() {
         $id = $this->input->post('id', true);
-        $this->load->model('bands');
         $this->bands->deactivate($id);
         header('Content-Type: application/json');
         echo json_encode(array('message' => 'OK'));
@@ -139,7 +127,6 @@ class Band extends CI_Controller {
     }
 
     public function activateall() {
-        $this->load->model('bands');
         $this->bands->activateall();
         header('Content-Type: application/json');
         echo json_encode(array('message' => 'OK'));
@@ -147,7 +134,6 @@ class Band extends CI_Controller {
     }
 
     public function deactivateall() {
-        $this->load->model('bands');
         $this->bands->deactivateall();
         header('Content-Type: application/json');
         echo json_encode(array('message' => 'OK'));
@@ -175,7 +161,6 @@ class Band extends CI_Controller {
         $band['vucc'] = $this->input->post('vucc', true);
         $band['waja'] = $this->input->post('waja', true);
 
-        $this->load->model('bands');
         $this->bands->saveBand($id, $band);
 
         header('Content-Type: application/json');
@@ -187,7 +172,6 @@ class Band extends CI_Controller {
         $award = $this->input->post('award', true);
         $status = $this->input->post('status', true);
 
-        $this->load->model('bands');
         $this->bands->saveBandAward($award, $status);
 
         header('Content-Type: application/json');
@@ -199,7 +183,6 @@ class Band extends CI_Controller {
         $unit = $this->input->post('unit', true);
         $band_id = $this->input->post('band_id', true);
 
-        $this->load->model('bands');
         $band = $this->bands->getband($band_id)->row()->band;
         $this->user_options_model->set_option('frequency', 'unit', array($band => $unit));
 
@@ -208,7 +191,6 @@ class Band extends CI_Controller {
 
     public function deletebandedge() {
         $id = $this->input->post('id', true);
-        $this->load->model('bands');
         $this->bands->deletebandedge($id);
         header('Content-Type: application/json');
         echo json_encode(array('message' => 'OK'));
@@ -216,8 +198,6 @@ class Band extends CI_Controller {
     }
 
     public function saveBandEdge() {
-        $this->load->model('bands');
-
         $id = $this->input->post('id', true);
         $frequencyfrom = $this->input->post('frequencyfrom', true);
         $frequencyto = $this->input->post('frequencyto', true);

From 054f66d07ff71307be38be0f00a15c29f915eb7e Mon Sep 17 00:00:00 2001
From: HB9HIL
Date: Mon, 16 Mar 2026 00:57:34 +0100
Subject: [PATCH 6/7] escape some api stuff

---
 application/controllers/Api.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/application/controllers/Api.php b/application/controllers/Api.php
index 4ae4f64d5..c56436f87 100644
--- a/application/controllers/Api.php
+++ b/application/controllers/Api.php
@@ -74,9 +74,9 @@ class API extends CI_Controller {
         } else {
             // Success!
 
-            $this->api_model->update_key_description($this->input->post('api_key'), $this->input->post('api_desc'));
+            $this->api_model->update_key_description($this->input->post('api_key', true), $this->input->post('api_desc', true));
 
-            $this->session->set_flashdata('notice', sprintf(__("API Key %s description has been updated."), "".$this->input->post('api_key').""));
+            $this->session->set_flashdata('notice', sprintf(__("API Key %s description has been updated."), "" . htmlspecialchars($this->input->post('api_key', true), ENT_QUOTES, 'UTF-8') . ""));
 
             redirect('api');
         }
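Review bot: Escaping with htmlspecialchars at the point the flash message is stored only helps if the view prints `notice` without escaping it again; if the view already escapes, the api_key is double-encoded, so confirm where the notice is rendered and escape in exactly one place. The same applies to the @@ -118 hunk that escapes `$key`. The second argument `true` passed to `$this->input->post()` only runs CodeIgniter's XSS filter over the values and is not a defense for update_key_description's query; the model has to bind `api_key` and `api_desc` as query parameters, which is not visible here. The empty `"" . … . ""` concatenations around the escaped value are leftovers and can be dropped to `htmlspecialchars($this->input->post('api_key', true), ENT_QUOTES, 'UTF-8')`. The enclosing method starts before the hunk.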
@@ -118,7 +118,7 @@ class API extends CI_Controller {
 
         $this->api_model->delete_key($key);
 
-        $this->session->set_flashdata('notice', sprintf(__("API Key %s has been deleted"), "".$key."" ));
+        $this->session->set_flashdata('notice', sprintf(__("API Key %s has been deleted"), "" . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . "" ));
 
         redirect('api');
     }

From feefd7ac84c8653dea15f01fe58a493f6f3a18b9 Mon Sep 17 00:00:00 2001
From: HB9HIL
Date: Mon, 16 Mar 2026 01:07:41 +0100
Subject: [PATCH 7/7] dead code

---
 application/controllers/Qso.php | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/application/controllers/Qso.php b/application/controllers/Qso.php
index b38b62057..71af49524 100644
--- a/application/controllers/Qso.php
+++ b/application/controllers/Qso.php
@@ -573,11 +573,6 @@ class QSO extends CI_Controller {
             $data['message_contents'] = "QSO Deleted Successfully";
             $this->load->view('messages/message', $data);
         }
-
-        // If deletes from /logbook dropdown redirect
-        if (strpos($_SERVER['HTTP_REFERER'], '/logbook') !== false) {
-            redirect($_SERVER['HTTP_REFERER']);
-        }
     }
 
     /* Delete QSO */