Public_Tools/wavelog
2
0
Fork 0
mirror of https://github.com/wavelog/wavelog.git synced 2026-03-22 10:24:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1531 from int2001/csv_fix

Browse Source 
Make Old CSV-Export injection-safe (binding)
This commit is contained in:
Joerg (DJ7NT)
2025-01-22 08:20:15 +01:00
committed by GitHub
parent 4357868977 bfb4440fda
commit e640baae0c
1 changed files with 24 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
application/models/Csv_model.php
View File

@@ -18,55 +18,67 @@ class Csv_model extends CI_Model
*
*/
function get_qsos($station_id, $band, $mode, $dxcc, $cqz, $propagation, $fromdate, $todate) {
$binds=[];
$sql = "";
$sql .= "SELECT station_callsign, COL_MY_SOTA_REF, COL_QSO_DATE, COL_TIME_ON, COL_BAND, COL_MODE, COL_CALL, COL_SOTA_REF, COL_COMMENT
FROM ".$this->config->item('table_name').
" JOIN station_profile on station_profile.station_id = ".$this->config->item('table_name').".station_id".
" WHERE (COL_SOTA_REF <> '' OR COL_MY_SOTA_REF <> '')";
" WHERE (COALESCE(COL_SOTA_REF,NULL,'') != '' OR COALESCE(COL_MY_SOTA_REF,NULL,'') != '')";
if ($station_id != "All") {
$sql .= ' and ' . $this->config->item('table_name'). '.station_id = ' . $station_id;
$sql .= ' and ' . $this->config->item('table_name'). '.station_id = ?';
$binds[]=$station_id;
}
if ($band != 'All') {
if ($band == 'SAT') {
$sql .= " and col_prop_mode ='" . $band . "'";
$sql .= " and col_prop_mode = ?";
$binds[]=$band;
} else {
$sql .= " and col_prop_mode !='SAT'";
$sql .= " and col_band ='" . $band . "'";
$sql .= " and col_band = ?";
$binds[]=$band;
}
}
if ($mode != 'All') {
$sql .= " and (COL_MODE = '" . $mode . "' or COL_SUBMODE = '" . $mode . "')";
$sql .= " and (COL_MODE = ? or COL_SUBMODE = ?)";
$binds[]=$mode;
$binds[]=$mode;
}
if ($dxcc != 'All') {
$sql .= " and COL_DXCC ='" . $dxcc . "'";
$sql .= " and COL_DXCC = ?";
$binds[]=$dxcc;
}
if ($cqz != 'All') {
$sql .= " and COL_CQZ ='" . $cqz . "'";
$sql .= " and COL_CQZ = ?";
$binds[]=$cqz;
}
if ($propagation != 'All') {
$sql .= " and COL_PROP_MODE ='" . $propagation . "'";
$sql .= " and COL_PROP_MODE = ?";
$binds[]=$propagation;
}
// If date is set, we format the date and add it to the where-statement
if ($fromdate != "") {
$sql .= " and date(COL_TIME_ON) >='" . $fromdate . "'";
$sql .= " and date(COL_TIME_ON) >= ?";
$binds[]=$fromdate;
}
if ($todate != "") {
$sql .= " and date(COL_TIME_ON) <='" . $todate . "'";
$sql .= " and date(COL_TIME_ON) <= ?";
$binds[]=$todate;
}
$sql .= ' and station_profile.user_id = ' . $this->session->userdata('user_id');
$sql .= ' and station_profile.user_id = ?';
$binds[]=$this->session->userdata('user_id');
$sql .= ' ORDER BY `COL_TIME_ON` ASC';
$query = $this->db->query($sql);
$query = $this->db->query($sql,$binds);
return $query->result_array();
}