From 1d2b905becf69addc973265af13739a64c119993 Mon Sep 17 00:00:00 2001
From: int2001
Date: Tue, 21 Jan 2025 11:20:45 +0000
Subject: [PATCH 1/2] Make Old CSV-Export injection-safe (binding)
---
 application/models/Csv_model.php | 34 +++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/application/models/Csv_model.php b/application/models/Csv_model.php
index 6f22cd629..2ff8905e6 100644
--- a/application/models/Csv_model.php
+++ b/application/models/Csv_model.php
@@ -18,6 +18,7 @@ class Csv_model extends CI_Model
 * */
 function get_qsos($station_id, $band, $mode, $dxcc, $cqz, $propagation, $fromdate, $todate) {
+ $binds=[];
 $sql = "";
 $sql .= "SELECT station_callsign, COL_MY_SOTA_REF, COL_QSO_DATE, COL_TIME_ON, COL_BAND, COL_MODE, COL_CALL, COL_SOTA_REF, COL_COMMENT 
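Review bot: The new `$binds=[];` establishes an invariant that nothing in the file states: every `?` appended to `$sql` further down must be matched by exactly one `$binds[]` entry, added in the same branch and in the same order. If this is the CodeIgniter 3 driver behind `$this->db->query($sql, $binds)`, its bind compilation hands the SQL back with the placeholders untouched when the placeholder and bind counts differ, so a future branch that adds a `?` without a bind would surface as a broken query rather than silently reverting to string concatenation — still worth making explicit. I would add above the line: `// One bind per ? placeholder, appended in the same branch that adds it; CI skips binding entirely if the counts diverge.` The same ordering dependency runs through the whole second hunk (`@@ -26,47 +27,58 @@`). get_qsos continues outside this hunk.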
@@ -26,47 +27,58 @@ class Csv_model extends CI_Model
 " WHERE (COL_SOTA_REF <> '' OR COL_MY_SOTA_REF <> '')";
 if ($station_id != "All") {
- $sql .= ' and ' . $this->config->item('table_name'). '.station_id = ' . $station_id;
+ $sql .= ' and ' . $this->config->item('table_name'). '.station_id = ?';
+ $binds[]=$station_id;
 }
 if ($band != 'All') {
 if ($band == 'SAT') {
- $sql .= " and col_prop_mode ='" . $band . "'";
+ $sql .= " and col_prop_mode = ?";
+ $binds[]=$band;
 } else {
 $sql .= " and col_prop_mode !='SAT'";
- $sql .= " and col_band ='" . $band . "'";
+ $sql .= " and col_band = ?";
+ $binds[]=$band;
 }
 }
 if ($mode != 'All') {
- $sql .= " and (COL_MODE = '" . $mode . "' or COL_SUBMODE = '" . $mode . "')";
+ $sql .= " and (COL_MODE = ? or COL_SUBMODE = ?)";
+ $binds[]=$mode;
+ $binds[]=$mode;
 }
 if ($dxcc != 'All') {
- $sql .= " and COL_DXCC ='" . $dxcc . "'";
+ $sql .= " and COL_DXCC = ?";
+ $binds[]=$dxcc;
 }
 if ($cqz != 'All') {
- $sql .= " and COL_CQZ ='" . $cqz . "'";
+ $sql .= " and COL_CQZ = ?";
+ $binds[]=$cqz;
 }
 if ($propagation != 'All') {
- $sql .= " and COL_PROP_MODE ='" . $propagation . "'";
+ $sql .= " and COL_PROP_MODE = ?";
+ $binds[]=$propagation;
 }
 // If date is set, we format the date and add it to the where-statement
 if ($fromdate != "") {
- $sql .= " and date(COL_TIME_ON) >='" . $fromdate . "'";
+ $sql .= " and date(COL_TIME_ON) >= ?";
+ $binds[]=$fromdate;
 }
 if ($todate != "") {
- $sql .= " and date(COL_TIME_ON) <='" . $todate . "'";
+ $sql .= " and date(COL_TIME_ON) <= ?";
+ $binds[]=$todate;
 }
- $sql .= ' and station_profile.user_id = ' . $this->session->userdata('user_id');
+ $sql .= ' and station_profile.user_id = ?';
+ $binds[]=$this->session->userdata('user_id');
 $sql .= ' ORDER BY `COL_TIME_ON` ASC';
- $query = $this->db->query($sql);
+ $query = $this->db->query($sql,$binds);
 return $query->result_array();
 }
From bfb4440fda1086644bdc0bf8ad632e611abb3250 Mon Sep 17 00:00:00 2001
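Review bot: The filter values now reach the driver as binds, but `$this->config->item('table_name')` is still spliced into `$sql` as an identifier in the `station_id` branch (and in the SELECT/JOIN above the hunk), which a `?` placeholder cannot cover; a one-line comment such as `// table name is a config-sourced identifier: not bindable with ?, must never be taken from request input` would keep the next reader from "fixing" it with another placeholder. The added lines are written as `$binds[]=$station_id;` and `query($sql,$binds)`; PSR-12 spacing (`$binds[] = $station_id;`, `query($sql, $binds)`) would match the surrounding assignments. `$fromdate` and `$todate` are bound verbatim with no format check, so a malformed value is no longer an injection risk but, depending on the server's SQL mode, may make `date(COL_TIME_ON) >= ?` error rather than match nothing — validating the date format at the controller boundary, if that is not already done, would give a clearer failure. The enclosing get_qsos starts before this hunk.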
From: int2001
Date: Tue, 21 Jan 2025 12:01:31 +0000
Subject: [PATCH 2/2] Check empty strings as well on NULL
---
 application/models/Csv_model.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/application/models/Csv_model.php b/application/models/Csv_model.php
index 2ff8905e6..cf5fec703 100644
--- a/application/models/Csv_model.php
+++ b/application/models/Csv_model.php
@@ -24,7 +24,7 @@ class Csv_model extends CI_Model
 $sql .= "SELECT station_callsign, COL_MY_SOTA_REF, COL_QSO_DATE, COL_TIME_ON, COL_BAND, COL_MODE, COL_CALL, COL_SOTA_REF, COL_COMMENT
 FROM ".$this->config->item('table_name').
 " JOIN station_profile on station_profile.station_id = ".$this->config->item('table_name').".station_id".
- " WHERE (COL_SOTA_REF <> '' OR COL_MY_SOTA_REF <> '')";
+ " WHERE (COALESCE(COL_SOTA_REF,NULL,'') != '' OR COALESCE(COL_MY_SOTA_REF,NULL,'') != '')";
 if ($station_id != "All") {
 $sql .= ' and ' . $this->config->item('table_name'). '.station_id = ?';