From f8146133b590e327f0229c14be895693ae49d5dc Mon Sep 17 00:00:00 2001 From: int2001 Date: Mon, 12 Aug 2024 12:02:16 +0000 Subject: [PATCH] Bindings and xss for Accumulated-Model --- application/controllers/Accumulated.php | 8 +- application/models/Accumulate_model.php | 346 +++++++++++++----------- 2 files changed, 189 insertions(+), 165 deletions(-) diff --git a/application/controllers/Accumulated.php b/application/controllers/Accumulated.php index 3f024d14b..183329f73 100644 --- a/application/controllers/Accumulated.php +++ b/application/controllers/Accumulated.php @@ -40,10 +40,10 @@ class Accumulated extends CI_Controller { //load model $this->load->model('accumulate_model'); - $band = $this->input->post('Band'); - $award = $this->input->post('Award'); - $mode = $this->input->post('Mode'); - $period = $this->input->post('Period'); + $band = xss_clean($this->input->post('Band')); + $award = xss_clean($this->input->post('Award')); + $mode = xss_clean($this->input->post('Mode')); + $period = xss_clean($this->input->post('Period')); // get data $data = $this->accumulate_model->get_accumulated_data($band, $award, $mode, $period); diff --git a/application/models/Accumulate_model.php b/application/models/Accumulate_model.php index 46a3102dd..13d61e627 100644 --- a/application/models/Accumulate_model.php +++ b/application/models/Accumulate_model.php 
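Review bot: Wrapping the four POST values in xss_clean() does not validate them, and the model hunk below still only compares `$period` against 'year' and 'month' — any other value leaves `$sql` unassigned before the first `.=` and yields a broken query, while `$band` and `$mode` are forwarded as free-form strings even though the UI offers a fixed set of selectors. Since each of these is an enumerated choice, whitelist here and fall back or reject, e.g. `$period = in_array($this->input->post('Period'), ['year', 'month'], true) ? $this->input->post('Period') : 'year';` and the same shape for `$band` and `$mode` against the configured band/mode lists. xss_clean() is an output-context filter; the SQL-side protection comes from the `?` bindings added in the model, not from this call, so the comment on these lines should not suggest otherwise. What `$award` is used for is not visible in this diff, and the enclosing method starts before and continues after the hunk.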
@@ -38,106 +38,118 @@ class Accumulate_model extends CI_Model return $result; } - function get_accumulated_dxcc($band, $mode, $period, $location_list) - { - if ($period == "year") { - $sql = "select year(thcv.col_time_on) year"; - } else if ($period == "month") { - $sql = "select date_format(col_time_on, '%Y-%m') year"; - } + function get_accumulated_dxcc($band, $mode, $period, $location_list) { + $binding=[]; + if ($period == "year") { + $sql = "select year(thcv.col_time_on) year"; + } else if ($period == "month") { + $sql = "select date_format(col_time_on, '%Y-%m') year"; + } - $sql .= ", coalesce(y.tot, 0) tot - from " . $this->config->item('table_name') . " thcv - left outer join ( - select count(col_dxcc) as tot, year - from (select distinct "; + $sql .= ", coalesce(y.tot, 0) tot + from " . $this->config->item('table_name') . " thcv + left outer join ( + select count(col_dxcc) as tot, year + from (select distinct "; - if ($period == "year") { - $sql .= "year(col_time_on)"; - } else if ($period == "month") { - $sql .= "date_format(col_time_on, '%Y-%m')"; - } + if ($period == "year") { + $sql .= "year(col_time_on)"; + } else if ($period == "month") { + $sql .= "date_format(col_time_on, '%Y-%m')"; + } - $sql .= " year, col_dxcc - from " . $this->config->item('table_name') . - " where col_dxcc > 0 and station_id in (" . $location_list . ")"; + $sql .= " year, col_dxcc + from " . $this->config->item('table_name') . + " where col_dxcc > 0 and station_id in (" . $location_list . ")"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } + if ($band != 'All') { + if ($band == 'SAT') { + $sql .= " and col_prop_mode = ?"; + $binding[] = $band; + } else { + $sql .= " and col_prop_mode !='SAT'"; + $sql .= " and col_band = ?"; + $binding[] = $band; + } + } - if ($mode != 'All') { - $sql .= " and (col_mode ='" . $mode . 
"' or col_submode ='" . $mode . "')"; - } + if ($mode != 'All') { + $sql .= " and (col_mode = ? or col_submode = ?)"; + $binding[] = $mode; + $binding[] = $mode; + } - $sql .= " order by year - ) x - where not exists (select 1 from " . $this->config->item('table_name') . " where"; + $sql .= " order by year + ) x + where not exists (select 1 from " . $this->config->item('table_name') . " where"; - if ($period == "year") { - $sql .= " year(col_time_on) < year";; - } else if ($period == "month") { - $sql .= " date_format(col_time_on, '%Y-%m') < year";; - } + if ($period == "year") { + $sql .= " year(col_time_on) < year";; + } else if ($period == "month") { + $sql .= " date_format(col_time_on, '%Y-%m') < year";; + } - $sql .= " and col_dxcc = x.col_dxcc"; + $sql .= " and col_dxcc = x.col_dxcc"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } + if ($band != 'All') { + if ($band == 'SAT') { + $sql .= " and col_prop_mode = ?"; + $binding[] = $band; + } else { + $sql .= " and col_prop_mode !='SAT'"; + $sql .= " and col_band = ?"; + $binding[] = $band; + } + } - if ($mode != 'All') { - $sql .= " and (col_mode ='" . $mode . "' or col_submode ='" . $mode . "')"; - } + if ($mode != 'All') { + $sql .= " and (col_mode = ? or col_submode = ?)"; + $binding[] = $mode; + $binding[] = $mode; + } - $sql .= " and station_id in (" . $location_list . ")) - group by year - order by year"; + $sql .= " and station_id in (" . $location_list . 
")) + group by year + order by year"; - if ($period == "year") { - $sql .= " ) y on year(thcv.col_time_on) = y.year"; - } else if ($period == "month") { - $sql .= " ) y on date_format(col_time_on, '%Y-%m') = y.year"; - } + if ($period == "year") { + $sql .= " ) y on year(thcv.col_time_on) = y.year"; + } else if ($period == "month") { + $sql .= " ) y on date_format(col_time_on, '%Y-%m') = y.year"; + } - $sql .= " where thcv.col_dxcc > 0"; + $sql .= " where thcv.col_dxcc > 0"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } + if ($band != 'All') { + if ($band == 'SAT') { + $sql .= " and col_prop_mode = ?"; + $binding[] = $band; + } else { + $sql .= " and col_prop_mode !='SAT'"; + $sql .= " and col_band = ?"; + $binding[] = $band; + } + } - if ($mode != 'All') { - $sql .= " and (col_mode ='" . $mode . "' or col_submode ='" . $mode . "')"; - } + if ($mode != 'All') { + $sql .= " and (col_mode = ? or col_submode = ?)"; + $binding[] = $mode; + $binding[] = $mode; + } - $sql .= " and station_id in (" . $location_list . ")"; + $sql .= " and station_id in (" . $location_list . 
")"; - if ($period == "year") { - $sql .= " group by year(thcv.col_time_on), y.tot - order by year(thcv.col_time_on)"; - } else if ($period == "month") { - $sql .= " group by date_format(col_time_on, '%Y-%m'), y.tot - order by date_format(col_time_on, '%Y-%m')"; - } + if ($period == "year") { + $sql .= " group by year(thcv.col_time_on), y.tot + order by year(thcv.col_time_on)"; + } else if ($period == "month") { + $sql .= " group by date_format(col_time_on, '%Y-%m'), y.tot + order by date_format(col_time_on, '%Y-%m')"; + } - $query = $this->db->query($sql); + $query = $this->db->query($sql,$binding); - return $this->count_and_add_accumulated_total($query->result()); + return $this->count_and_add_accumulated_total($query->result()); } function count_and_add_accumulated_total($array) 
@@ -651,102 +663,114 @@ class Accumulate_model extends CI_Model return $sql; } - function slowquery($band, $mode, $period, $location_list) { - $sql = ""; - if ($period == "year") { - $sql = "select year(thcv.col_time_on) year"; - } else if ($period == "month") { - $sql = "select date_format(col_time_on, '%Y-%m') year"; - } + function slowquery($band, $mode, $period, $location_list) { + $sql = ""; + if ($period == "year") { + $sql = "select year(thcv.col_time_on) year"; + } else if ($period == "month") { + $sql = "select date_format(col_time_on, '%Y-%m') year"; + } - $sql .= ", coalesce(y.tot, 0) tot - from " . $this->config->item('table_name') . " thcv - left outer join ( - select count(substr(col_gridsquare,1,4)) as tot, year - from (select distinct "; + $sql .= ", coalesce(y.tot, 0) tot + from " . $this->config->item('table_name') . " thcv + left outer join ( + select count(substr(col_gridsquare,1,4)) as tot, year + from (select distinct "; - if ($period == "year") { - $sql .= "year(col_time_on)"; - } else if ($period == "month") { - $sql .= "date_format(col_time_on, '%Y-%m')"; - } + if ($period == "year") { + $sql .= "year(col_time_on)"; + } else if ($period == "month") { + $sql .= "date_format(col_time_on, '%Y-%m')"; + } - $sql .= " year, substr(col_gridsquare,1,4) as col_gridsquare - from " . $this->config->item('table_name') . - " where station_id in (" . $location_list . ")"; + $sql .= " year, substr(col_gridsquare,1,4) as col_gridsquare + from " . $this->config->item('table_name') . + " where station_id in (" . $location_list . ")"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . 
"'"; - } - } + if ($band != 'All') { + if ($band == 'SAT') { + $sql .= " and col_prop_mode = ?"; + $binding[]=$band; + } else { + $sql .= " and col_prop_mode !='SAT'"; + $sql .= " and col_band = ?"; + $binding[]=$band; + } + } - if ($mode != 'All') { - $sql .= " and (col_mode ='" . $mode . "' or col_submode ='" . $mode . "')"; - } + if ($mode != 'All') { + $sql .= " and (col_mode = ? or col_submode = ?)"; + $binding[]=$mode; + $binding[]=$mode; + } - $sql .= " order by year - ) x - where not exists (select 1 from " . $this->config->item('table_name') . " where"; + $sql .= " order by year + ) x + where not exists (select 1 from " . $this->config->item('table_name') . " where"; - if ($period == "year") { - $sql .= " year(col_time_on) < year";; - } else if ($period == "month") { - $sql .= " date_format(col_time_on, '%Y-%m') < year";; - } + if ($period == "year") { + $sql .= " year(col_time_on) < year";; + } else if ($period == "month") { + $sql .= " date_format(col_time_on, '%Y-%m') < year";; + } - $sql .= " and substr(col_gridsquare,1,4) = substr(x.col_gridsquare,1,4)"; + $sql .= " and substr(col_gridsquare,1,4) = substr(x.col_gridsquare,1,4)"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } + if ($band != 'All') { + if ($band == 'SAT') { + $sql .= " and col_prop_mode = ?"; + $binding[]=$band; + } else { + $sql .= " and col_prop_mode !='SAT'"; + $sql .= " and col_band = ?"; + $binding[]=$band; + } + } - if ($mode != 'All') { - $sql .= " and (col_mode ='" . $mode . "' or col_submode ='" . $mode . "')"; - } + if ($mode != 'All') { + $sql .= " and (col_mode = ? or col_submode = ?)"; + $binding[]=$mode; + $binding[]=$mode; + } - $sql .= " and station_id in (" . $location_list . ")) - group by year - order by year"; + $sql .= " and station_id in (" . $location_list . 
")) + group by year + order by year"; - if ($period == "year") { - $sql .= " ) y on year(thcv.col_time_on) = y.year"; - } else if ($period == "month") { - $sql .= " ) y on date_format(col_time_on, '%Y-%m') = y.year"; - } + if ($period == "year") { + $sql .= " ) y on year(thcv.col_time_on) = y.year"; + } else if ($period == "month") { + $sql .= " ) y on date_format(col_time_on, '%Y-%m') = y.year"; + } - $sql .= " where station_id in (" . $location_list . ")"; + $sql .= " where station_id in (" . $location_list . ")"; - if ($band != 'All') { - if ($band == 'SAT') { - $sql .= " and col_prop_mode ='" . $band . "'"; - } else { - $sql .= " and col_prop_mode !='SAT'"; - $sql .= " and col_band ='" . $band . "'"; - } - } + if ($band != 'All') { + if ($band == 'SAT') { + $sql .= " and col_prop_mode = ?"; + $binding[]=$band; + } else { + $sql .= " and col_prop_mode !='SAT'"; + $sql .= " and col_band = ?"; + $binding[]=$band; + } + } - if ($mode != 'All') { - $sql .= " and (col_mode ='" . $mode . "' or col_submode ='" . $mode . "')"; - } + if ($mode != 'All') { + $sql .= " and (col_mode = ? or col_submode = ?)"; + $binding[]=$mode; + $binding[]=$mode; + } - if ($period == "year") { - $sql .= " group by year(thcv.col_time_on), y.tot - order by year(thcv.col_time_on)"; - } else if ($period == "month") { - $sql .= " group by date_format(col_time_on, '%Y-%m'), y.tot - order by date_format(col_time_on, '%Y-%m')"; - } + if ($period == "year") { + $sql .= " group by year(thcv.col_time_on), y.tot + order by year(thcv.col_time_on)"; + } else if ($period == "month") { + $sql .= " group by date_format(col_time_on, '%Y-%m'), y.tot + order by date_format(col_time_on, '%Y-%m')"; + } - return $sql; - } + return $sql; + } }