Add input validation for recent_qsos limit parameter

The recent_qsos API endpoint now validates and sanitizes the $limit parameter, enforcing a default of 10, a minimum of 1, and a maximum of 50. Additionally, get_last_qsos in Logbook_model ensures $num is always an integer to prevent SQL injection.

application/controllers/Api.php

@@ -848,9 +848,21 @@ class API extends CI_Controller {
 	 *   "logbook_slug": "my-public-logbook"
 	 * }
 	 */
-	function recent_qsos($public_slug = null, $limit) {
+	function recent_qsos($public_slug = null, $limit = 10) {
 		header('Content-type: application/json');
 
+		// Validate and sanitize $limit
+		if (!is_numeric($limit)) {
+			$limit = 10; // Default to 10 if not numeric
+		} else {
+			$limit = intval($limit);
+			if ($limit < 1) {
+				$limit = 1; // Minimum limit of 1
+			} elseif ($limit > 50) {
+				$limit = 50; // Maximum limit of 50
+			}
+		}
+
 		if($public_slug == null) {
 			http_response_code(400);
 			echo json_encode(['status' => 'failed', 'reason' => 'missing public_slug parameter']);

application/models/Logbook_model.php

@@ -1932,6 +1932,9 @@ class Logbook_model extends CI_Model
 
   function get_last_qsos($num, $StationLocationsArray = null)
   {
+    // Ensure $num is always an integer to prevent SQL injection
+    $num = intval($num);
+    
     if ($StationLocationsArray == null) {
       $CI = &get_instance();
       $CI->load->model('logbooks_model');