From b7c065dbdd90d84551b9a8aef95d310195767733 Mon Sep 17 00:00:00 2001
From: Peter Goodhall
Date: Tue, 9 Sep 2025 14:25:40 +0100
Subject: [PATCH] Add input validation for recent_qsos limit parameter

The recent_qsos API endpoint now validates and sanitizes the $limit parameter, enforcing a default of 10, a minimum of 1, and a maximum of 50. Additionally, get_last_qsos in Logbook_model ensures $num is always an integer to prevent SQL injection.
---
 application/controllers/Api.php | 14 +++++++++++++-
 application/models/Logbook_model.php | 3 +++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/application/controllers/Api.php b/application/controllers/Api.php
index 6d90f949..695ba185 100644
--- a/application/controllers/Api.php
+++ b/application/controllers/Api.php
@@ -848,9 +848,21 @@ class API extends CI_Controller {
 * "logbook_slug": "my-public-logbook"
 * }
 */
- function recent_qsos($public_slug = null, $limit) {
+ function recent_qsos($public_slug = null, $limit = 10) {
 header('Content-type: application/json');
 
+ // Validate and sanitize $limit
+ if (!is_numeric($limit)) {
+ $limit = 10; // Default to 10 if not numeric
+ } else {
+ $limit = intval($limit);
+ if ($limit < 1) {
+ $limit = 1; // Minimum limit of 1
+ } elseif ($limit > 50) {
+ $limit = 50; // Maximum limit of 50
+ }
+ }
+
 if($public_slug == null) {
 http_response_code(400);
 echo json_encode(['status' => 'failed', 'reason' => 'missing public_slug parameter']);
diff --git a/application/models/Logbook_model.php b/application/models/Logbook_model.php
index f66dff65..f133c698 100755
--- a/application/models/Logbook_model.php
+++ b/application/models/Logbook_model.php
@@ -1932,6 +1932,9 @@ class Logbook_model extends CI_Model
 function get_last_qsos($num, $StationLocationsArray = null) {
+ // Ensure $num is always an integer to prevent SQL injection
+ $num = intval($num);
+
 if ($StationLocationsArray == null) {
 $CI = &get_instance();
 $CI->load->model('logbooks_model');
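Review bot: The clamp added after the `header()` call in recent_qsos repeats the default value from the signature and can be a single expression: `$limit = is_numeric($limit) ? max(1, min(50, (int) $limit)) : 10;`, with `10` and `50` lifted to named class constants so the signature default and the fallback cannot drift apart. This controller is now the only place that enforces the 1–50 range — the `intval()` added to get_last_qsos in Logbook_model.php accepts any integer, negative ones included — so if other callers reach the model directly (not visible here), the range check belongs there as well. Note also that `is_numeric()` accepts float and exponent strings, which `(int)` then truncates; that is harmless under the clamp but worth a one-line comment. recent_qsos continues past the end of the hunk, so where `$limit` is finally consumed is not visible in this diff.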