More security/sanitizing fixes
[busui.git] / stop.pdf.php
blob:a/stop.pdf.php -> blob:b/stop.pdf.php
--- a/stop.pdf.php
+++ b/stop.pdf.php
@@ -1,19 +1,20 @@
 <?php
 include('common.inc.php');
-$url = $APIurl."/json/stop?stop_id=".$_REQUEST['stopid'];
+$stopid = filter_var($_REQUEST['stopid'],FILTER_SANITIZE_NUMBER_INT);
+$url = $APIurl."/json/stop?stop_id=".$stopid;
 $stop = json_decode(getPage($url));
 
 $html .= '<div data-role="content" class="ui-content" role="main"><p>'.staticmap(Array(0 => Array($stop[2],$stop[3])), 0,"iconb", false).'</p>';
 $html .= '  <ul data-role="listview"  data-inset="true">';
-$url = $APIurl."/json/stoptrips?stop=".$_REQUEST['stopid']."&time=".midnight_seconds()."&service_period=".service_period();
+$url = $APIurl."/json/stoptrips?stop=".$stopid."&time=".midnight_seconds()."&service_period=".service_period();
 $trips = json_decode(getPage($url));
 debug(print_r($trips,true));
 foreach ($trips as $row)
 {
 $html .=  '<li>';
-$html .= '<h3><a href="trip.php?stopid='.$_REQUEST['stopid'].'&tripid='.$row[1][0].'">'.$row[1][1];
+$html .= '<h3><a href="trip.php?stopid='.$stopid.'&tripid='.$row[1][0].'">'.$row[1][1];
 if (isFastDevice()) {
-    $viaPoints = viaPointNames($row[1][0],$_REQUEST['stopid']);
+    $viaPoints = viaPointNames($row[1][0],$stopid);
     if ($viaPoints != "") $html .= '<br><small>Via: '.$viaPoints.'</small> </a></h3>';
 }
 $html .= '<p class="ui-li-aside"><strong>'.midnight_seconds_to_time($row[0]).'</strong></p>';