From 0d965abaff70192a42838bf3d5c8acf29a4403e0 Mon Sep 17 00:00:00 2001
From: Thomas David Baker
Date: Fri, 22 Nov 2024 08:44:42 -0800
Subject: [PATCH 1/3] Validate username before inserting
Various spammy signups are causing 500s which I don't want or need to investigate, just reject them at this point. Preventing all spammy or SQL injection attempt sign ups remains a todo.
---
 gatherling/Models/Player.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/gatherling/Models/Player.php b/gatherling/Models/Player.php
index 3b3c9f674..5b44d8b9d 100644
--- a/gatherling/Models/Player.php
+++ b/gatherling/Models/Player.php
@@ -230,6 +230,9 @@ public static function sanitizeUsername(string $playerName): string
 public static function createByName(string $playername): self
 {
+ if (strlen($playername) > 40) {
+ throw new ValidationException('Username too long (must be less than 40 characters)');
+ }
 $sql = 'INSERT INTO players (name) VALUES (:player_name)';
 $params = ['player_name' => $playername];
 db()->execute($sql, $params);
From 7a74b5749c7b4f7215828d38cd9a50d2fd240a9d Mon Sep 17 00:00:00 2001
From: Thomas David Baker
Date: Sat, 23 Nov 2024 08:02:01 -0800
Subject: [PATCH 2/3] Explicitly set CHARACTER SET and COLLATE everywhere
Without this a comparison with our non-temporary tables can fail due to different collation if the server default differs.
---
 gatherling/Data/sql/migrations/80.sql | 3 +++
 gatherling/Models/Format.php | 5 ++++-
 gatherling/Views/Components/FullMetagame.php | 20 ++++++++++----------
 3 files changed, 17 insertions(+), 11 deletions(-)
 create mode 100644 gatherling/Data/sql/migrations/80.sql
diff --git a/gatherling/Data/sql/migrations/80.sql b/gatherling/Data/sql/migrations/80.sql
new file mode 100644
index 000000000..12918d8eb
--- /dev/null
+++ b/gatherling/Data/sql/migrations/80.sql
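Review bot: The added guard and its message disagree: `strlen($playername) > 40` accepts a 40-byte name while the exception text says "must be less than 40 characters", and strlen counts bytes, so a multibyte name well under 40 characters can also be rejected. I would align the two as `if (mb_strlen($playername, 'UTF-8') > 40) {` with `throw new ValidationException('Username too long (must be at most 40 characters)');`, which matches how a utf8mb4 VARCHAR column measures length. Whether ValidationException is imported in Player.php is not visible in this hunk. The commit message says the goal is to stop spammy signups from producing 500s, yet the only check is length, so an empty or whitespace-only name still reaches the INSERT; presumably sanitizeUsername, defined just above, is expected to run first, but that ordering is worth confirming at the call sites. createByName's body continues outside the hunk.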
@@ -0,0 +1,3 @@
+-- We must explicitly set this (which we did not at creation time) because server default may differ.
+-- Our other tables have this explicitly set in schema.sql.
+ALTER TABLE sessions CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
diff --git a/gatherling/Models/Format.php b/gatherling/Models/Format.php
index 417bf7d9b..1c48942b8 100644
--- a/gatherling/Models/Format.php
+++ b/gatherling/Models/Format.php
@@ -1227,7 +1227,10 @@ public function updateLegalList(array $addCards, array $delCards): array
 */
 private function getCurrentLegalityOfCards(array $cards): array
 {
- $sql = "CREATE TEMPORARY TABLE input_cards (original_name VARCHAR(160))";
+ $sql = '
+ CREATE TEMPORARY TABLE input_cards (
+ original_name VARCHAR(160)
+ ) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci';
 db()->execute($sql);
 $placeholders = $params = [];
diff --git a/gatherling/Views/Components/FullMetagame.php b/gatherling/Views/Components/FullMetagame.php
index a32ea8c40..eb2ef8188 100644
--- a/gatherling/Views/Components/FullMetagame.php
+++ b/gatherling/Views/Components/FullMetagame.php
@@ -46,16 +46,16 @@ public function __construct(Event $event)
 $players[] = $info;
 }
 $sql = '
- CREATE TEMPORARY TABLE meta
- (
- player VARCHAR(40),
- deckname VARCHAR(120),
- archetype VARCHAR(20),
- colors VARCHAR(10),
- medal VARCHAR(10),
- id BIGINT UNSIGNED,
- srtordr TINYINT UNSIGNED DEFAULT 0
- )';
+ CREATE TEMPORARY TABLE meta (
+ player VARCHAR(40),
+ deckname VARCHAR(120),
+ archetype VARCHAR(20),
+ colors VARCHAR(10),
+ medal VARCHAR(10),
+ id BIGINT UNSIGNED,
+ srtordr TINYINT UNSIGNED DEFAULT 0
+ )
+ CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci';
 db()->execute($sql);
 $sql = '
 INSERT INTO meta
From e8b373f90804126cefc246b56f9acf5d61df4353 Mon Sep 17 00:00:00 2001
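Review bot: `ALTER TABLE sessions CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;` rewrites every row of sessions and, per MySQL's documented behaviour for CONVERT TO, may promote TEXT-family columns to a wider type so the same number of characters still fits after the bytes-per-character change. The table's current definition is not in the patch, so the effect on its columns and on any indexed string column's key length cannot be judged here; running the statement against a copy and comparing `SHOW CREATE TABLE sessions` before and after would make it reviewable. A one-line comment in the migration recording that check, e.g. `-- Verified on a copy: no column types changed by the conversion.`, would save the next reader the same question.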
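Review bot: The clause `CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci` is now written out as a literal in this Format.php hunk, again in FullMetagame.php's `CREATE TEMPORARY TABLE meta` hunk, and in 80.sql, so a future change to the project's collation would leave the temporary tables out of step with the persistent ones, which is precisely the comparison failure this commit fixes. A single shared constant next to the db() helper, e.g. `const TABLE_CHARSET = 'CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci';` (name constructed), interpolated into both CREATE TEMPORARY TABLE statements, would keep the two PHP sites in step, with a comment pointing at schema.sql as the source of truth. getCurrentLegalityOfCards continues outside the hunk, so whether input_cards is dropped afterwards or left to connection teardown is not visible here.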
From: Thomas David Baker
Date: Mon, 25 Nov 2024 11:07:33 -0800
Subject: [PATCH 3/3] Fix error in API when accessing details about a series with no season
---
 gatherling/Models/Series.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gatherling/Models/Series.php b/gatherling/Models/Series.php
index 9d3c95cd8..a1705a47e 100644
--- a/gatherling/Models/Series.php
+++ b/gatherling/Models/Series.php
@@ -24,7 +24,7 @@ class Series
 public array $bannedplayers;
 public ?string $mtgo_room;
- public ?string $this_season_format;
+ public ?string $this_season_format = null;
 public ?string $this_season_master_link = null;
 public int $this_season_season;
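Review bot: `public int $this_season_season;` two lines below the change still has no default, so a Series with no season that reads that property would hit the same "must not be accessed before initialization" Error this commit fixes for $this_season_format, assuming the API path in the subject also touches it. If a missing season is a legitimate state, the property needs to be nullable with a default, `public ?int $this_season_season = null;`, and each reader must handle null; if the constructor always assigns it, a comment saying so on the property would stop the next reader wondering. The Series class body continues on both sides of the hunk, so the constructor is not visible here.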