monthly hours Time Total corrupted

[AndrewP]

I've been using an old version of Timetrex on a linux box here for many years and it's been working well for keeping track of in and out punches for our small group month after month.
We use the normal in and out punches, and sometimes the admin adds missed punches manually, and sometime adds many using the old Mass Punch feature.

At the bottom of the My Hours Log screen (accessible from MyTimeSheet) it shows the Total Time worked for the current month.

Everything was going fine until this week. After 2 months of punches being added as a Mass Punch for one worker, things became screwed up so that for all workers, the Total Time hours from Aug, Sep, and Oct are added together instead of being separated correctly to show only the Total Time of the current month.

I waited a few days to see if this would somehow self-correct and it hasn't. Can someone suggest something to try that will fix the month boundaries back to normal so that it shows the Total Time from the current month and not the sum of the current month and the previous two months? Is there a recovery utility or maintenance script that might fix this?

Here is a link to a screenshot showing the problem:

https://drive.google.com/file/d/1jJ2otB ... drive_link

Yes, it's embarrassingly old, but it's a tribute to the software that it has worked well for all these years and nothing has changed. I'm guessing the database structure is similar for many other versions, so any tips to address this for any version will give me a place to start.
Product Edition: Standard
Version: 3.0.4

In case it's useful: Verifying some unverified past months and Approving the verification from the admin account didn't fix the problem.

Thanks!

[AndrewP]

Since no human helped me, fortunately Grok AI did.
Somehow new pay periods did not get created during my mass punch, although this hadn't happened before. So, I had to create the September and October pay periods manually after logging into the timetrex database using psql:
su
cd /home/myname/Timetrex/postgresql/bin/
./psql timetrex
INSERT INTO pay_period (company_id, pay_period_schedule_id, is_primary, deleted, tainted, start_date, end_date, status_id) VALUES(1,1,1,0,0,'2025-09-01'::timestamp,'2025-09-30'::timestamp, 10);
INSERT INTO pay_period (company_id, pay_period_schedule_id, is_primary, deleted, tainted, start_date, end_date, status_id) VALUES(1,1,1,0,0,'2025-10-01'::timestamp,'2025-10-31'::timestamp, 10);

This created pay period with id of 211 and 212:
timetrex=# SELECT id, start_date, end_date, status_id FROM pay_period WHERE end_date >= '2025-08-01'::timestamp;
id | start_date | end_date | status_id
-----+---------------------+---------------------+-----------
208 | 2025-08-01 00:00:00 | 2025-08-31 23:59:59 | 10
211 | 2025-09-01 00:00:00 | 2025-09-30 00:00:00 | 10
212 | 2025-10-01 00:00:00 | 2025-10-31 00:00:00 | 10

Then I had to manually UPDATE the user_date info to fall into the correct new pay period:
timetrex=# UPDATE user_date SET pay_period_id = 211 WHERE date_stamp >= '2025-09-01'::date AND date_stamp < '2025-10-01'::date;
timetrex=# UPDATE user_date SET pay_period_id = 212 WHERE date_stamp >= '2025-10-01'::date AND date_stamp < '2025-11-01'::date;

Finally, this optional command was recommended to clean things up:
timetrex=# VACUUM ANALYZE user_date; VACUUM ANALYZE punch_control;

Grok was very helpful, but made lots of mistakes, so the above took about 5 hours of real-time. It didn't help that I had no prior experience with sql or postgressql, or that grok had to really dig for information about TimeTrex 3.0.4 I hope this post helps someone else. It's disappointing that TimeTrex has moved to cloud-only and doesn't want to support their original very useful product. We specifically want the program on our local network only so that people can't punch in or out unless they are on site.

[mikeb]

It looks like you’re running an extremely old version of TimeTrex, and the issue you’re seeing was fixed more than a decade ago. Upgrading to a current version should prevent this from happening again. The workaround you’ve applied will likely break several other things and require ongoing manual corrections, if they can be reasonably fixed at all now.

I also want to flag an important security concern: the extremely old TimeTrex version in use, the third-party libraries it depends on, and the versions of underlying stack components such as PHP all contain known security vulnerabilities. Keeping the system on a local network does not eliminate those risks. It is trivial for an attacker to exploit these flaws simply because one of your employees visits a malicious website on the public internet, so patching and updating are critical.

Running software with known vulnerabilities can also be viewed as negligent in the eyes of a court if a breach occurs, putting your organization at substantial legal and financial risk for failing to take reasonable preventive measures. Considering the relatively small effort and cost involved in performing regular updates, it’s simply not worth risking the security and stability of your entire organization. This is especially true in states like California, where privacy and data security laws impose stricter obligations and can expose businesses to significant statutory damages for preventable breaches, particularly when employee data is involved.

Finally, for what it’s worth, our cloud-hosted editions all include a range of built-in controls to restrict where employees can punch in or out from, so running the system on-site is not required to achieve that whatsoever.

[AndrewP]

Hi Mike,
Thanks for your info. Followup questions:
1) Which local version options do you recommend for upgrading and where can I download them? Of these, which can use or import the employee and punch data from 3.0.4 and how would that be accomplished? Links to this info would be awesome! Also, I'd like to migrate from the old linux box to a new raspberry Pi, so and installer that can build what's needed for ARM on a debian offshoot would be most useful.

2) I guess I'll see what happens next week. I'll see if it can automatically add the November pay period and leave the October pay period hours as there own total. Whatever the bug is, it sure is sporadic.... we've been using this installation and the mass punch feature for over 20 years and this is the first time that things got messed up. I like the mass punch feature and once tried to download and install a newer version of TimeTrex, but this feature was missing and I couldn't figure out where in the code to add back a date range along with days of the week selection to the single punch it has available. We want to sometimes mass punch a whole month, but only weekdays. 3.0.4 allows this

3)Regarding the security issues, let me know what you think based on this: TimeTrex is running on an old linux box behind our router firewall and it is the only thing running on there and no one browses the internet from that computer. I think the only possible outgoing connections from that computer is that it may ping your server because if I go the About page it shows this year under the copyright notice. I can't remember if it checks a timeserver to sync its clock... I think even that is disabled. Also, only TimeTrex uses the php and prostgres sql that were co-installed. Anything else would use the system php.

[mikeb]

My apologies, I should have clarified that upgrading to a newer version years ago would have resolved this issue. Unfortunately, there is no supported upgrade path from a version as old as the one you’re running. TimeTrex has only ever officially supported upgrades from versions released within roughly the past year.

Regarding security, even if your TimeTrex server has no web browser installed and isn’t running any other services, it can still be exposed to significant risks. Any employee on your network using their own computer could visit a malicious website that attempts to exploit known vulnerabilities on your server simply because the TimeTrex application is active and accepting connections. In other words, just as your employees access TimeTrex through their web browsers, a malicious website can do the same, using the employee’s browser as the intermediary, without any user action or awareness.

It’s also a common misconception that having a firewall keeps systems secure because they are not directly accessible from the public internet. In reality, a firewall offers limited protection when a single employee visiting a compromised website for even a moment can allow malicious code to run inside their browser, which is behind the firewall. JavaScript, executed in the web browser is enough to deliver attack payloads to any internal system the employee’s browser can reach, including your TimeTrex server. This can definitely lead to arbitrary code execution or compromise of internal resources, even without the employee realizing anything happened. This is not unique to TimeTrex of course, its the same with any service accessible over a network, local or wide area.

[AndrewP]

Thanks, that's great information about security.

Regarding upgrading, which local version options do you recommend for upgrading and where can I download them?
Links to this info would be awesome!
Also, I'd like to migrate from the old linux box to a new raspberry Pi, so a link to a package / installer that can build what's needed for ARM on a debian offshoot would be most useful. Is there a an apt-get that will install some versions?