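$errors = array();
$formVars = array();

// Copy the request variables into '$formVars', stripping leading/trailing whitespace.
// Only scalar values are trimmed: 'trim()' on an array-valued parameter (e.g. 'marked[]')
// is a TypeError under PHP 8 (a warning plus null under PHP 7), so arrays are copied through
// untouched instead of being silently lost.
foreach ($_REQUEST as $varname => $value) {
    if (is_array($value)) {
        $formVars[$varname] = $value;
    } else {
        $formVars[$varname] = trim($value);
    }
}
// NOTE(review): the upstream code mentions a 'clean($value, 50)' helper as the more secure
// alternative to a bare 'trim()'; that function is not visible from here, so it is not used.

// --------------------------------------------------------------------

// Extract form variables:
// Note: Although we could use the '$formVars' array directly below (e.g. '$formVars['origRecord']'
// etc., like in 'user_validation.php'), we read out all variables individually again for
// readability. ('extract()' would be shorter, but would let any request parameter overwrite
// any local variable, which is a security hole in its own right.)

// First of all, check if this script was called by something else than 'duplicate_manager.php':
// NOTE(review): '$referer' is defined elsewhere (per 'include.inc.php', in 'start_session()');
// how it is derived is not visible here. If it is based on the client-supplied HTTP Referer
// header, this check is only a convenience guard (not a CSRF defence) and the redirect below
// would follow a client-controlled URL (open redirect) — confirm before relying on either.
if (!preg_match("#/duplicate_manager\\.php#i", $referer)) {
    // return an appropriate error message:
    $HeaderString = returnMsg($loc["Warning_InvalidCallToScript"] . " '" . scriptURL() . "'!", "warning", "strong", "HeaderString"); // functions 'returnMsg()' and 'scriptURL()' are defined in 'include.inc.php'

    header("Location: " . $referer); // redirect to calling page
    exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
}

// Extract the form used by the user ("" when the parameter is missing, instead of an
// undefined-index notice and a null value):
$formType = isset($formVars['formType']) ? $formVars['formType'] : "";

// Extract the view type requested by the user (either 'Mobile', 'Print', 'Web' or ''):
// ('' will produce the default 'Web' output style)
if (isset($formVars['viewType'])) {
    $viewType = $formVars['viewType'];
} else {
    $viewType = "";
}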
$rowOffset = $_REQUEST['startRecord'] - 1; } else { $rowOffset = ""; } // if no value to the 'startRecord' parameter is given, we'll output records starting with the first record in the result set if (isset($_REQUEST['recordSchema'])) { // contains the desired response format; currently, 'rss.php' will only recognize 'rss' (outputs RSS 2.0), future versions may also allow for 'atom' $recordSchema = $_REQUEST['recordSchema']; } else { $recordSchema = "rss"; } // if no particular response format was requested we'll output found results as RSS 2.0 // Check the correct parameters have been passed: if (empty($queryWhereClause)) { // return an appropriate error message: $HeaderString = returnMsg($loc["Warning_IncorrectOrMissingParams"] . " '" . scriptURL() . "'!", "warning", "strong", "HeaderString"); // functions 'returnMsg()' and 'scriptURL()' are defined in 'include.inc.php' // Redirect the browser back to the calling page: header("Location: " . $referer); // variable '$referer' is globally defined in function 'start_session()' in 'include.inc.php' exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< } else { $sanitizedWhereClause = extractWHEREclause(" WHERE " . $queryWhereClause); // attempt to sanitize custom WHERE clause from SQL injection attacks (function 'extractWHEREclause()' is defined in 'include.inc.php') } // -------------------------------------------------------------------- // If we made it here, then the script was called with all required parameters (which, currently, is just the 'where' parameter :) // CONSTRUCT SQL QUERY: // Note: the 'verifySQLQuery()' function that gets called below will add the user specific fields to the 'SELECT' clause and the // 'LEFT JOIN...' part to the 'FROM' clause of the SQL query if a user is logged in. It will also add 'orig_record', 'serial', 'file', 'url', 'doi', 'isbn' & 'type' columns
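/**
 * Emit an indentation spacer for nested output: the indent icon ('ICON_INDENT' inside
 * 'SCRIPT_DIR'), stretched to '$depth' times its natural width.
 *
 * @param int|float $depth Nesting depth; nothing is emitted when it is not greater than zero.
 *
 * Relies on the constants 'SCRIPT_DIR' and 'ICON_INDENT' and on 'scriptURL()', all defined elsewhere.
 */
function indentTag($depth)
{
    if ($depth <= 0) {
        return;
    }

    // The icon's dimensions are read from disk; 'getimagesize()' returns false when the file
    // is missing or unreadable (the '@' keeps that from emitting a warning into the HTML).
    // Looked up once per request, since the icon does not change between calls.
    static $iconSize = null;
    if ($iconSize === null) {
        $iconSize = @getimagesize(SCRIPT_DIR . ICON_INDENT);
    }

    // Only emit width/height when the size is actually known. The original code indexed the
    // false return value and emitted 'width="0" height=""' in that case.
    $dimensions = "";
    if (is_array($iconSize)) {
        $dimensions = " width=\"" . ($iconSize[0] * $depth) . "\" height=\"" . $iconSize[1] . "\"";
    }

    // Decorative image: an empty 'alt' keeps screen readers from announcing it.
    echo "<img src=\"" . scriptURL(ICON_INDENT) . "\"" . $dimensions . " alt=\"\">";
}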
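/**
 * Populate the global login-box variables ('$loginStatus', '$loginWelcomeMsg' and
 * '$loginLinks') for the page header, and record the URL that the login/logout scripts
 * should return the user to (both as the 'referer' GET parameter of those links and as
 * the 'referer' session variable).
 *
 * The return URL is rebuilt from the current script's request parameters rather than taken
 * from 'REQUEST_URI', so that it also works for POST requests. Every request-derived value
 * placed into that URL is URL-encoded here; the only exception is '$queryURL', which by its
 * name is assumed to be URL-encoded already by the caller — TODO confirm.
 *
 * Reads: $_REQUEST['marked'], $_SESSION['loginEmail'], $_SESSION['user_permissions'] and the
 * globals declared below. Writes: $loginStatus, $loginWelcomeMsg, $loginLinks and the
 * 'referer' session variable (via 'saveSessionVariable()').
 *
 * Helpers 'scriptURL()', 'encodeHTML()', 'addAccessKey()' and 'saveSessionVariable()' are
 * defined elsewhere ('include.inc.php').
 */
function showLogin()
{
    global $loginEmail;
    global $loginWelcomeMsg;
    global $loginFirstName;
    global $loginLastName;
    global $loginUserID;
    global $loginStatus;
    global $loginLinks;
    global $adminLoginEmail; // ('$adminLoginEmail' is specified in 'ini.inc.php')
    global $loc; // '$loc' is made globally available in 'core.php'

    // Request parameters carried over into the return URL. 'REQUEST_URI' only reflects GET
    // requests, so the query string is rebuilt from these globals instead:
    global $displayType;
    global $queryURL;
    global $showQuery;
    global $showLinks;
    global $showRows;
    global $rowOffset;
    global $citeStyle;
    global $citeOrder;
    global $orderBy;
    global $recordAction;
    global $serialNo;
    global $headerMsg;
    global $errorNo;
    global $errorMsg;

    // Path of the currently executing script, relative to the document root:
    $scriptURL = scriptURL();

    // Record serials of the checkboxes the user ticked ('marked[]'). The parameter is
    // untrusted: it must be an array of scalars, and every element is URL-encoded before
    // it goes back into a query string. (The original concatenated the raw values, which
    // produced a malformed URL for non-numeric input and crashed on a non-array 'marked'.)
    $recordSerialsArray = array();
    if (isset($_REQUEST['marked']) && is_array($_REQUEST['marked'])) {
        $recordSerialsArray = array_filter($_REQUEST['marked'], 'is_scalar');
    }
    // Every serial is prefixed with "&marked[]="; the prefix is emitted even when no
    // checkbox was ticked, which matches the original output.
    $recordSerialsString = "&marked[]=" . implode("&marked[]=", array_map('showLoginEncodeParam', $recordSerialsArray));

    // Build the return URL from the parameters relevant to the referring script:
    if (preg_match("#/(index|install|update|simple_search|advanced_search|sql_search|library_search|duplicate_manager|duplicate_search|opensearch|query_history|extract|users|user_details|user_receipt)\\.php#i", $scriptURL)) {
        $referer = $scriptURL;
    } elseif (preg_match("#/user_options\\.php#i", $scriptURL)) {
        $referer = $scriptURL . "?" . "userID=" . showLoginEncodeParam($loginUserID);
    } elseif (preg_match("#/(record|receipt)\\.php#i", $scriptURL)) {
        $referer = $scriptURL . "?" . "recordAction=" . showLoginEncodeParam($recordAction)
                 . "&serialNo=" . showLoginEncodeParam($serialNo)
                 . "&headerMsg=" . showLoginEncodeParam($headerMsg);
    } elseif (preg_match("#/error\\.php#i", $scriptURL)) {
        $referer = $scriptURL . "?" . "errorNo=" . showLoginEncodeParam($errorNo)
                 . "&errorMsg=" . showLoginEncodeParam($errorMsg)
                 . "&headerMsg=" . showLoginEncodeParam($headerMsg);
    } else {
        // '$queryURL' is passed through unencoded: by its name it already holds the
        // URL-encoded SQL query, and encoding it again would double-encode it — TODO confirm
        // against the callers that set it.
        $referer = $scriptURL . "?" . "formType=" . "sqlSearch"
                 . "&submit=" . showLoginEncodeParam($displayType)
                 . "&headerMsg=" . showLoginEncodeParam($headerMsg)
                 . "&sqlQuery=" . $queryURL
                 . "&showQuery=" . showLoginEncodeParam($showQuery)
                 . "&showLinks=" . showLoginEncodeParam($showLinks)
                 . "&showRows=" . showLoginEncodeParam($showRows)
                 . "&rowOffset=" . showLoginEncodeParam($rowOffset)
                 . $recordSerialsString
                 . "&citeStyle=" . showLoginEncodeParam($citeStyle)
                 . "&citeOrder=" . showLoginEncodeParam($citeOrder)
                 . "&orderBy=" . showLoginEncodeParam($orderBy);
    }

    // Is the user logged in?
    if (isset($_SESSION['loginEmail'])) {
        // Strict comparison: the admin check must not succeed on type-juggled "equal" values
        // (e.g. an empty login email against an unset '$adminLoginEmail').
        $isAdmin = ($loginEmail === $adminLoginEmail);

        $loginStatus = $loc["Welcome"];
        $loginWelcomeMsg = "<em>" . encodeHTML($loginFirstName) . " " . encodeHTML($loginLastName) . "</em>!";
        if ($isAdmin) {
            $loginStatus .= " <span class=\"warning\">" . $loc["Admin"] . "</span>";
        }

        $loginLinks = "";
        if ($isAdmin) {
            $loginLinks .= "<a href=\"user_details.php\" title=\"add a user to the database\">Add User</a> | ";
            $loginLinks .= "<a href=\"users.php\" title=\"manage user data\">Manage Users</a> | ";
        } else {
            $loginLinks .= "<a href=\"search.php?formType=myRefsSearch&showQuery=0&showLinks=1&myRefsRadio=1\"" . addAccessKey("attribute", "my_refs") . " title=\"" . $loc["LinkTitle_MyRefs"] . addAccessKey("title", "my_refs") . "\">" . $loc["MyRefs"] . "</a> | ";
            // The 'Options' link is only offered if the session's permission list grants 'allow_modify_options':
            if (isset($_SESSION['user_permissions']) && preg_match("/allow_modify_options/", $_SESSION['user_permissions'])) {
                $loginLinks .= "<a href=\"user_receipt.php?userID=" . showLoginEncodeParam($loginUserID) . "\"" . addAccessKey("attribute", "my_opt") . " title=\"" . $loc["LinkTitle_Options"] . addAccessKey("title", "my_opt") . "\">" . $loc["Options"] . "</a> | ";
            }
        }
        $loginLinks .= "<a href=\"user_logout.php?referer=" . rawurlencode($referer) . "\"" . addAccessKey("attribute", "login") . " title=\"" . $loc["LinkTitle_Logout"] . addAccessKey("title", "login") . "\">" . $loc["Logout"] . "</a>";
    } else {
        // Not logged in: on pages that submit data, warn that a login is required.
        if (preg_match("#.*(record|import[^.]*)\\.php#i", $scriptURL)) {
            $loginStatus = "<span class=\"warning\">" . $loc["Warning_LoginToSubmitForm"] . "!</span>";
        } else {
            $loginStatus = "";
        }
        $loginWelcomeMsg = "";
        $loginLinks = "<a href=\"user_login.php?referer=" . rawurlencode($referer) . "\"" . addAccessKey("attribute", "login") . " title=\"" . $loc["LinkTitle_Login"] . addAccessKey("title", "login") . "\">" . $loc["Login"] . "</a>";
    }

    // Besides passing '$referer' as a GET parameter above, keep it in the session as well:
    // this lets 'user_login.php' / 'user_logout.php' redirect sensibly when called by hand
    // (i.e. without parameters).
    saveSessionVariable("referer", $referer);
}

/**
 * URL-encode a single query-string value for the return URL built by 'showLogin()'.
 *
 * Casts to string first so that null (an unset global) yields "" without the PHP 8.1+
 * deprecation notice that 'rawurlencode(null)' raises, mirroring plain concatenation.
 *
 * @param mixed $value Scalar (or null) request value.
 * @return string The percent-encoded value.
 */
function showLoginEncodeParam($value)
{
    return rawurlencode((string) $value);
}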
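$helpResourcesURL = "http://www.refbase.net/"; // e.g. "http://www.refbase.net/"

// Specify whether announcements should be sent to the email address given in '$mailingListEmail':
// If $sendEmailAnnouncements = "yes", a short info will be mailed to the email address specified
// in $mailingListEmail if a new record has been added to the database.
$sendEmailAnnouncements = "no"; // possible values: "yes", "no"

// The mailing list email address to which any announcements should be sent:
$mailingListEmail = "*****@*****.**"; // temporary. Real: eriala.keeleteadus@lists.ut.ee

// The base URL for this literature database (i.e., the URL to the refbase root directory where
// your refbase scripts are located):
// It will be used within RSS feeds and when sending notification emails to database users.
//
// The base URL is auto-generated by the code below. Enter a literal URL if this doesn't work for
// you — and preferably always in production, see the security note below.
//
// SECURITY NOTE: the host part comes from the HTTP 'Host' request header, which the client
// controls. Since '$databaseBaseURL' is embedded in RSS feeds and in emails sent to users, a
// forged 'Host' header would let an attacker plant links pointing at a host of their choosing
// ("host header poisoning"). The header is therefore only accepted when it looks like a plain
// hostname (or IPv4 address) with an optional port; anything else falls back to 'SERVER_NAME',
// which comes from the web-server configuration rather than from the request. (IPv6 literals
// such as '[::1]' also take the fallback.) The scheme follows the current request instead of
// being hard-wired to 'http://', so an HTTPS deployment does not advertise plain-HTTP links.
$databaseBaseScheme = (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== "off") ? "https://" : "http://";
$databaseBaseHost = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : "";
if (!preg_match('/^[A-Za-z0-9.-]+(:[0-9]{1,5})?$/D', $databaseBaseHost)) {
    $databaseBaseHost = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : "localhost";
}
$databaseBaseURL = preg_replace('#[^/]*$#', '', $databaseBaseScheme . $databaseBaseHost . scriptURL(), 1); // e.g. "http://polaris.ipoe.uni-kiel.de/refs/"
unset($databaseBaseScheme, $databaseBaseHost); // scratch variables only; keep them out of the global scope

// The keywords/tags that describe or categorize the content of this literature database:
// These keywords/tags should be single words delimited by a space character. They'll be
// included on every HTML page (in the <head> section) as well as in the OpenSearch description
// document. A good selection of keywords may help to increase search engine visibility.
$databaseKeywords = "finno-ugric academic literature scientific references publication search citation bibliography database"; // e.g. "academic literature refbase"

// The character encoding that's used as content-type for HTML, RSS and email output:
// IMPORTANT NOTES: - the encoding type specified here must match the default character set you've
//                    chosen on install for your refbase MySQL database & tables!
//                  - plus, the character encoding of this file ('ini.inc.php') MUST match the
//                    encoding type specified in '$contentTypeCharset'! This means, if you're going to
//                    use "UTF-8", you must re-save this file with encoding "Unicode (UTF-8, no BOM)".
$contentTypeCharset = "UTF-8"; // possible values: "ISO-8859-1", "UTF-8"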