         if (count($or_array) > 0) {
             $sql .= "(" . implode(" OR ", $or_array) . ")";
         } else {
             $sql .= "FALSE";
         }
     } elseif ($field_natures[$key] == 'boolean' || $field_natures[$key] == 'integer' && isset($field_lengths[$key]) && $field_lengths[$key] <= 2) {
         if (!empty(${$var})) {
             $sql .= " AND E.{$key}!=0";
         }
     } elseif ($field_natures[$key] == 'integer' && isset($field_lengths[$key]) && $field_lengths[$key] > 2) {
         if (isset(${$var}) && ${$var} !== '') {
             $sql .= " AND E.{$key}=" . ${$var};
         }
     } else {
         if (!empty(${$var})) {
             $sql .= " AND" . sql_syntax_caseless_contains("E.{$key}", ${$var});
         }
     }
 }
 // If we're not an admin (they are allowed to see everything), then we need
 // to make sure we respect the privacy settings.  (We rely on the privacy fields
 // in the area table being not NULL.   If they are by some chance NULL, then no
 // entries will be found, which is at least safe from the privacy viewpoint)
 if (!$is_admin) {
     if (isset($user)) {
         // if the user is logged in they can see:
         //   - all bookings, if private_override is set to 'public'
         //   - their own bookings, and others' public bookings if private_override is set to 'none'
         //   - just their own bookings, if private_override is set to 'private'
         $sql .= " AND ((A.private_override='public') OR\n                     (A.private_override='none' AND ((E.status&" . STATUS_PRIVATE . "=0) OR E.create_by = '" . sql_escape($user) . "')) OR\n                     (A.private_override='private' AND E.create_by = '" . sql_escape($user) . "'))";
     } else {
         $sql .= "(" . implode(" OR ", $or_array) . ")";
     } else {
         $sql .= "e.type = '" . addslashes($typematch[0]) . "'";
     }
 }
 // Optional free-text filters on the entry columns.  The SQL escaping of each
 // search string is done inside sql_syntax_caseless_contains().
 if (!empty($namematch)) {
     $sql .= " AND" . sql_syntax_caseless_contains("e.name", $namematch);
 }
 if (!empty($descrmatch)) {
     $sql .= " AND" . sql_syntax_caseless_contains("e.description", $descrmatch);
 }
 if (!empty($creatormatch)) {
     $sql .= " AND" . sql_syntax_caseless_contains("e.create_by", $creatormatch);
 }
 // Privacy restriction.  Admins see everything, and so does everybody when the
 // override is "public"; otherwise what is visible depends on who is asking.
 $restrict_private = !($private_override == "public" || $is_admin);
 if ($restrict_private) {
     if (!isset($user)) {
         // Anonymous visitors may only report on entries not marked private.
         $sql .= " AND e.private=0";
     } elseif ($private_override == "private") {
         // "private" override: a logged-in user sees just their own entries.
         // NOTE(review): addslashes() is not a database-aware escape; where a
         // driver-level escape such as sql_escape() is available it should be
         // preferred for the user name here and below.
         $sql .= sprintf(" AND e.create_by = '%s'", addslashes($user));
     } else {
         // Default: the user's own entries plus anybody's non-private entries.
         $sql .= sprintf(" AND (e.create_by = '%s' OR e.private=0)", addslashes($user));
     }
 }
// which can include fields that have an associative array of options)
// Extend the search to any custom (non-standard) columns of the entry table.
// Column names come from sql_field_info(), i.e. the table schema rather than
// the request, which is why they can be interpolated into the SQL directly.
$fields = sql_field_info($tbl_entry);
foreach ($fields as $field) {
    $column = $field['name'];
    if (in_array($column, $standard_fields['entry'])) {
        continue;
    }
    $options_key = "entry." . $column;
    if (isset($select_options[$options_key]) && is_assoc($select_options[$options_key])) {
        // The column stores option keys, so match the search string against the
        // displayed option values (case-insensitively) and search for the keys
        // of the values that match.  The key is SQL-escaped because it is data.
        $needle = strtolower($search_str);
        foreach ($select_options[$options_key] as $key => $value) {
            if ($key === '') {
                continue;
            }
            if (strpos(strtolower($value), $needle) !== FALSE) {
                $sql_pred .= sprintf(" OR E.%s='%s'", $column, sql_escape($key));
            }
        }
    } elseif ($field['nature'] == 'character') {
        // Plain text column: delegate the escaping to sql_syntax_caseless_contains().
        $sql_pred .= " OR " . sql_syntax_caseless_contains("E." . $column, $search_str);
    }
}
// Close the OR group opened earlier, keep only entries that have not yet ended
// and join each entry to its room and area rows.
// NOTE(review): assumes $now is an integer timestamp, since it is interpolated
// unescaped -- confirm where it is computed.
$sql_pred .= ") AND E.end_time > {$now}";
$sql_pred .= " AND E.room_id = R.id AND R.area_id = A.id";
// If we're not an admin (they are allowed to see everything), then we need
// to make sure we respect the privacy settings.  (We rely on the privacy fields
// in the area table being not NULL.   If they are by some chance NULL, then no
// entries will be found, which is at least safe from the privacy viewpoint)
if (!$is_admin) {
    if (isset($user)) {
        // if the user is logged in they can see:
        //   - all bookings, if private_override is set to 'public'
        //   - their own bookings, and others' public bookings if private_override is set to 'none'
        //   - just their own bookings, if private_override is set to 'private'
    genDateSelector("", $day, $month, $year);
    echo "<br><INPUT TYPE=SUBMIT VALUE=\"" . get_vocab("search_button") . "\">";
    echo "</FORM>";
    include "trailer.inc";
    exit;
}
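# Reject an empty search string.
# NOTE(review): a plain truthiness test also rejects a literal "0" search;
# left unchanged here so as not to alter which inputs are accepted.
if (!$search_str) {
    echo "<H3>" . get_vocab("invalid_search") . "</H3>";
    include "trailer.inc";
    exit;
}
# The search string is request-supplied and is echoed back into the page, so it
# must be HTML-escaped to avoid reflected script injection.
echo "<H3>" . get_vocab("search_results") . ": \"<font color=\"blue\">" . htmlspecialchars($search_str) . "</font>\"</H3>\n";
# $now is midnight at the start of the selected day; it is used so that only
# entries ending after that point are displayed.
$now = mktime(0, 0, 0, $month, $day, $year);
# This is the main part of the query predicate, used in both queries (the count
# below and the paged result query that follows).  sql_syntax_caseless_contains()
# does the SQL escaping of the search text; $now is the mktime() result.
# NOTE(review): the predicate uses $search_text while the checks above use
# $search_str -- confirm $search_text is derived from it earlier in the file.
$sql_pred = "( " . sql_syntax_caseless_contains("E.create_by", $search_text) . " OR " . sql_syntax_caseless_contains("E.name", $search_text) . " OR " . sql_syntax_caseless_contains("E.description", $search_text) . ") AND E.end_time > {$now}";
# The first time the search is called, we get the total
# number of matches.  This is passed along to subsequent
# searches so that we don't have to run it for each page.
if (!isset($total)) {
    $total = sql_query1("SELECT count(*) FROM {$tbl_entry} E WHERE {$sql_pred}");
}
# A failed count query (negative result) is treated the same as no matches.
if ($total <= 0) {
    echo "<B>" . get_vocab("nothing_found") . "</B>\n";
    include "trailer.inc";
    exit;
}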
if (!isset($search_pos) || $search_pos <= 0) {
    $search_pos = 0;
} elseif ($search_pos >= $total) {
    $search_pos = $total - $total % $search["count"];
 #   7  [6]   Created by (user name or IP addr), must be HTML escaped
 #   8  [7]   Creation timestamp, converted to Unix time_t by the database
 #   9  [8]   Area name, must be HTML escaped
 #  10  [9]   Room name, must be HTML escaped
 // The select list order matters: the result-handling code below addresses the
 // columns by position (see the numbered list above).  The creation timestamp
 // is converted to Unix time by the database.
 // NOTE(review): $report_start and $report_end are interpolated unescaped, so
 // they are assumed to be integer timestamps -- confirm where they are derived
 // from the form input.
 $timestamp_col = sql_syntax_timestamp_to_unix("e.timestamp");
 $sql = "SELECT e.id, e.start_time, e.end_time, e.name, e.description, e.type, e.create_by, "
      . "{$timestamp_col}, a.area_name, r.room_name"
      . " FROM mrbs_entry e, mrbs_area a, mrbs_room r"
      . " WHERE e.room_id = r.id AND r.area_id = a.id"
      . " AND e.start_time < {$report_end} AND e.end_time > {$report_start}";
 // Optional substring filters, applied in a fixed order.  A filter that is unset
 // or empty is skipped; sql_syntax_caseless_contains() is expected to do its own
 // SQL escaping of the value.
 $match_filters = array(
     "a.area_name"   => (isset($areamatch) ? $areamatch : null),
     "r.room_name"   => (isset($roommatch) ? $roommatch : null),
     "e.name"        => (isset($namematch) ? $namematch : null),
     "e.description" => (isset($descrmatch) ? $descrmatch : null),
 );
 foreach ($match_filters as $match_column => $match_value) {
     if (!empty($match_value)) {
         $sql .= " AND" . sql_syntax_caseless_contains($match_column, $match_value);
     }
 }
 // Sort by area name, room name, then start time (select-list columns 9, 10 and 2).
 $sql .= " ORDER BY 9,10,2";
 $res = sql_query($sql);
 if (!$res) {
     fatal_error(0, sql_error());
 }
 $nmatch = sql_count($res);
 if ($nmatch == 0) {
     echo "<P><B>" . $vocab["nothing_found"] . "</B>\n";
     sql_free($res);
 } else {
     $last_area_room = "";
     echo "<P><B>" . $nmatch . " " . ($nmatch == 1 ? $vocab["entry_found"] : $vocab["entries_found"]) . "</B>\n";