// function 'queryMySQLDatabase()' is defined in 'include.inc.php'
// (the query itself is issued before this fragment; '$result' and '$connection' are set there)

// Check how many rows the query actually modified and bounce the user back to the
// 'Flag Duplicates' form if it was none:
$affectedRows = $result ? mysql_affected_rows($connection) : 0; // get the number of rows that were modified (or return 0 if an error occurred)

if ($affectedRows == 0) {
    // we'll file this additional error element here so that the 'errors' session variable isn't empty causing 'duplicate_manager.php' to re-load the form data that were submitted by the user
    $errors["ignoredRecords"] = "all";

    // return an appropriate error message:
    $HeaderString = returnMsg("Nothing was changed by your query!", "warning", "strong", "HeaderString"); // function 'returnMsg()' is defined in 'include.inc.php'

    // Write back session variables:
    saveSessionVariable("errors", $errors); // function 'saveSessionVariable()' is defined in 'include.inc.php'
    saveSessionVariable("formVars", $formVars);

    // Relocate back to the 'Flag Duplicates' form (script 'duplicate_manager.php'):
    // NOTE(review): '$referer' is set outside this fragment (elsewhere in this codebase it is taken from
    // 'HTTP_REFERER', i.e. it is client-supplied) — confirm it is restricted to this site before it is
    // used as a redirect target.
    header("Location: " . $referer);
    exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
}

// Build correct header message:
$HeaderString = returnMsg("The records below have been successfully flagged as original/duplicate records:", "", "", "HeaderString"); // function 'returnMsg()' is defined in 'include.inc.php'

// Merge all given record serial numbers:
// (the serials are placed into the 'show.php' URL below without url-encoding; this presumes that
//  '$origRecordSerial' and '$dupRecordSerialsArray' were already validated as plain numbers — verify in the code above)
$allRecordSerialsString = $origRecordSerial . "," . implode(",", $dupRecordSerialsArray);

// (4) Call 'show.php' which will display all affected records along with the header message
// (routing feedback output to a different script page will avoid any reload problems effectively!)
header("Location: show.php?records=" . $allRecordSerialsString);

// --------------------------------------------------------------------

// (5) CLOSE CONNECTION
disconnectFromMySQLDatabase(); // function 'disconnectFromMySQLDatabase()' is defined in 'include.inc.php'

// --------------------------------------------------------------------
/**
 * Returns the formatted warning for a single form field, or nothing when the field has no error.
 *
 * @param string $fieldName key to look up in '$errors'
 * @param array  $errors    map of field name => error message (the contents of the 'errors' session variable)
 * @return string|null the message formatted by 'returnMsg()' (defined in 'include.inc.php'), null if no error is filed for '$fieldName'
 */
function fieldError($fieldName, $errors)
{
    if (!isset($errors[$fieldName])) {
        return null;
    }

    // 'warning2'/'strong' select the message style; "<br>" is appended as suffix:
    return returnMsg($errors[$fieldName], "warning2", "strong", "", "", "<br>");
}
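// --------------------------------------------------------------------

// START A SESSION:
// call the 'start_session()' function (from 'include.inc.php') which will also read out available session variables:
start_session(true);

// --------------------------------------------------------------------

// Initialize preferred display language:
// (note that 'locales.inc.php' has to be included *after* the call to the 'start_session()' function)
include 'includes/locales.inc.php'; // include the locales

// --------------------------------------------------------------------

// First of all, check if this script was called by something else than 'record.php' (via 'modify.php'):
// Notes: - although 'receipt.php' gets actually called by 'modify.php', the referrer will be still set to 'record.php'
//        - if a user clicks on Login/Logout while viewing a 'receipt.php' page she should get directed back to this receipt page (which is why 'receipt.php' must be also among the recognized referrers)
// NOTE(review): '$referer' is provided by 'start_session()' and appears to come from the HTTP Referer header, i.e. it is
// client-supplied: this substring match only catches accidental direct calls, and the redirect below follows the same value.
if (!preg_match("/.*(record|receipt)\\.php.*/", $referer)) {
    // return an appropriate error message:
    $HeaderString = returnMsg($loc["Warning_InvalidCallToScript"] . " '" . scriptURL() . "'!", "warning", "strong", "HeaderString"); // functions 'returnMsg()' and 'scriptURL()' are defined in 'include.inc.php'

    header("Location: " . $referer); // redirect to calling page
    exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
}

// [ Extract form variables sent through POST/GET by use of the '$_REQUEST' variable ]
// [ !! NOTE !!: for details see <http://www.php.net/release_4_2_1.php> & <http://www.php.net/manual/en/language.variables.predefined.php> ]

// Extract the type of action requested by the user (either 'add', 'edit', 'delet' or ''):
// A missing parameter is read defensively (no 'Undefined index' notice); both a missing and
// an empty 'recordAction' are treated as 'add'.
$recordAction = isset($_REQUEST['recordAction']) ? $_REQUEST['recordAction'] : "";

if ($recordAction === "") {
    $recordAction = "add"; // '' will be treated equal to 'add'
}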
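/**
 * Processes the 'Add', 'Remove', 'Allow' or 'Disallow' button of the 'queryResults' form
 * (adding/removing the selected records to/from a user group, or granting/revoking a user
 * permission) and then re-applies the current SQL query so the results can be redisplayed.
 *
 * Request parameters read: 'userGroupActionRadio', 'userGroupSelector', 'userGroupName' and
 * 'userPermissionSelector'. A missing parameter is treated as an empty string (previously a
 * missing 'userGroupActionRadio' raised an 'Undefined index' notice).
 *
 * @param string $displayType         the button that was clicked ('Add', 'Remove', 'Allow', 'Disallow'); any other value performs no update
 * @param string $originalDisplayType the display type to return to after processing
 * @param string $sqlQuery            the SQL query that produced the current result list
 * @param array  $recordSerialsArray  serial numbers of the records selected in the form; nothing is modified when empty
 * @return array two elements: the SQL query with a 'user_id' column added to its SELECT clause, and '$originalDisplayType'
 */
function extractFormElementsQueryResults($displayType, $originalDisplayType, $sqlQuery, $recordSerialsArray)
{
    global $tableUsers; // defined in 'db.inc.php'

    // Does the user want to process an existing group name (radio value '1') or a custom/new
    // group name typed into the text entry field (any other value, including a missing one)?
    $userGroupActionRadio = isset($_REQUEST['userGroupActionRadio']) ? $_REQUEST['userGroupActionRadio'] : "";

    // Extract the chosen user group from the request:
    if ($userGroupActionRadio == "1") {
        $userGroup = isset($_REQUEST['userGroupSelector']) ? $_REQUEST['userGroupSelector'] : "";
    } else {
        $userGroup = isset($_REQUEST['userGroupName']) ? $_REQUEST['userGroupName'] : "";
    }

    // Extract the specified permission setting:
    // NOTE(review): the permission name is forwarded from the request as-is; this relies on
    // 'updateUserPermissions()' accepting only known permission names — confirm.
    $userPermission = isset($_REQUEST['userPermissionSelector']) ? $_REQUEST['userPermissionSelector'] : "";

    if (!empty($recordSerialsArray)) {
        if (preg_match("/^(Add|Remove)\$/", $displayType)) {
            // add (remove) selected records to (from) the specified user group:
            modifyUserGroups($tableUsers, $displayType, $recordSerialsArray, "", $userGroup); // function 'modifyUserGroups()' is defined in 'include.inc.php'
        } elseif (preg_match("/^(Allow|Disallow)\$/", $displayType)) {
            // 'Allow' grants the chosen permission, anything else that reached this branch ('Disallow') revokes it:
            if ($displayType == "Allow") {
                $userPermissionsArray = array("{$userPermission}" => "yes");
            } else {
                $userPermissionsArray = array("{$userPermission}" => "no");
            }

            // Update the specified user permission for the current user:
            $updateSucceeded = updateUserPermissions($recordSerialsArray, $userPermissionsArray); // function 'updateUserPermissions()' is defined in 'include.inc.php'

            // 'returnMsg()' is handed the name "HeaderString" — presumably it files the message itself,
            // since the local '$HeaderString' is not used here.
            // NOTE(review): '$userPermission' comes from the request and is embedded into HTML unescaped;
            // confirm that 'returnMsg()' (or the header rendering) escapes it.
            if ($updateSucceeded) {
                // save an informative message:
                $HeaderString = returnMsg("User permission <code>{$userPermission}</code> was updated successfully!", "", "", "HeaderString");
            } else {
                // return an appropriate error message:
                $HeaderString = returnMsg("User permission <code>{$userPermission}</code> could not be updated!", "warning", "strong", "HeaderString");
            }
        }
    }

    // re-assign the correct display type if the user clicked the 'Add', 'Remove', 'Allow' or 'Disallow' button of the 'queryResults' form:
    $displayType = $originalDisplayType;

    // re-apply the current sqlQuery, adding a 'user_id' column (which is required in order to obtain unique checkbox names):
    $query = preg_replace("/ FROM {$tableUsers}/i", ", user_id FROM {$tableUsers}", $sqlQuery);

    return array($query, $displayType);
}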
/**
 * Builds the SQL query for the 'extract.php' form.
 *
 * Record serial numbers and cite keys are cut out of a free text (each identifier being
 * enclosed in a user-supplied start/end delimiter), the matching records are selected, and
 * any identifiers that do not exist in the database are reported through 'returnMsg()'.
 * Purely numeric identifiers are treated as serial numbers, everything else as a cite key;
 * cite keys are only honoured when a user is logged in ('$_SESSION['loginEmail']' is set).
 *
 * Reads '$_REQUEST['sourceText']', '$_REQUEST['startDelim']' and '$_REQUEST['endDelim']'
 * directly, without isset() checks.
 *
 * @param mixed  $showLinks passed through to 'buildSELECTclause()'
 * @param string $citeOrder 'year', 'type', 'type-year' or 'creation-date'; any other value selects the default ORDER BY clause
 * @param mixed  $userID    compared against 'user_id' (via 'quote_smart()') in the LEFT JOIN that is added for logged-in users
 * @return string the complete SQL query (the database lookup performed here only serves to detect missing identifiers)
 */
function extractFormElementsExtract($showLinks, $citeOrder, $userID)
{
    global $tableRefs, $tableUserData; // defined in 'db.inc.php'
    global $loc; // '$loc' is made globally available in 'core.php'

    // Extract form elements (that are unique to the 'extract.php' form):
    $sourceText = $_REQUEST['sourceText']; // get the source text that contains the record serial numbers/cite keys
    $startDelim = $_REQUEST['startDelim']; // get the start delimiter that precedes record serial numbers/cite keys
    $endDelim = $_REQUEST['endDelim']; // get the end delimiter that follows record serial numbers/cite keys

    // NOTE(review): preg_quote() is called without its delimiter argument, so a '/' inside a
    // user-supplied delimiter stays unescaped and terminates the "/.../s" patterns below early
    // (the preg_replace() calls then fail on a malformed pattern); preg_quote($x, '/') would close that gap.
    $startDelim = preg_quote($startDelim); // escape any potential meta-characters
    $endDelim = preg_quote($endDelim); // escape any potential meta-characters

    // Extract record serial numbers/cite keys from source text:
    $sourceText = "_" . $sourceText; // Note: by adding a character at the beginning of '$sourceText' we circumvent a problem with the regex pattern below which will strip everything up to the 2nd serial number/cite key if '$sourceText' starts with '$startDelim'
    $recordSerialsKeysString = preg_replace("/^.*?(?={$startDelim}.+?{$endDelim}|\$)/s", "", $sourceText); // remove any text preceding the first serial number/cite key
    $recordSerialsKeysString = preg_replace("/{$startDelim}(.+?){$endDelim}.*?(?={$startDelim}.+?{$endDelim}|\$)/s", "\\1_#_�_~_", $recordSerialsKeysString); // replace any text between serial numbers/cite keys (or between a serial number/cite key and the end of the text) with "_#_�_~_"; additionally, remove the delimiters enclosing the serial numbers/cite keys
    // Note: we do a quick'n dirty approach here, by inserting the string "_#_�_~_" as string delimiter between serial numbers/cite keys. Of course, this will only work as long the string "_#_�_~_" doesn't occur within '$sourceText'.
    $recordSerialsKeysString = preg_replace("/(_#_�_~_)?\n?\$/s", "", $recordSerialsKeysString); // remove any trailing chars (like \n or "_#_�_~_") at end of line
    $recordSerialsKeysArray = preg_split("/_#_�_~_/", $recordSerialsKeysString, -1, PREG_SPLIT_NO_EMPTY); // split string containing the serial numbers/cite keys on the string delimiter "_#_�_~_" (the 'PREG_SPLIT_NO_EMPTY' flag causes only non-empty pieces to be returned)
    $recordSerialsKeysArray = array_unique($recordSerialsKeysArray); // remove any duplicate serial numbers/cite keys from the list of extracted record identifiers

    $recordSerialsArray = array();
    $escapedRecordKeysArray = array();
    $foundRecordSerialsKeysArray = array();
    $missingRecordSerialsKeysArray = array();

    foreach ($recordSerialsKeysArray as $recordSerialKey) {
        if (preg_match("/^\\d+\$/", $recordSerialKey)) { // every identifier which only contains digits is treated as a serial number! (In other words: cite keys must contain at least one non-digit character)
            $recordSerialsArray[] = $recordSerialKey;
        } elseif (!empty($recordSerialKey)) {
            $escapedRecordKey = preg_quote($recordSerialKey); // escape any potential meta-characters within cite key
            $escapedRecordKeysArray[] = $escapedRecordKey;
        }
    }

    // Only digit strings reach '$recordSerialsString' (see the '^\d+$' check above), so the serial
    // RLIKE pattern built from it below cannot carry regex syntax; the cite key pattern relies on
    // preg_quote() (PCRE escaping) plus quote_smart() instead.
    // NOTE(review): MySQL's RLIKE dialect and string escaping differ from PCRE — confirm that this
    // combination yields a literal match for every cite key (and that quote_smart() escapes backslashes).
    $recordSerialsString = implode("|", $recordSerialsArray); // merge array of serial numbers again into a string, using "|" as delimiter
    $escapedRecordKeysString = implode("|", $escapedRecordKeysArray); // merge array of cite keys again into a string, using "|" as delimiter

    // Construct the SQL query:
    // TODO: build the complete SQL query using functions 'buildFROMclause()' and 'buildORDERclause()'

    // for the selected records, select all fields that are visible in Citation view:
    $query = buildSELECTclause("Cite", $showLinks); // function 'buildSELECTclause()' is defined in 'include.inc.php'

    $query .= " FROM {$tableRefs}"; // add FROM clause

    if (isset($_SESSION['loginEmail'])) { // if a user is logged in...
        $query .= " LEFT JOIN {$tableUserData} ON serial = record_id AND user_id = " . quote_smart($userID); // add LEFT JOIN part to FROM clause
    }

    // add WHERE clause:
    // (note that 'and' binds tighter than 'or' in the conditions below, i.e. the first one reads as
    //  A or (B and C) or (B and D))
    $query .= " WHERE";

    if (!empty($recordSerialsArray) or empty($recordSerialsArray) and empty($escapedRecordKeysArray) or empty($recordSerialsArray) and !isset($_SESSION['loginEmail'])) { // the second condition ensures a valid SQL query if no serial numbers or cite keys were found, same for the third condition if a user isn't logged in and '$sourceText' did only contain cite keys
        $query .= " serial RLIKE " . quote_smart("^(" . $recordSerialsString . ")\$"); // add any serial numbers to WHERE clause
    }

    if (!empty($recordSerialsArray) and (!empty($escapedRecordKeysArray) and isset($_SESSION['loginEmail']))) {
        $query .= " OR";
    }

    if (!empty($escapedRecordKeysArray) and isset($_SESSION['loginEmail'])) {
        $query .= " cite_key RLIKE " . quote_smart("^(" . $escapedRecordKeysString . ")\$"); // add any cite keys to WHERE clause
    }

    // add ORDER BY clause:
    if ($citeOrder == "year") { // sort records first by year (descending), then in the usual way:
        $query .= " ORDER BY year DESC, first_author, author_count, author, title";
    } elseif ($citeOrder == "type") { // sort records first by record type (and thesis type), then in the usual way:
        $query .= " ORDER BY type DESC, thesis DESC, first_author, author_count, author, year, title";
    } elseif ($citeOrder == "type-year") { // sort records first by record type (and thesis type), then by year (descending), then in the usual way:
        $query .= " ORDER BY type DESC, thesis DESC, year DESC, first_author, author_count, author, title";
    } elseif ($citeOrder == "creation-date") { // sort records such that newly added/edited records get listed top of the list:
        $query .= " ORDER BY created_date DESC, created_time DESC, modified_date DESC, modified_time DESC, serial DESC";
    } else { // if any other or no '$citeOrder' parameter is specified, we supply the default ORDER BY pattern (which is suitable for citation in a journal etc.):
        $query .= " ORDER BY first_author, author_count, author, year, title";
    }

    // Check whether the extracted serial numbers and cite keys exist in the database:
    $result = queryMySQLDatabase($query); // RUN the query on the database through the connection (function 'queryMySQLDatabase()' is defined in 'include.inc.php')

    if (@mysql_num_rows($result) > 0) { // '@' hides the warning mysql_num_rows() emits when '$result' is not a result resource (e.g. the query failed); the block is then simply skipped
        // Loop over each row in the result set ('$rowCounter' is only counted, never read):
        for ($rowCounter = 0; $row = @mysql_fetch_array($result); $rowCounter++) {
            if (!in_array($row["serial"], $foundRecordSerialsKeysArray) or !empty($row["cite_key"]) and !in_array($row["cite_key"], $foundRecordSerialsKeysArray)) {
                // add this record's serial number and cite key to the array of found record serials and cite keys:
                $foundRecordSerialsKeysArray[] = $row["serial"];
                if (!empty($row["cite_key"])) {
                    $foundRecordSerialsKeysArray[] = $row["cite_key"];
                }
            }
        }
    }

    $missingRecordSerialsKeysArray = array_diff($recordSerialsKeysArray, $foundRecordSerialsKeysArray); // get all unique array elements of '$recordSerialsKeysArray' which are not in '$foundRecordSerialsKeysArray'
    sort($missingRecordSerialsKeysArray);

    if (!empty($escapedRecordKeysArray) and !isset($_SESSION['loginEmail'])) { // a user can only use cite keys as record identifiers when he's logged in
        $messageSuffix = "<br>" . $loc["Warning_LoginToUseCiteKeysAsIdentifiers"] . "!";
    } else {
        $messageSuffix = "";
    }

    if (!empty($missingRecordSerialsKeysArray) or !empty($escapedRecordKeysArray) and !isset($_SESSION['loginEmail'])) { // if some record identifiers could not be found in the database -OR- if a user tries to use cite keys while not being logged in
        // return an appropriate error message:
        // NOTE(review): the missing identifiers originate from the request and are echoed back here as-is —
        // confirm that 'returnMsg()' escapes them for HTML output
        $HeaderString = returnMsg("Following record identifiers could not be found: " . implode(", ", $missingRecordSerialsKeysArray), "warning", "strong", "HeaderString", "", $messageSuffix); // function 'returnMsg()' is defined in 'include.inc.php'
    }

    return $query;
}
} else { $emailSubject = "New records added to the " . $officialDatabaseName; $emailBodyIntro = $importedRecordsCount . " records have been added to the " . $officialDatabaseName . ":"; $detailsURL = $databaseBaseURL . "show.php?records=" . $recordSerialsQueryString; } $emailBody = $emailBodyIntro . "\n\n added by: " . $loginFirstName . " " . $loginLastName . "\n details: " . $detailsURL . "\n"; sendEmail($emailRecipient, $emailSubject, $emailBody); // function 'sendEmail()' is defined in 'include.inc.php' } if ($importedRecordsCount == 1) { $headerMessage = $importedRecordsCount . " " . $loc["RecordSuccessfullyImported"] . ":"; } else { // $importedRecordsCount > 1 $headerMessage = $importedRecordsCount . " " . $loc["RecordsSuccessfullyImported"] . ":"; } // DISPLAY all newly added records: header("Location: show.php?records=" . $recordSerialsQueryString . "&headerMsg=" . rawurlencode($headerMessage)); } else { // we'll file again this additional error element here so that the 'errors' session variable isn't empty causing 'import_csa.php' to re-load the form data that were submitted by the user $errors["badRecords"] = "all"; // return an appropriate error message: $HeaderString = returnMsg($loc["NoRecordsImported"] . "!", "warning", "strong", "HeaderString"); // function 'returnMsg()' is defined in 'include.inc.php' // Write back session variables: saveSessionVariable("errors", $errors); // function 'saveSessionVariable()' is defined in 'include.inc.php' saveSessionVariable("formVars", $formVars); header("Location: " . $referer); // redirect to the calling page (normally, 'import_csa.php') } // --------------------------------------------------------------------
if (!empty($userID)) { // the 'userID' parameter was specified -> we include user specific fields $query .= " FROM {$tableRefs} LEFT JOIN {$tableUserData} ON serial = record_id AND user_id = " . quote_smart($userID); } else { $query .= " FROM {$tableRefs}"; } // add FROM clause // Build WHERE clause: $query .= " WHERE"; $multipleParameters = false; // serial/record: if (!empty($serial)) { // first, check if the user is allowed to display any record details: if (preg_match("/^Display\$/i", $displayType) and isset($_SESSION['user_permissions']) and !preg_match("/allow_details_view/", $_SESSION['user_permissions'])) { // return an appropriate error message: $HeaderString = returnMsg($loc["NoPermission"] . $loc["NoPermission_ForDisplayDetails"] . "!", "warning", "strong", "HeaderString"); // function 'returnMsg()' is defined in 'include.inc.php' if (!preg_match("/^cli/i", $client)) { header("Location: show.php"); } // redirect back to 'show.php' exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< } $query .= connectConditionals(); if ($recordConditionalSelector == "is equal to") { $query .= " serial = " . quote_smart($serial); } elseif ($recordConditionalSelector == "is within list") { // replace any non-digit chars with "|": $serial = preg_replace("/\\D+/", "|", $serial); // strip "|" from beginning/end of string (if any):
// w.r.t. to '$_SERVER['HTTP_REFERER']' vs '$referer' see NOTE above exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< } } elseif ($queryAction == "add") { // Get the query id that was created: $queryID = @mysql_insert_id($connection); } // find out the unique ID number of the newly created query (Note: this function should be called immediately after the // SQL INSERT statement! After any subsequent query it won't be possible to retrieve the auto_increment identifier value for THIS record!) // update the 'userQueries' session variable: getUserQueries($loginUserID); // function 'getUserQueries()' is defined in 'include.inc.php' // Build correct header message: if ($queryAction == "add") { $HeaderString = $loc["SavedQueryAdded"]; } elseif ($queryAction == "edit") { $HeaderString = $loc["SavedQueryEdited"]; } elseif ($queryAction == "delet") { $HeaderString = $loc["SavedQueryDeleted"]; } $HeaderString = returnMsg($HeaderString, "", "", "HeaderString"); // function 'returnMsg()' is defined in 'include.inc.php' // (4) Call 'index.php' which will display the header message // (routing feedback output to a different script page will avoid any reload problems effectively!) header("Location: index.php"); // -------------------------------------------------------------------- // (5) CLOSE CONNECTION disconnectFromMySQLDatabase(); // function 'disconnectFromMySQLDatabase()' is defined in 'include.inc.php' // --------------------------------------------------------------------
// Get the query URL of the formerly displayed results page: if (isset($_SESSION['oldQuery'])) { $oldQuery = $_SESSION['oldQuery']; } else { $oldQuery = array(); } // Get any saved links to previous search results: if (isset($_SESSION['queryHistory'])) { $queryHistory = $_SESSION['queryHistory']; } else { $queryHistory = array(); } // Check if there's any query history available: if (empty($queryHistory)) { // return an appropriate error message: $HeaderString = returnMsg("No query history available!", "warning", "strong", "HeaderString"); // function 'returnMsg()' is defined in 'include.inc.php' header("Location: " . $referer); // variable '$referer' is globally defined in function 'start_session()' in 'include.inc.php' exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< } // -------------------------------------------------------------------- // (4) DISPLAY HEADER & RESULTS // (NOTE: Since there's no need to query the database here, we won't perform any of the following: (1) OPEN CONNECTION, (2) SELECT DATABASE, (3) RUN QUERY, (5) CLOSE CONNECTION) // Show the login status: showLogin(); // (function 'showLogin()' is defined in 'include.inc.php') // (4a) DISPLAY header: // Call the 'displayHTMLhead()' and 'showPageHeader()' functions (which are defined in 'header.inc.php'): if ($wrapResults != "0") {
$rowOffset = $_REQUEST['startRecord'] - 1; } else { $rowOffset = ""; } // if no value to the 'startRecord' parameter is given, we'll output records starting with the first record in the result set if (isset($_REQUEST['recordSchema'])) { // contains the desired response format; currently, 'rss.php' will only recognize 'rss' (outputs RSS 2.0), future versions may also allow for 'atom' $recordSchema = $_REQUEST['recordSchema']; } else { $recordSchema = "rss"; } // if no particular response format was requested we'll output found results as RSS 2.0 // Check the correct parameters have been passed: if (empty($queryWhereClause)) { // return an appropriate error message: $HeaderString = returnMsg($loc["Warning_IncorrectOrMissingParams"] . " '" . scriptURL() . "'!", "warning", "strong", "HeaderString"); // functions 'returnMsg()' and 'scriptURL()' are defined in 'include.inc.php' // Redirect the browser back to the calling page: header("Location: " . $referer); // variable '$referer' is globally defined in function 'start_session()' in 'include.inc.php' exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< } else { $sanitizedWhereClause = extractWHEREclause(" WHERE " . $queryWhereClause); // attempt to sanitize custom WHERE clause from SQL injection attacks (function 'extractWHEREclause()' is defined in 'include.inc.php') } // -------------------------------------------------------------------- // If we made it here, then the script was called with all required parameters (which, currently, is just the 'where' parameter :) // CONSTRUCT SQL QUERY: // Note: the 'verifySQLQuery()' function that gets called below will add the user specific fields to the 'SELECT' clause and the // 'LEFT JOIN...' part to the 'FROM' clause of the SQL query if a user is logged in. It will also add 'orig_record', 'serial', 'file', 'url', 'doi', 'isbn' & 'type' columns
/**
 * Strips every reference to '$field' from the SELECT, ORDER BY and WHERE parts of '$sqlQuery'
 * (e.g. to hide a column that must not be displayed or queried), supplying a generic clause
 * wherever the removal would otherwise leave a clause empty.
 *
 * NOTE(review): '$field' is spliced into the PCRE patterns below without preg_quote(), so it
 * must be a plain column name; a value containing regex meta-characters (or '/') would alter
 * the patterns — confirm no caller forwards user-controlled text. The patterns also carry no
 * trailing word boundary, so a field name that is a prefix of another column name (e.g.
 * 'author' vs. 'author_count') matches both.
 *
 * @param string $sqlQuery     the SQL query to modify
 * @param string $field        the column name to strip
 * @param bool   $issueWarning whether to report the omission via 'returnMsg()' (defined in 'include.inc.php')
 * @return string the modified query; returned unchanged if '$field' occurs in none of the three clauses
 */
function stripFieldFromSQLQuery($sqlQuery, $field, $issueWarning = true)
{
    // note that, upon multiple warnings, only the last warning message will be displayed

    // if the given '$field' is part of the SELECT or ORDER BY statement...
    if (preg_match("/(SELECT |ORDER BY |, *)" . $field . "/i", $sqlQuery)) {
        // if the 'SELECT' clause contains '$field':
        if ($issueWarning and preg_match("/SELECT(.(?!FROM))+?" . $field . "/i", $sqlQuery)) {
            // return an appropriate error message:
            // note: we don't write out any error message if the given '$field' does only occur within the 'ORDER' clause (but not within the 'SELECT' clause)
            $HeaderString = returnMsg("Display of '" . $field . "' field was omitted!", "warning", "strong", "HeaderString");
        }

        $sqlQuery = preg_replace("/(SELECT|ORDER BY) " . $field . "( DESC)?/i", "\\1 ", $sqlQuery); // ...delete '$field' from beginning of 'SELECT' or 'ORDER BY' clause
        $sqlQuery = preg_replace("/, *" . $field . "( DESC)?/i", "", $sqlQuery); // ...delete any other occurrences of '$field' from 'SELECT' or 'ORDER BY' clause
        $sqlQuery = preg_replace("/(SELECT|ORDER BY) *, */i", "\\1 ", $sqlQuery); // ...remove any field delimiters that directly follow the 'SELECT' or 'ORDER BY' terms
        $sqlQuery = preg_replace("/SELECT *(?=FROM)/i", buildSELECTclause("", "", "", false, false) . " ", $sqlQuery); // ...supply generic 'SELECT' clause if it did ONLY contain the given '$field'
        $sqlQuery = preg_replace("/ORDER BY *(?=LIMIT|GROUP BY|HAVING|PROCEDURE|FOR UPDATE|LOCK IN|\$)/i", "ORDER BY author, year DESC, publication", $sqlQuery); // ...supply generic 'ORDER BY' clause if it did ONLY contain the given '$field'
    }

    // if the given '$field' is part of the WHERE clause...
    if (preg_match("/WHERE.+" . $field . "/i", $sqlQuery)) {
        // Note: in the patterns below we'll attempt to account for parentheses but this won't catch all cases!
        $sqlQuery = preg_replace("/WHERE( *\\( *?)* *" . $field . ".+?(?= (AND|OR)\\b| ORDER BY| LIMIT| GROUP BY| HAVING| PROCEDURE| FOR UPDATE| LOCK IN|\$)/i", "WHERE\\1", $sqlQuery); // ...delete '$field' from 'WHERE' clause
        $sqlQuery = preg_replace("/( *\\( *?)*( *(AND|OR)\\b)? *" . $field . ".+?(?=( *\\) *?)* +((AND|OR)\\b|ORDER BY|LIMIT|GROUP BY|HAVING|PROCEDURE|FOR UPDATE|LOCK IN|\$))/i", "\\1", $sqlQuery); // ...delete '$field' from 'WHERE' clause
        $sqlQuery = preg_replace("/WHERE( *\\( *?)* *(AND|OR)\\b/i", "WHERE\\1", $sqlQuery); // ...delete any superfluous 'AND' that wasn't removed properly by the two regex patterns above
        $sqlQuery = preg_replace("/WHERE( *\\( *?)*(?= ORDER BY| LIMIT| GROUP BY| HAVING| PROCEDURE| FOR UPDATE| LOCK IN|\$)/i", "WHERE serial RLIKE \".+\"", $sqlQuery); // ...supply generic 'WHERE' clause (matching every record with a non-empty serial) if it did ONLY contain the given '$field'

        if ($issueWarning) {
            // return an appropriate error message:
            $HeaderString = returnMsg("Querying of '" . $field . "' field was omitted!", "warning", "strong", "HeaderString");
        }
    }

    return $sqlQuery;
}
$formVars = array(); } // initialize variable (in order to prevent 'Undefined index/variable...' messages) // The current values of the session variables 'errors' and 'formVars' get stored in '$errors' or '$formVars', respectively. (either automatically if // register globals is ON, or explicitly if register globals is OFF [by uncommenting the code above]). // We need to clear these session variables here, since they would otherwise be still there on a subsequent call of 'duplicate_manager.php'! // Note: though we clear the session variables, the current error message (or form variables) is still available to this script via '$errors' (or '$formVars', respectively). deleteSessionVariable("errors"); // function 'deleteSessionVariable()' is defined in 'include.inc.php' deleteSessionVariable("formVars"); // -------------------------------------------------------------------- // TODO: enable checking for 'allow_flag_duplicates' permission // CAUTION: Since there's not a 'allow_flag_duplicates' permission setting (yet), we currently just check whether a user is logged in! if (!isset($_SESSION['loginEmail'])) { // return an appropriate error message: $HeaderString = returnMsg($loc["NoPermission"] . $loc["NoPermission_ForFlagDups"] . "!", "warning", "strong", "HeaderString"); // function 'returnMsg()' is defined in 'include.inc.php' // save the URL of the currently displayed page: $referer = $_SERVER['HTTP_REFERER']; // Write back session variables: saveSessionVariable("referer", $referer); // function 'saveSessionVariable()' is defined in 'include.inc.php' header("Location: index.php"); exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! 
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< } // -------------------------------------------------------------------- // Extract the view type requested by the user (either 'Mobile', 'Print', 'Web' or ''): // ('' will produce the default 'Web' output style) if (isset($_REQUEST['viewType'])) { $viewType = $_REQUEST['viewType'];