// set variable to zero (a user with '$userID = 0' definitely doesn't exist) in order to prevent 'Undefined variable...' messages
// NOTE(review): the '$userID = 0' assignment this comment describes is not on this page; the dispatch below reads '$userID'
// (and '$formType', '$sqlQuery', '$displayType', '$referer', '$showLinks', ...) from the surrounding scope — confirm they are all set before this point.
// --------------------------------------------------------------------
// CONSTRUCT SQL QUERY from user input provided by any of the search forms:
// Exactly one branch below is taken, keyed on '$formType'; each branch leaves the final SQL text in '$query'
// (and some also overwrite '$sqlQuery' / '$displayType', which later code reads). An unknown '$formType' matches
// no branch and leaves '$query' unset.
// NOTE(review): the comparisons use loose '=='; '$formType' presumably arrives as a request string, in which case this is
// equivalent to '===' — verify its origin before tightening.
// --- Form 'sql_search.php': ------------------
if ($formType == "sqlSearch") {
    // verify the SQL query specified by the user and modify it if security concerns are encountered:
    // (this function does add/remove user-specific query code as required and will fix problems with escape sequences within the SQL query)
    // NOTE(review): on this path the user supplies a complete SQL statement; the visible code relies entirely on
    // verifySQLQuery() (not on this page) to constrain what that statement may select or join.
    $query = verifySQLQuery($sqlQuery, $referer, $displayType, $showLinks); // function 'verifySQLQuery()' is defined in 'include.inc.php' (since it's also used by 'rss.php')
} elseif ($formType == "duplicateSearch") {
    // find duplicate records within results of the given SQL query (using settings extracted from the 'duplicateSearch' form
    // in 'duplicate_search.php') and return a modified database query that only matches these duplicate entries:
    // '$sqlQuery' and '$displayType' are replaced here and the replaced values are what gets verified next — keep this order.
    list($sqlQuery, $displayType) = findDuplicates($sqlQuery, $originalDisplayType);
    // by passing the generated SQL query thru the 'verifySQLQuery()' function we ensure that necessary fields are added as needed:
    // (this function does add/remove user-specific query code as required and will fix problems with escape sequences within the SQL query)
    $query = verifySQLQuery($sqlQuery, $referer, $displayType, $showLinks); // function 'verifySQLQuery()' is defined in 'include.inc.php' (since it's also used by 'rss.php')
} elseif ($formType == "simpleSearch") {
    // the extractFormElements*() helpers below build the query from their form's fields; none is defined on this page
    $query = extractFormElementsSimple($showLinks, $userID);
} elseif ($formType == "librarySearch") {
    $query = extractFormElementsLibrary($showLinks, $userID);
} elseif ($formType == "advancedSearch") {
    $query = extractFormElementsAdvanced($showLinks, $loginEmail, $userID);
} elseif ($formType == "refineSearch" or $formType == "displayOptions") {
    // both form types share one helper; it also returns a (possibly changed) display type
    list($query, $displayType) = extractFormElementsRefineDisplay($tableRefs, $displayType, $originalDisplayType, $sqlQuery, $showLinks, $citeOrder, $userID); // function 'extractFormElementsRefineDisplay()' is defined in 'include.inc.php' since it's also used by 'users.php'
} elseif ($formType == "queryResults") {
    list($query, $displayType) = extractFormElementsQueryResults($displayType, $originalDisplayType, $showLinks, $citeOrder, $orderBy, $userID, $sqlQuery, $referer, $recordSerialsArray, $recordsSelectionRadio);
} elseif ($formType == "extractSearch") {
    $query = extractFormElementsExtract($showLinks, $citeOrder, $userID);
} elseif ($formType == "myRefsSearch") {
    // NOTE(review): this branch is empty as shown on this page, so a 'myRefsSearch' form leaves '$query' untouched;
    // this may be page truncation rather than the real source — confirm against the file.
}
// --------------------------------------------------------------------
// NOTE(review): from here on the code looks like the 'where'-parameter path of the RSS feed script (cf. the "RSS"
// arguments and the comment below) rather than a continuation of the form dispatch above; it reassigns '$sqlQuery'
// and '$query' unconditionally. Confirm how the two fragments relate in the actual file.
// If we made it here, then the script was called with all required parameters (which, currently, is just the 'where' parameter :)
// CONSTRUCT SQL QUERY:
// Note: the 'verifySQLQuery()' function that gets called below will add the user specific fields to the 'SELECT' clause and the
// 'LEFT JOIN...' part to the 'FROM' clause of the SQL query if a user is logged in. It will also add 'orig_record', 'serial', 'file', 'url', 'doi', 'isbn' & 'type' columns
// as required. Therefore it's sufficient to provide just the plain SQL query here:
$sqlQuery = buildSELECTclause("RSS", "1", "", false, false); // function 'buildSELECTclause()' is defined in 'include.inc.php'
// NOTE(review): '$sanitizedWhereClause' is concatenated verbatim into the SQL text. Whatever sanitization produced it is not
// on this page, and verifySQLQuery() below is the only visible gate between the caller-supplied 'where' clause and the
// database — confirm both before relying on this path. '$tableRefs' is presumably a configured table name, not user input.
$sqlQuery .= " FROM {$tableRefs} WHERE " . $sanitizedWhereClause; // add FROM clause and the specified WHERE clause
$sqlQuery .= " ORDER BY created_date DESC, created_time DESC, modified_date DESC, modified_time DESC, serial DESC"; // sort records such that newly added/edited records get listed top of the list
// since a malicious user could change the 'where' parameter manually to gain access to user-specific data of other users, we'll run the SQL query thru the 'verifySQLQuery()' function:
// (this function does also add/remove user-specific query code as required and will fix problems with escape sequences within the SQL query)
$query = verifySQLQuery($sqlQuery, "", "RSS", "1"); // function 'verifySQLQuery()' is defined in 'include.inc.php'
// the 'verifySQLQuery()' function will save an error message to the 'HeaderString' session variable if something went wrong (e.g., if a user who's NOT logged in tries to query user specific fields)
// Error signalling is by side effect: the only check the caller can make is whether the session key now exists.
if (isset($_SESSION['HeaderString'])) {
    header("Location: index.php"); // redirect to main page ('index.php') which will display the error message stored within the 'HeaderString' session variable
    // stop here so the rejected query is never connected to or executed below
    exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
}
// --------------------------------------------------------------------
// (1) OPEN CONNECTION, (2) SELECT DATABASE
connectToMySQLDatabase(); // function 'connectToMySQLDatabase()' is defined in 'include.inc.php'
// --------------------------------------------------------------------
// (3) RUN the query on the database through the connection:
// '$result' is consumed by code after this page; its type depends on queryMySQLDatabase(), which is not shown here.
$result = queryMySQLDatabase($query);