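$errors = array();
// Copy the form variables into the '$formVars' array, removing leading/trailing whitespace from
// each field. The array is initialized up front so that a request without any parameters does
// not leave '$formVars' undefined when it is read below.
$formVars = array();
foreach ($_REQUEST as $varname => $value) {
    if (is_array($value)) {
        // multi-valued fields (e.g. 'marked[]') arrive as arrays; 'trim()' only accepts strings,
        // so trim each scalar element and leave nested arrays untouched
        $formVars[$varname] = array();
        foreach ($value as $key => $item) {
            $formVars[$varname][$key] = is_array($item) ? $item : trim($item);
        }
    } else {
        $formVars[$varname] = trim($value);
    }
}
//		$formVars[$varname] = trim(clean($value, 50)); // the use of the clean function would be more secure!
// --------------------------------------------------------------------
// Extract form variables:
// Note: Although we could use the '$formVars' array directly below (e.g.: $formVars['origRecord'] etc., like in 'user_validation.php'), we'll read out
//       all variables individually again. This is done to enhance readability. (A smarter way of doing so seems to be the use of the 'extract()' function, but that
//       may expose yet another security hole...)
// First of all, check if this script was called by something else than 'duplicate_manager.php':
// NOTE(review): '$referer' is set in 'start_session()' ('include.inc.php'); if it is derived from the
// client-supplied 'Referer' header, this check only catches accidental direct calls — it is not a
// defense against a forged request, and the redirect below goes to whatever '$referer' holds.
if (!preg_match("#/duplicate_manager\\.php#i", $referer)) {
    // return an appropriate error message:
    $HeaderString = returnMsg($loc["Warning_InvalidCallToScript"] . " '" . scriptURL() . "'!", "warning", "strong", "HeaderString");
    // functions 'returnMsg()' and 'scriptURL()' are defined in 'include.inc.php'
    header("Location: " . $referer);
    // redirect to calling page
    exit;
    // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
}
// Extract the form used by the user (an empty string if the request did not carry a 'formType',
// mirroring the default used for 'viewType' below, instead of reading an undefined index):
$formType = isset($formVars['formType']) ? $formVars['formType'] : "";
// Extract the view type requested by the user (either 'Mobile', 'Print', 'Web' or ''):
// ('' will produce the default 'Web' output style)
$viewType = isset($formVars['viewType']) ? $formVars['viewType'] : "";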
    $rowOffset = $_REQUEST['startRecord'] - 1;
} else {
    $rowOffset = "";
}
// if no value is given for the 'startRecord' parameter, we'll output records starting with the first record in the result set
// The desired response format; if none was requested, found results are output as RSS 2.0.
// (currently, 'rss.php' will only recognize 'rss'; future versions may also allow for 'atom')
// Note that '$recordSchema' is taken verbatim from the request and is not validated here.
$recordSchema = isset($_REQUEST['recordSchema']) ? $_REQUEST['recordSchema'] : "rss";
// Check that the required parameters have been passed (currently just the custom WHERE clause):
if (empty($queryWhereClause)) {
    // Report the problem and send the browser back to the calling page.
    // (functions 'returnMsg()' and 'scriptURL()' are defined in 'include.inc.php';
    //  variable '$referer' is globally defined in function 'start_session()' in 'include.inc.php')
    $HeaderString = returnMsg($loc["Warning_IncorrectOrMissingParams"] . " '" . scriptURL() . "'!", "warning", "strong", "HeaderString");
    header("Location: " . $referer);
    exit;
    // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
}
// Attempt to sanitize the custom WHERE clause against SQL injection
// (function 'extractWHEREclause()' is defined in 'include.inc.php'):
$sanitizedWhereClause = extractWHEREclause(" WHERE " . $queryWhereClause);
// --------------------------------------------------------------------
// If we made it here, then the script was called with all required parameters (which, currently, is just the 'where' parameter :)
// CONSTRUCT SQL QUERY:
// Note: the 'verifySQLQuery()' function that gets called below will add the user specific fields to the 'SELECT' clause and the
// 'LEFT JOIN...' part to the 'FROM' clause of the SQL query if a user is logged in. It will also add 'orig_record', 'serial', 'file', 'url', 'doi', 'isbn' & 'type' columns
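function indentTag($depth)
{
    // Emits an <img> spacer that indents the following content by '$depth' levels
    // (the icon's width multiplied by '$depth'); nothing is emitted for a depth of zero or less.
    // $depth: indentation level, expected to be numeric
    if ($depth > 0) {
        // '@' keeps a missing or unreadable icon file from writing warnings into the page;
        // the 'false' result is handled explicitly below instead
        $size = @getimagesize(SCRIPT_DIR . ICON_INDENT);
        if ($size === false) {
            // no usable icon: skip the spacer rather than emit an <img> with bogus dimensions
            return;
        }
        // the icon URL ends up in an HTML attribute, so escape it for that context
        // (function 'scriptURL()' is defined in 'include.inc.php')
        $iconURL = htmlspecialchars(scriptURL(ICON_INDENT), ENT_QUOTES, 'UTF-8');
        echo "<img src=\"" . $iconURL . "\" width=\"" . ($size[0] * $depth) . "\" height=\"" . $size[1] . "\">";
    }
}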
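function showLogin()
{
    // Fills the global login-related variables ('$loginStatus', '$loginWelcomeMsg', '$loginLinks')
    // for the page header and stores a '$referer' URL pointing back to the current page, both as
    // a GET parameter of the login/logout links and as a session variable.
    global $loginEmail;
    global $loginWelcomeMsg;
    global $loginFirstName;
    global $loginLastName;
    global $abbrevInstitution;
    global $loginUserID;
    global $loginStatus;
    global $loginLinks;
    global $adminLoginEmail;
    // ('$adminLoginEmail' is specified in 'ini.inc.php')
    global $loc;
    // '$loc' is made globally available in 'core.php'
    //		$referer = $_SERVER["REQUEST_URI"]; // 'REQUEST_URI' does only seem to work for GET requests (but not for POST requests!) ?:-/
    // so, as a workaround, we build an appropriate query string from scratch (which will also work for POST requests):
    // --- BEGIN WORKAROUND ---
    global $formType;
    global $displayType;
    global $queryURL;
    global $showQuery;
    global $showLinks;
    global $showRows;
    global $rowOffset;
    global $citeStyle;
    global $citeOrder;
    global $orderBy;
    global $recordAction;
    global $serialNo;
    global $headerMsg;
    global $errorNo;
    global $errorMsg;
    // Get the path to the currently executing script, relative to the document root:
    $scriptURL = scriptURL();
    // Extract checkbox variable values from the request. 'marked' is client-supplied: a lone scalar
    // (e.g. 'marked=123' instead of 'marked[]=123') is treated as a one-element list rather than
    // passed to 'implode()', which rejects non-arrays, and nested arrays are dropped.
    $recordSerialsArray = array();
    if (isset($_REQUEST['marked'])) {
        $markedValues = is_array($_REQUEST['marked']) ? $_REQUEST['marked'] : array($_REQUEST['marked']);
        $recordSerialsArray = array_filter($markedValues, 'is_scalar');
    }
    $recordSerialsString = "";
    // initialize variable
    // join array elements:
    if (!empty($recordSerialsArray)) {
        // the user did check some checkboxes; each serial is URL-encoded so that a crafted value
        // cannot smuggle additional parameters into the query string built below
        $recordSerialsString = implode("&marked[]=", array_map('rawurlencode', $recordSerialsArray));
    }
    // prefix each record serial (except the first one) with "&marked[]="
    $recordSerialsString = "&marked[]=" . $recordSerialsString;
    // prefix also the very first record serial with "&marked[]="
    // based on the refering script we adjust the parameters that get included in the link:
    if (preg_match("#/(index|install|update|simple_search|advanced_search|sql_search|library_search|duplicate_manager|duplicate_search|opensearch|query_history|extract|users|user_details|user_receipt)\\.php#i", $scriptURL)) {
        $referer = $scriptURL;
    } elseif (preg_match("#/user_options\\.php#i", $scriptURL)) {
        $referer = $scriptURL . "?" . "userID=" . $loginUserID;
    } elseif (preg_match("#/(record|receipt)\\.php#i", $scriptURL)) {
        $referer = $scriptURL . "?" . "recordAction=" . $recordAction . "&serialNo=" . $serialNo . "&headerMsg=" . rawurlencode($headerMsg);
    } elseif (preg_match("#/error\\.php#i", $scriptURL)) {
        $referer = $scriptURL . "?" . "errorNo=" . $errorNo . "&errorMsg=" . rawurlencode($errorMsg) . "&headerMsg=" . rawurlencode($headerMsg);
    } else {
        $referer = $scriptURL . "?" . "formType=" . "sqlSearch" . "&submit=" . $displayType . "&headerMsg=" . rawurlencode($headerMsg) . "&sqlQuery=" . $queryURL . "&showQuery=" . $showQuery . "&showLinks=" . $showLinks . "&showRows=" . $showRows . "&rowOffset=" . $rowOffset . $recordSerialsString . "&citeStyle=" . rawurlencode($citeStyle) . "&citeOrder=" . $citeOrder . "&orderBy=" . rawurlencode($orderBy);
    }
    // --- END WORKAROUND -----
    // Is the user logged in?
    if (isset($_SESSION['loginEmail'])) {
        // strict comparison: the admin check must not be subject to PHP's loose string/number rules
        $isAdmin = ($loginEmail === $adminLoginEmail);
        $loginStatus = $loc["Welcome"];
        $loginWelcomeMsg = "<em>" . encodeHTML($loginFirstName) . " " . encodeHTML($loginLastName) . "</em>!";
        if ($isAdmin) {
            $loginStatus .= " <span class=\"warning\">" . $loc["Admin"] . "</span>";
        }
        $loginLinks = "";
        if ($isAdmin) {
            $loginLinks .= "<a href=\"user_details.php\" title=\"add a user to the database\">Add User</a>&nbsp;&nbsp;|&nbsp;&nbsp;";
            $loginLinks .= "<a href=\"users.php\" title=\"manage user data\">Manage Users</a>&nbsp;&nbsp;|&nbsp;&nbsp;";
        } else {
            $loginLinks .= "<a href=\"search.php?formType=myRefsSearch&amp;showQuery=0&amp;showLinks=1&amp;myRefsRadio=1\"" . addAccessKey("attribute", "my_refs") . " title=\"" . $loc["LinkTitle_MyRefs"] . addAccessKey("title", "my_refs") . "\">" . $loc["MyRefs"] . "</a>&nbsp;&nbsp;|&nbsp;&nbsp;";
            if (isset($_SESSION['user_permissions']) and preg_match("/allow_modify_options/", $_SESSION['user_permissions'])) {
                // if the 'user_permissions' session variable contains 'allow_modify_options'...
                // ... include a link to 'user_receipt.php':
                $loginLinks .= "<a href=\"user_receipt.php?userID=" . $loginUserID . "\"" . addAccessKey("attribute", "my_opt") . " title=\"" . $loc["LinkTitle_Options"] . addAccessKey("title", "my_opt") . "\">" . $loc["Options"] . "</a>&nbsp;&nbsp;|&nbsp;&nbsp;";
            }
        }
        $loginLinks .= "<a href=\"user_logout.php?referer=" . rawurlencode($referer) . "\"" . addAccessKey("attribute", "login") . " title=\"" . $loc["LinkTitle_Logout"] . addAccessKey("title", "login") . "\">" . $loc["Logout"] . "</a>";
    } else {
        if (preg_match("#.*(record|import[^.]*)\\.php#i", $scriptURL)) {
            $loginStatus = "<span class=\"warning\">" . $loc["Warning_LoginToSubmitForm"] . "!</span>";
        } else {
            $loginStatus = "";
        }
        $loginWelcomeMsg = "";
        $loginLinks = "<a href=\"user_login.php?referer=" . rawurlencode($referer) . "\"" . addAccessKey("attribute", "login") . " title=\"" . $loc["LinkTitle_Login"] . addAccessKey("title", "login") . "\">" . $loc["Login"] . "</a>";
    }
    // Although the '$referer' variable gets included as GET parameter above, we'll also save the variable as session variable:
    // (this should help re-directing to the correct page if a user called 'user_login/logout.php' manually, i.e., without parameters)
    saveSessionVariable("referer", $referer);
}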
$helpResourcesURL = "http://www.refbase.net/";
// e.g. "http://www.refbase.net/"
// Specify whether announcements should be sent to the email address given in '$mailingListEmail':
// If $sendEmailAnnouncements = "yes", a short info will be mailed to the email address specified
// in $mailingListEmail if a new record has been added to the database.
$sendEmailAnnouncements = "no";
// possible values: "yes", "no"
// The mailing list email address to which any announcements should be sent:
$mailingListEmail = "*****@*****.**";
// temporary. Real: eriala.keeleteadus@lists.ut.ee
// The base URL for this literature database (i.e., the URL to the refbase root directory where
// your refbase scripts are located):
// It will be used within RSS feeds and when sending notification emails to database users.
// The base URL is auto-generated by the code below (scheme 'http://', the request's host name,
// and the path of the current script with its file name stripped). Enter a literal URL if this
// doesn't work for you.
// NOTE(review): the host name is read from '$_SERVER['HTTP_HOST']', i.e. the 'Host' header of the
// incoming request, which the client controls; links placed into feeds and notification emails
// therefore follow whatever host name the request carried. Setting a literal URL here removes
// that dependency.
$databaseBaseURL = preg_replace('#[^/]*$#', '', 'http://' . $_SERVER['HTTP_HOST'] . scriptURL(), 1);
// e.g. "http://polaris.ipoe.uni-kiel.de/refs/"
// The keywords/tags that describe or categorize the content of this literature database:
// These keywords/tags should be single words delimited by a space character. They'll be
// included on every HTML page (in the <head> section) as well as in the OpenSearch description
// document. A good selection of keywords may help to increase search engine visibility.
$databaseKeywords = "finno-ugric academic literature scientific references publication search citation bibliography database";
// e.g. "academic literature refbase"
// The character encoding that's used as content-type for HTML, RSS and email output:
// IMPORTANT NOTES: - the encoding type specified here must match the default character set you've
//                    chosen on install for your refbase MySQL database & tables!
//                  - plus, the character encoding of this file ('ini.inc.php') MUST match the
//                    encoding type specified in '$contentTypeCharset'! This means, if you're going to
//                    use "UTF-8", you must re-save this file with encoding "Unicode (UTF-8, no BOM)".
$contentTypeCharset = "UTF-8";
// possible values: "ISO-8859-1", "UTF-8"