if (count($or_array) > 0) { $sql .= "(" . implode(" OR ", $or_array) . ")"; } else { $sql .= "FALSE"; } } elseif ($field_natures[$key] == 'boolean' || $field_natures[$key] == 'integer' && isset($field_lengths[$key]) && $field_lengths[$key] <= 2) { if (!empty(${$var})) { $sql .= " AND E.{$key}!=0"; } } elseif ($field_natures[$key] == 'integer' && isset($field_lengths[$key]) && $field_lengths[$key] > 2) { if (isset(${$var}) && ${$var} !== '') { $sql .= " AND E.{$key}=" . ${$var}; } } else { if (!empty(${$var})) { $sql .= " AND" . sql_syntax_caseless_contains("E.{$key}", ${$var}); } } } // If we're not an admin (they are allowed to see everything), then we need // to make sure we respect the privacy settings. (We rely on the privacy fields // in the area table being not NULL. If they are by some chance NULL, then no // entries will be found, which is at least safe from the privacy viewpoint) if (!$is_admin) { if (isset($user)) { // if the user is logged in they can see: // - all bookings, if private_override is set to 'public' // - their own bookings, and others' public bookings if private_override is set to 'none' // - just their own bookings, if private_override is set to 'private' $sql .= " AND ((A.private_override='public') OR\n (A.private_override='none' AND ((E.status&" . STATUS_PRIVATE . "=0) OR E.create_by = '" . sql_escape($user) . "')) OR\n (A.private_override='private' AND E.create_by = '" . sql_escape($user) . "'))"; } else {
$sql .= "(" . implode(" OR ", $or_array) . ")"; } else { $sql .= "e.type = '" . addslashes($typematch[0]) . "'"; } } if (!empty($namematch)) { // sql_syntax_caseless_contains() does the SQL escaping $sql .= " AND" . sql_syntax_caseless_contains("e.name", $namematch); } if (!empty($descrmatch)) { // sql_syntax_caseless_contains() does the SQL escaping $sql .= " AND" . sql_syntax_caseless_contains("e.description", $descrmatch); } if (!empty($creatormatch)) { // sql_syntax_caseless_contains() does the SQL escaping $sql .= " AND" . sql_syntax_caseless_contains("e.create_by", $creatormatch); } # If not overriding as public entries and user isn't and admin... if ($private_override != "public" && !$is_admin) { if (isset($user)) { if ($private_override == "private") { $sql .= " AND e.create_by = '" . addslashes($user) . "'"; } else { $sql .= " AND (e.create_by = '" . addslashes($user) . "' OR e.private=0)"; } } else { # un-authenticated users can only report on # items which are not marked private $sql .= " AND e.private=0"; } }
// which can include fields that have an associative array of options) $fields = sql_field_info($tbl_entry); foreach ($fields as $field) { if (!in_array($field['name'], $standard_fields['entry'])) { // If we've got a field that is represented by an associative array of options // then we have to search for the keys whose values match the search string if (isset($select_options["entry." . $field['name']]) && is_assoc($select_options["entry." . $field['name']])) { foreach ($select_options["entry." . $field['name']] as $key => $value) { // We have to use strpos() rather than stripos() because we cannot // assume PHP5 if ($key !== '' && strpos(strtolower($value), strtolower($search_str)) !== FALSE) { $sql_pred .= " OR E." . $field['name'] . "='" . sql_escape($key) . "'"; } } } elseif ($field['nature'] == 'character') { $sql_pred .= " OR " . sql_syntax_caseless_contains("E." . $field['name'], $search_str); } } } $sql_pred .= ") AND E.end_time > {$now}"; $sql_pred .= " AND E.room_id = R.id AND R.area_id = A.id"; // If we're not an admin (they are allowed to see everything), then we need // to make sure we respect the privacy settings. (We rely on the privacy fields // in the area table being not NULL. If they are by some chance NULL, then no // entries will be found, which is at least safe from the privacy viewpoint) if (!$is_admin) { if (isset($user)) { // if the user is logged in they can see: // - all bookings, if private_override is set to 'public' // - their own bookings, and others' public bookings if private_override is set to 'none' // - just their own bookings, if private_override is set to 'private'
genDateSelector("", $day, $month, $year); echo "<br><INPUT TYPE=SUBMIT VALUE=\"" . get_vocab("search_button") . "\">"; echo "</FORM>"; include "trailer.inc"; exit; } if (!$search_str) { echo "<H3>" . get_vocab("invalid_search") . "</H3>"; include "trailer.inc"; exit; } # now is used so that we only display entries newer than the current time echo "<H3>" . get_vocab("search_results") . ": \"<font color=\"blue\">{$search_str}</font>\"</H3>\n"; $now = mktime(0, 0, 0, $month, $day, $year); # This is the main part of the query predicate, used in both queries: $sql_pred = "( " . sql_syntax_caseless_contains("E.create_by", $search_text) . " OR " . sql_syntax_caseless_contains("E.name", $search_text) . " OR " . sql_syntax_caseless_contains("E.description", $search_text) . ") AND E.end_time > {$now}"; # The first time the search is called, we get the total # number of matches. This is passed along to subsequent # searches so that we don't have to run it for each page. if (!isset($total)) { $total = sql_query1("SELECT count(*) FROM {$tbl_entry} E WHERE {$sql_pred}"); } if ($total <= 0) { echo "<B>" . get_vocab("nothing_found") . "</B>\n"; include "trailer.inc"; exit; } if (!isset($search_pos) || $search_pos <= 0) { $search_pos = 0; } elseif ($search_pos >= $total) { $search_pos = $total - $total % $search["count"];
# 7 [6] Created by (user name or IP addr), must be HTML escaped # 8 [7] Creation timestamp, converted to Unix time_t by the database # 9 [8] Area name, must be HTML escaped # 10 [9] Room name, must be HTML escaped $sql = "SELECT e.id, e.start_time, e.end_time, e.name, e.description, " . "e.type, e.create_by, " . sql_syntax_timestamp_to_unix("e.timestamp") . ", a.area_name, r.room_name" . " FROM mrbs_entry e, mrbs_area a, mrbs_room r" . " WHERE e.room_id = r.id AND r.area_id = a.id" . " AND e.start_time < {$report_end} AND e.end_time > {$report_start}"; if (!empty($areamatch)) { $sql .= " AND" . sql_syntax_caseless_contains("a.area_name", $areamatch); } if (!empty($roommatch)) { $sql .= " AND" . sql_syntax_caseless_contains("r.room_name", $roommatch); } if (!empty($namematch)) { $sql .= " AND" . sql_syntax_caseless_contains("e.name", $namematch); } if (!empty($descrmatch)) { $sql .= " AND" . sql_syntax_caseless_contains("e.description", $descrmatch); } # Order by Area, Room, Start date/time: $sql .= " ORDER BY 9,10,2"; # echo "<p>DEBUG: SQL: <tt> $sql </tt>\n"; $res = sql_query($sql); if (!$res) { fatal_error(0, sql_error()); } $nmatch = sql_count($res); if ($nmatch == 0) { echo "<P><B>" . $vocab["nothing_found"] . "</B>\n"; sql_free($res); } else { $last_area_room = ""; echo "<P><B>" . $nmatch . " " . ($nmatch == 1 ? $vocab["entry_found"] : $vocab["entries_found"]) . "</B>\n";