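/**
 * Builds the SQL query (and, for 'Add'/'Remove', restores the display type) for the
 * 'queryResults' form, i.e. the form below a list of search results from which the user
 * can cite, display or export records, or add/remove them to/from a user group.
 *
 * @param string $displayType           button the user pressed: 'Cite', 'Display', 'Export', 'Add' or 'Remove'
 * @param string $originalDisplayType   display type that gets re-assigned after an 'Add'/'Remove' action
 * @param string $showLinks             "1" if the 'file', 'url', 'doi', 'isbn' & 'type' columns shall be part of the query
 * @param string $citeOrder             sort order for 'Cite' output: 'year', 'type', 'type-year', 'creation-date'
 *                                      or anything else (which yields the default citation order)
 * @param string $orderBy               body of the ORDER BY clause for 'Display'/'Export' output (interpolated as-is, see note below)
 * @param mixed  $userID                ID of the logged-in user (passed thru 'quote_smart()' before use in SQL)
 * @param string $sqlQuery              the SQL query of the current result set
 * @param mixed  $referer               not used by this function (kept for interface compatibility)
 * @param array  $recordSerialsArray    serial numbers of the records whose checkboxes were checked (may be empty)
 * @param string $recordsSelectionRadio "1" to process ALL found records, anything else for the checked records only
 * @return array  array($query, $displayType); '$query' stays empty if '$displayType' matches none of the handled cases
 *                (e.g. 'Add'/'Remove' without a logged-in user)
 */
function extractFormElementsQueryResults($displayType, $originalDisplayType, $showLinks, $citeOrder, $orderBy, $userID, $sqlQuery, $referer, $recordSerialsArray, $recordsSelectionRadio)
{
	global $tableRefs, $tableUserData; // defined in 'db.inc.php'

	$query = ""; // initialized so that an unhandled '$displayType' doesn't return an undefined variable

	// (1) Determine the 'WHERE' clause that selects the records to work on:
	if ($recordsSelectionRadio == "1") // process ALL found records
	{
		// re-use the 'WHERE' clause of the current SQL query:
		$queryWhereClause = extractWHEREclause($sqlQuery); // function 'extractWHEREclause()' is defined in 'include.inc.php'

		if (preg_match("/^(Add|Remove)\$/i", $displayType)) // the user clicked either the 'Add' or the 'Remove' button
			// get the serial numbers of all found records (which is required by function 'modifyUserGroups()'):
			$recordSerialsArray = getFieldContents($tableRefs, "serial", $userID, $queryWhereClause); // function 'getFieldContents()' is defined in 'include.inc.php'
	}
	else // process only those records whose checkboxes were checked
	{
		// The serial numbers come from the submitted form and end up inside a regular expression,
		// so we keep only purely numeric values (anything else cannot be a valid serial number anyway):
		$validSerials = array();
		if (is_array($recordSerialsArray))
			foreach ($recordSerialsArray as $serial)
				if (preg_match("/^[0-9]+\$/", (string) $serial))
					$validSerials[] = (string) $serial;

		if (empty($validSerials)) // the user did NOT check any checkboxes (or none of the given serials was valid)
			$validSerials[] = "0"; // since '0' doesn't exist as serial number, this will result in a "nothing found" feedback

		$recordSerialsArray = $validSerials;
		$queryWhereClause = "serial RLIKE " . quote_smart("^(" . implode("|", $recordSerialsArray) . ")\$");
	}

	// (2) Determine the user group to add records to (or remove from), if the user may manage groups:
	$userGroup = "";
	if (isset($_SESSION['loginEmail']) and (isset($_SESSION['user_permissions']) and preg_match("/allow_user_groups/", $_SESSION['user_permissions'])))
	{
		// 'userGroupActionRadio' tells whether the user chose an existing group name from the popup menu ("1")
		// or entered a custom/new group name in the text entry field (anything else):
		$userGroupActionRadio = (isset($_REQUEST['userGroupActionRadio']) ? $_REQUEST['userGroupActionRadio'] : "");
		$userGroupField = ($userGroupActionRadio == "1") ? 'userGroupSelector' : 'userGroupName';

		if (isset($_REQUEST[$userGroupField]))
			$userGroup = $_REQUEST[$userGroupField];
	}

	// (3) Depending on the chosen output format, construct an appropriate SQL query:
	// TODO: build the complete SQL query using functions 'buildFROMclause()' and 'buildORDERclause()'
	$fromClause = " FROM {$tableRefs}";
	if (isset($_SESSION['loginEmail'])) // if a user is logged in, join the user-specific data of that user
		$fromClause .= " LEFT JOIN {$tableUserData} ON serial = record_id AND user_id = " . quote_smart($userID);

	if (preg_match("/^Cite\$/i", $displayType))
	{
		// ORDER BY patterns for the supported '$citeOrder' values:
		$citeOrderClauses = array(
			"year"          => " ORDER BY year DESC, first_author, author_count, author, title", // first by year (descending), then in the usual way
			"type"          => " ORDER BY type DESC, thesis DESC, first_author, author_count, author, year, title", // first by record type (and thesis type), then in the usual way
			"type-year"     => " ORDER BY type DESC, thesis DESC, year DESC, first_author, author_count, author, title", // first by record type (and thesis type), then by year (descending), then in the usual way
			"creation-date" => " ORDER BY created_date DESC, created_time DESC, modified_date DESC, modified_time DESC, serial DESC", // newly added/edited records get listed top of the list
		);

		if (is_string($citeOrder) and isset($citeOrderClauses[$citeOrder]))
			$orderClause = $citeOrderClauses[$citeOrder];
		else // if any other or no '$citeOrder' parameter is specified, we supply the default ORDER BY pattern (which is suitable for citation in a journal etc.):
			$orderClause = " ORDER BY first_author, author_count, author, year, title";

		$query = buildSELECTclause($displayType, $showLinks) . $fromClause . " WHERE " . $queryWhereClause . $orderClause; // function 'buildSELECTclause()' is defined in 'include.inc.php'
	}
	elseif (preg_match("/^(Display|Export)\$/i", $displayType))
	{
		// NOTE(review): '$orderBy' is interpolated into the query unescaped; the caller must make sure it has been
		//               validated before the query gets executed (presumably via 'verifySQLQuery()') -- confirm
		$query = buildSELECTclause($displayType, $showLinks) . $fromClause . " WHERE " . $queryWhereClause . " ORDER BY {$orderBy}"; // function 'buildSELECTclause()' is defined in 'include.inc.php'
	}
	elseif (isset($_SESSION['loginEmail']) and preg_match("/^(Add|Remove)\$/i", $displayType))
	{
		if (!empty($userGroup)) // add (remove) selected records to (from) the specified user group
			modifyUserGroups($tableUserData, $displayType, $recordSerialsArray, $userID, $userGroup); // function 'modifyUserGroups()' is defined in 'include.inc.php'

		// re-apply the current sqlQuery, adding the columns that the results view needs
		// (the table name is quoted so that it can't be misread as regex syntax):
		$fromPattern = "/ FROM " . preg_quote($tableRefs, "/") . "/i";
		$query = preg_replace($fromPattern, ", orig_record FROM {$tableRefs}", $sqlQuery); // 'orig_record' is required in order to present visual feedback on duplicate records
		$query = preg_replace($fromPattern, ", serial FROM {$tableRefs}", $query); // 'serial' is required in order to obtain unique checkbox names
		if ($showLinks == "1")
			$query = preg_replace($fromPattern, ", file, url, doi, isbn, type FROM {$tableRefs}", $query); // add 'file', 'url', 'doi', 'isbn' & 'type' columns

		// re-assign the correct display type, since the user clicked the 'Add' or 'Remove' button of the 'queryResults' form:
		$displayType = $originalDisplayType;
	}

	return array($query, $displayType);
}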
$callNumber = preg_quote($callNumber, ""); // escape any meta characters // replace any whitespace characters with "|": $callNumber = preg_replace("/\\s+/", "|", $callNumber); // strip "|" from beginning/end of string (if any): $callNumber = preg_replace("/^\\|?(.+?)\\|?\$/", "\\1", $callNumber); $query .= " call_number RLIKE " . quote_smart("(^|.*;) *" . $callNumberPrefix . " @ (" . $callNumber . ") *(;.*|\$)"); } else { // $recordConditionalSelector == "contains" $query .= " call_number RLIKE " . quote_smart($callNumberPrefix . " @ [^@;]*" . $callNumber . "[^@;]*"); } } // where: if (!empty($where)) { $query .= connectConditionals(); $sanitizedWhereClause = extractWHEREclause(" WHERE " . $where); // attempt to sanitize custom WHERE clause from SQL injection attacks (function 'extractWHEREclause()' is defined in 'include.inc.php') $query .= " (" . $sanitizedWhereClause . ")"; // add custom WHERE clause } // If, for some odd reason, 'records=all' was passed together with other parameters (such as in '.../show.php?records=all&author=steffens') we'll remove again // the generic WHERE clause part (i.e. ' serial RLIKE ".+"') from the query since its superfluous and would confuse other features (such as the "Seach within Results" functionality): if (preg_match('/WHERE serial RLIKE "\\.\\+" AND/i', $query)) { $query = preg_replace('/WHERE serial RLIKE "\\.\\+" AND/i', 'WHERE', $query); } elseif (preg_match("/WHERE\$/i", $query)) { // if still no WHERE clause was added (which is the case for URLs like 'show.php?submit=Browse&by=author') $query .= " serial RLIKE \".+\""; } // add generic WHERE clause // Build GROUP BY clause: if (preg_match("/^Browse\$/i", $displayType)) {
} else { $recordSchema = "rss"; } // if no particular response format was requested we'll output found results as RSS 2.0 // Check the correct parameters have been passed: if (empty($queryWhereClause)) { // return an appropriate error message: $HeaderString = returnMsg($loc["Warning_IncorrectOrMissingParams"] . " '" . scriptURL() . "'!", "warning", "strong", "HeaderString"); // functions 'returnMsg()' and 'scriptURL()' are defined in 'include.inc.php' // Redirect the browser back to the calling page: header("Location: " . $referer); // variable '$referer' is globally defined in function 'start_session()' in 'include.inc.php' exit; // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !EXIT! <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< } else { $sanitizedWhereClause = extractWHEREclause(" WHERE " . $queryWhereClause); // attempt to sanitize custom WHERE clause from SQL injection attacks (function 'extractWHEREclause()' is defined in 'include.inc.php') } // -------------------------------------------------------------------- // If we made it here, then the script was called with all required parameters (which, currently, is just the 'where' parameter :) // CONSTRUCT SQL QUERY: // Note: the 'verifySQLQuery()' function that gets called below will add the user specific fields to the 'SELECT' clause and the // 'LEFT JOIN...' part to the 'FROM' clause of the SQL query if a user is logged in. It will also add 'orig_record', 'serial', 'file', 'url', 'doi', 'isbn' & 'type' columns // as required. Therefore it's sufficient to provide just the plain SQL query here: $sqlQuery = buildSELECTclause("RSS", "1", "", false, false); // function 'buildSELECTclause()' is defined in 'include.inc.php' $sqlQuery .= " FROM {$tableRefs} WHERE " . 
$sanitizedWhereClause; // add FROM clause and the specified WHERE clause $sqlQuery .= " ORDER BY created_date DESC, created_time DESC, modified_date DESC, modified_time DESC, serial DESC"; // sort records such that newly added/edited records get listed top of the list // since a malicious user could change the 'where' parameter manually to gain access to user-specific data of other users, we'll run the SQL query thru the 'verifySQLQuery()' function:
// Call the 'displayHTMLhead()' and 'showPageHeader()' functions (which are defined in 'header.inc.php'): if ($wrapResults != "0") { displayHTMLhead(encodeHTML($officialDatabaseName) . " -- Query History", "noindex,nofollow", "Displays links to previous search results", "", false, "", $viewType, array()); if (!preg_match("/^(Print|Mobile)\$/i", $viewType)) { // Note: we omit the visible header in print/mobile view ('viewType=Print' or 'viewType=Mobile') showPageHeader($HeaderString); } echo "\n"; } // (4b) DISPLAY results: echo "<div id=\"queryhistory\">"; // Print a link to the current query: if (!empty($oldQuery)) { echo "\n\t<div id=\"currentquery\">" . "\n\t\t<h5>Current Query</h5>"; // Extract the 'WHERE' clause from the current SQL query: $queryWhereClause = extractWHEREclause($oldQuery["sqlQuery"]); // function 'extractWHEREclause()' is defined in 'include.inc.php' $queryTitle = encodeHTML(explainSQLQuery($queryWhereClause)); // functions 'encodeHTML()' and 'explainSQLQuery()' are defined in 'include.inc.php' // Generate a 'search.php' URL that points to the current query: $queryURL = generateURL("search.php", "html", $oldQuery, true); // function 'generateURL()' is defined in 'include.inc.php' echo "\n\t\t<div class=\"even\">" . "\n\t\t\t<a href=\"" . $queryURL . "\">" . $queryTitle . "</a>" . "\n\t\t</div>" . "\n\t</div>"; } // Print links to any previous search results: if (!empty($queryHistory)) { echo "\n\t<div id=\"previousqueries\">" . "\n\t\t<h5>Previous Queries</h5>"; $queryHistory = array_reverse($queryHistory); // Display links to previous search results: for ($i = 0; $i < count($queryHistory); $i++) { if (is_integer($i / 2)) {
/**
 * Creates the Atom <feed> root element together with its feed-level child elements
 * (title, subtitle, updated, author, generator, icon, logo, and the OpenSearch & unAPI links).
 * Entry elements and further links get added elsewhere (see function 'atomCollection()').
 *
 * @param string $atomOperation  the requested operation; "Error" yields a fixed "Search error!" subtitle
 *                               and skips the UTF-8 conversion of the database name
 * @return XML  the feed root with all feed-level tags attached
 */
function atomGenerateBaseTags($atomOperation)
{
	// these variables are specified in 'ini.inc.php':
	global $officialDatabaseName;
	global $databaseBaseURL;
	global $feedbackEmail;
	global $contentTypeCharset;
	global $convertExportDataToUTF8;
	global $logoImageURL;
	global $faviconImageURL;
	global $query; // SQL query of the current result set (NOTE(review): set by the calling script -- confirm it is defined whenever '$atomOperation' isn't "Error")

	$isError = ($atomOperation == "Error");

	// Feed root carrying the XML namespaces that the feed and its entries use:
	$namespaces = array(
		"xmlns"            => "http://www.w3.org/2005/Atom",
		"xmlns:opensearch" => "http://a9.com/-/spec/opensearch/1.1/",
		"xmlns:unapi"      => "http://unapi.info/", // NOTE: is the unAPI namespace ok? Or should we use "http://unapi.info/specs/", or maybe something like "http://purl.org/unapi/ns/" ?
		"xmlns:dc"         => "http://purl.org/dc/elements/1.1/",
		"xmlns:dcterms"    => "http://purl.org/dc/terms/",
		"xmlns:prism"      => "http://prismstandard.org/namespaces/1.2/basic/",
	);
	$feed = new XML("feed");
	foreach ($namespaces as $attributeName => $namespaceURI)
		$feed->setTagAttribute($attributeName, $namespaceURI);

	// The database name is escaped via 'encodeHTMLspecialchars()' (defined in 'include.inc.php')...
	$feedDatabaseName = encodeHTMLspecialchars($officialDatabaseName);
	// ...and, unless we're reporting an error, converted to UTF-8 if '$convertExportDataToUTF8'
	// is set to "yes" in 'ini.inc.php' and the character encoding is not UTF-8 already:
	if (!$isError and $convertExportDataToUTF8 == "yes" and $contentTypeCharset != "UTF-8")
		$feedDatabaseName = convertToCharacterEncoding("UTF-8", "IGNORE", $feedDatabaseName); // function 'convertToCharacterEncoding()' is defined in 'include.inc.php'

	// ----------------------------------------------------------
	// Feed-level tags (not yet used: category, contributor, rights):

	// - 'title':
	addNewBranch($feed, "title", array("type" => "text"), $feedDatabaseName);

	// - 'subtitle':
	if ($isError)
		$subTitle = "Search error!";
	else
	{
		// describe the 'WHERE' clause of the current SQL query in (sort of) natural language:
		$whereClause = extractWHEREclause($query); // function 'extractWHEREclause()' is defined in 'include.inc.php'
		// TODO: For Atom XML, the query string should not get HTML encoded!
		$subTitle = "Displays records where " . encodeHTML(explainSQLQuery($whereClause)); // functions 'encodeHTML()' and 'explainSQLQuery()' are defined in 'include.inc.php'
	}
	addNewBranch($feed, "subtitle", array(), $subTitle);

	// - 'updated':
	// (TODO: the timestamp in the 'updated' element should really only get updated if any of the matching records was updated, right?)
	addNewBranch($feed, "updated", array(), generateISO8601TimeStamp()); // function 'generateISO8601TimeStamp()' is defined in 'include.inc.php'

	// - 'author':
	$author = new XMLBranch("author");
	$author->setTagContent($feedDatabaseName, "author/name");
	$author->setTagContent($feedbackEmail, "author/email");
	$author->setTagContent($databaseBaseURL, "author/uri");
	$feed->addXMLBranch($author);

	// - 'generator', 'icon', 'logo':
	addNewBranch($feed, "generator", array("uri" => "http://www.refbase.net/", "version" => "0.9.5"), "Web Reference Database (http://refbase.sourceforge.net)");
	addNewBranch($feed, "icon", array(), $databaseBaseURL . $faviconImageURL);
	addNewBranch($feed, "logo", array(), $databaseBaseURL . $logoImageURL);

	// - 'link' (more links will be added in function 'atomCollection()'):
	atomLink($feed, $databaseBaseURL . "opensearch.php?operation=explain", "search", "OpenSearch", $feedDatabaseName); // link to the OpenSearch Description file
	atomLink($feed, $databaseBaseURL . "unapi.php", "unapi:unapi-server", "unAPI", "unAPI"); // link to the unAPI server

	return $feed;
}