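/**
 * Builds the SQL query that corresponds to the action chosen in the 'queryResults' form.
 *
 * @param string $displayType           requested action: "Cite", "Display", "Export", "Add" or "Remove" (matched case-insensitively)
 * @param string $originalDisplayType   display type to restore after an "Add"/"Remove" action
 * @param string $showLinks             "1" if link columns are wanted (also passed on to 'buildSELECTclause()')
 * @param string $citeOrder             "year", "type", "type-year", "creation-date" or anything else for the default citation order
 * @param string $orderBy               ORDER BY expression used for "Display"/"Export" (appended to the query as given)
 * @param string $userID                ID of the logged-in user (joined against 'user_id' in the user data table)
 * @param string $sqlQuery              the current SQL query
 * @param string $referer               not used within this function
 * @param array  $recordSerialsArray    serial numbers of the records the user checked
 * @param string $recordsSelectionRadio "1" to process ALL found records, anything else to process only the checked ones
 * @return array two elements: the constructed SQL query (null if '$displayType' is none of the supported actions) and the (possibly re-assigned) display type
 */
function extractFormElementsQueryResults($displayType, $originalDisplayType, $showLinks, $citeOrder, $orderBy, $userID, $sqlQuery, $referer, $recordSerialsArray, $recordsSelectionRadio)
{
    global $tableRefs, $tableUserData; // defined in 'db.inc.php'

    // Initialize outputs so that every code path returns defined values
    // ('$query' used to be undefined for an unsupported '$displayType', and
    // '$userGroup' for users without the 'allow_user_groups' permission):
    $query = null;
    $userGroup = "";

    // Determine the 'WHERE' clause that selects the records to operate on:
    if ($recordsSelectionRadio == "1") {
        // Process ALL found records: extract the 'WHERE' clause from the SQL query
        // (function 'extractWHEREclause()' is defined in 'include.inc.php'):
        $queryWhereClause = extractWHEREclause($sqlQuery);

        if (preg_match("/^(Add|Remove)\$/i", $displayType)) {
            // the user clicked either the 'Add' or the 'Remove' button; get the serial numbers of
            // all found records (required by function 'modifyUserGroups()')
            // (function 'getFieldContents()' is defined in 'include.inc.php'):
            $recordSerialsArray = getFieldContents($tableRefs, "serial", $userID, $queryWhereClause);
        }
    } else {
        // Process only the checked records:
        if (empty($recordSerialsArray)) {
            // the user did NOT check any checkboxes; since '0' doesn't exist as serial number,
            // this will result in a "nothing found" feedback
            // (assigning a fresh array avoids the '[]' operator on a non-array value):
            $recordSerialsArray = array("0");
        }
        $queryWhereClause = "serial RLIKE " . quote_smart("^(" . implode("|", $recordSerialsArray) . ")\$");
    }

    // Extract the chosen user group from the request (only for logged-in users that are allowed to use user groups):
    if (isset($_SESSION['loginEmail']) and (isset($_SESSION['user_permissions']) and preg_match("/allow_user_groups/", $_SESSION['user_permissions']))) {
        // user option whether to process an existing group name chosen from the popup menu ("1")
        // or a custom/new group name that was entered in the text entry field:
        $userGroupActionRadio = (isset($_REQUEST['userGroupActionRadio']) ? $_REQUEST['userGroupActionRadio'] : "");
        $userGroupField = ($userGroupActionRadio == "1") ? 'userGroupSelector' : 'userGroupName';
        if (isset($_REQUEST[$userGroupField])) {
            $userGroup = $_REQUEST[$userGroupField];
        }
    }

    // Depending on the chosen output format, construct an appropriate SQL query:
    // TODO: build the complete SQL query using functions 'buildFROMclause()' and 'buildORDERclause()'
    if (preg_match("/^(Cite|Display|Export)\$/i", $displayType)) {
        $query = buildSELECTclause($displayType, $showLinks); // function 'buildSELECTclause()' is defined in 'include.inc.php'

        if (isset($_SESSION['loginEmail'])) {
            // a user is logged in: join the user-specific data
            $query .= " FROM {$tableRefs} LEFT JOIN {$tableUserData} ON serial = record_id AND user_id = " . quote_smart($userID) . " WHERE " . $queryWhereClause;
        } else {
            // NO user logged in
            $query .= " FROM {$tableRefs} WHERE " . $queryWhereClause;
        }

        if (preg_match("/^Cite\$/i", $displayType)) {
            // citation output is sorted according to '$citeOrder':
            $citeOrderClauses = array(
                "year"          => "year DESC, first_author, author_count, author, title", // year (descending) first, then the usual way
                "type"          => "type DESC, thesis DESC, first_author, author_count, author, year, title", // record type (and thesis type) first
                "type-year"     => "type DESC, thesis DESC, year DESC, first_author, author_count, author, title", // record type, then year (descending)
                "creation-date" => "created_date DESC, created_time DESC, modified_date DESC, modified_time DESC, serial DESC", // newly added/edited records on top
            );
            if (is_string($citeOrder) and isset($citeOrderClauses[$citeOrder])) {
                $query .= " ORDER BY " . $citeOrderClauses[$citeOrder];
            } else {
                // any other or no '$citeOrder': default pattern (suitable for citation in a journal etc.)
                $query .= " ORDER BY first_author, author_count, author, year, title";
            }
        } else {
            // NOTE(review): '$orderBy' is appended to the query verbatim; nothing in this function restricts it
            // to known sortable columns — confirm the caller validates it before it reaches this point.
            $query .= " ORDER BY {$orderBy}";
        }
    } elseif (isset($_SESSION['loginEmail']) and preg_match("/^(Add|Remove)\$/i", $displayType)) {
        if (!empty($userGroup)) {
            // the user clicked either the 'Add' or the 'Remove' button: add (remove) the selected records
            // to (from) the specified user group (function 'modifyUserGroups()' is defined in 'include.inc.php')
            modifyUserGroups($tableUserData, $displayType, $recordSerialsArray, $userID, $userGroup);
        }

        // re-apply the current sqlQuery, adding the columns the results display needs;
        // the table name is quoted so that it matches literally even if it contains regex metacharacters:
        $fromPattern = "/ FROM " . preg_quote($tableRefs, "/") . "/i";
        // 'orig_record' column (required in order to present visual feedback on duplicate records):
        $query = preg_replace($fromPattern, ", orig_record FROM {$tableRefs}", $sqlQuery);
        // 'serial' column (required in order to obtain unique checkbox names):
        $query = preg_replace($fromPattern, ", serial FROM {$tableRefs}", $query);
        if ($showLinks == "1") {
            // 'file', 'url', 'doi', 'isbn' & 'type' columns:
            $query = preg_replace($fromPattern, ", file, url, doi, isbn, type FROM {$tableRefs}", $query);
        }

        // re-assign the correct display type since the user clicked the 'Add' or 'Remove' button of the 'queryResults' form:
        $displayType = $originalDisplayType;
    }

    return array($query, $displayType);
}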
         $callNumber = preg_quote($callNumber, "");
         // escape any meta characters
         // replace any whitespace characters with "|":
         $callNumber = preg_replace("/\\s+/", "|", $callNumber);
         // strip "|" from beginning/end of string (if any):
         $callNumber = preg_replace("/^\\|?(.+?)\\|?\$/", "\\1", $callNumber);
         $query .= " call_number RLIKE " . quote_smart("(^|.*;) *" . $callNumberPrefix . " @ (" . $callNumber . ") *(;.*|\$)");
     } else {
         // $recordConditionalSelector == "contains"
         $query .= " call_number RLIKE " . quote_smart($callNumberPrefix . " @ [^@;]*" . $callNumber . "[^@;]*");
     }
 }
 // where:
 if (!empty($where)) {
     $query .= connectConditionals();
     $sanitizedWhereClause = extractWHEREclause(" WHERE " . $where);
     // attempt to sanitize custom WHERE clause from SQL injection attacks (function 'extractWHEREclause()' is defined in 'include.inc.php')
     $query .= " (" . $sanitizedWhereClause . ")";
     // add custom WHERE clause
 }
 // If, for some odd reason, 'records=all' was passed together with other parameters (such as in '.../show.php?records=all&author=steffens') we'll remove again
 // the generic WHERE clause part (i.e. ' serial RLIKE ".+"') from the query since its superfluous and would confuse other features (such as the "Seach within Results" functionality):
 if (preg_match('/WHERE serial RLIKE "\\.\\+" AND/i', $query)) {
     $query = preg_replace('/WHERE serial RLIKE "\\.\\+" AND/i', 'WHERE', $query);
 } elseif (preg_match("/WHERE\$/i", $query)) {
     // if still no WHERE clause was added (which is the case for URLs like 'show.php?submit=Browse&by=author')
     $query .= " serial RLIKE \".+\"";
 }
 // add generic WHERE clause
 // Build GROUP BY clause:
 if (preg_match("/^Browse\$/i", $displayType)) {
} else {
    $recordSchema = "rss";
}
// if no particular response format was requested we'll output found results as RSS 2.0
// Check the correct parameters have been passed:
if (empty($queryWhereClause)) {
    // No 'where' parameter: store a warning message and send the browser back to the calling page.
    // (functions 'returnMsg()' and 'scriptURL()' are defined in 'include.inc.php')
    $HeaderString = returnMsg($loc["Warning_IncorrectOrMissingParams"] . " '" . scriptURL() . "'!", "warning", "strong", "HeaderString");
    // NOTE(review): '$referer' (set globally in function 'start_session()' in 'include.inc.php') is used as the
    // redirect target as-is — confirm it is restricted to this site's own URLs.
    header("Location: " . $referer);
    exit; // !EXIT!
}

// attempt to sanitize the custom WHERE clause from SQL injection attacks
// (function 'extractWHEREclause()' is defined in 'include.inc.php'):
$sanitizedWhereClause = extractWHEREclause(" WHERE " . $queryWhereClause);

// --------------------------------------------------------------------

// If we made it here, then the script was called with all required parameters (which, currently, is just the 'where' parameter :)

// CONSTRUCT SQL QUERY:
// Note: the 'verifySQLQuery()' function that gets called below will add the user specific fields to the 'SELECT' clause and the
// 'LEFT JOIN...' part to the 'FROM' clause of the SQL query if a user is logged in. It will also add 'orig_record', 'serial', 'file', 'url', 'doi', 'isbn' & 'type' columns
// as required. Therefore it's sufficient to provide just the plain SQL query here.
// Records are sorted such that newly added/edited ones get listed top of the list.
// (function 'buildSELECTclause()' is defined in 'include.inc.php')
$sqlQuery = buildSELECTclause("RSS", "1", "", false, false)
          . " FROM {$tableRefs} WHERE " . $sanitizedWhereClause
          . " ORDER BY created_date DESC, created_time DESC, modified_date DESC, modified_time DESC, serial DESC";
// since a malicious user could change the 'where' parameter manually to gain access to user-specific data of other users, we'll run the SQL query thru the 'verifySQLQuery()' function:
// Emit the HTML head and the page header (functions 'displayHTMLhead()' and 'showPageHeader()' are defined in 'header.inc.php'),
// unless the caller asked for unwrapped results:
if ($wrapResults != "0") {
    displayHTMLhead(
        encodeHTML($officialDatabaseName) . " -- Query History",
        "noindex,nofollow",
        "Displays links to previous search results",
        "",
        false,
        "",
        $viewType,
        array()
    );
    // the visible header is omitted in print/mobile view ('viewType=Print' or 'viewType=Mobile'):
    if (!preg_match("/^(Print|Mobile)\$/i", $viewType)) {
        showPageHeader($HeaderString);
    }
    echo "\n";
}

// (4b) DISPLAY results:
echo '<div id="queryhistory">';

// Link to the current query (if there is one):
if (!empty($oldQuery)) {
    echo "\n\t<div id=\"currentquery\">", "\n\t\t<h5>Current Query</h5>";

    // Describe the current query by its 'WHERE' clause and build a 'search.php' URL that re-runs it
    // (functions 'extractWHEREclause()', 'explainSQLQuery()', 'encodeHTML()' and 'generateURL()' are defined in 'include.inc.php'):
    $queryWhereClause = extractWHEREclause($oldQuery["sqlQuery"]);
    $queryTitle = encodeHTML(explainSQLQuery($queryWhereClause));
    $queryURL = generateURL("search.php", "html", $oldQuery, true);

    // NOTE(review): '$queryURL' is written into the 'href' attribute exactly as returned by 'generateURL()';
    // confirm that function produces attribute-safe (HTML-encoded) output.
    echo "\n\t\t<div class=\"even\">",
         "\n\t\t\t<a href=\"{$queryURL}\">{$queryTitle}</a>",
         "\n\t\t</div>",
         "\n\t</div>";
}
// Print links to any previous search results:
if (!empty($queryHistory)) {
    echo "\n\t<div id=\"previousqueries\">" . "\n\t\t<h5>Previous Queries</h5>";
    $queryHistory = array_reverse($queryHistory);
    // Display links to previous search results:
    for ($i = 0; $i < count($queryHistory); $i++) {
        if (is_integer($i / 2)) {
/**
 * Creates the root 'feed' element of an Atom document together with its feed-level tags
 * (title, subtitle, updated, author, generator, icon, logo and the OpenSearch/unAPI links).
 *
 * @param string $atomOperation "Error" produces an error feed (static subtitle, no charset conversion of the database name);
 *                              any other value describes the current SQL query (global '$query') in the subtitle
 * @return XML the 'feed' element; further links get added in function 'atomCollection()'
 */
function atomGenerateBaseTags($atomOperation)
{
    // these variables are specified in 'ini.inc.php':
    global $officialDatabaseName, $databaseBaseURL, $feedbackEmail, $contentTypeCharset,
           $convertExportDataToUTF8, $logoImageURL, $faviconImageURL;
    global $query;

    // Root element with its namespace declarations (declared in this order):
    $feedNamespaces = array(
        "xmlns"            => "http://www.w3.org/2005/Atom",
        "xmlns:opensearch" => "http://a9.com/-/spec/opensearch/1.1/",
        // NOTE: is the unAPI namespace ok? Or should we use "http://unapi.info/specs/", or maybe something like "http://purl.org/unapi/ns/" ?
        "xmlns:unapi"      => "http://unapi.info/",
        "xmlns:dc"         => "http://purl.org/dc/elements/1.1/",
        "xmlns:dcterms"    => "http://purl.org/dc/terms/",
        "xmlns:prism"      => "http://prismstandard.org/namespaces/1.2/basic/",
    );
    $atomCollection = new XML("feed");
    foreach ($feedNamespaces as $nsAttribute => $nsURI) {
        $atomCollection->setTagAttribute($nsAttribute, $nsURI);
    }

    // Database name escaped for markup (function 'encodeHTMLspecialchars()' is defined in 'include.inc.php');
    // for regular (non-error) feeds it is converted to UTF-8 if '$convertExportDataToUTF8' is set to "yes"
    // in 'ini.inc.php' and the character encoding isn't UTF-8 already
    // (function 'convertToCharacterEncoding()' is defined in 'include.inc.php'):
    $isErrorFeed = ($atomOperation == "Error");
    $officialDatabaseNameConv = encodeHTMLspecialchars($officialDatabaseName);
    if (!$isErrorFeed and $convertExportDataToUTF8 == "yes" and $contentTypeCharset != "UTF-8") {
        $officialDatabaseNameConv = convertToCharacterEncoding("UTF-8", "IGNORE", $officialDatabaseNameConv);
    }

    // ----------------------------------------------------------
    // Feed-level tags (not yet used: category, contributor, rights):

    // - 'title':
    addNewBranch($atomCollection, "title", array("type" => "text"), $officialDatabaseNameConv);

    // - 'subtitle':
    if ($isErrorFeed) {
        $subTitle = "Search error!";
    } else {
        // describe the 'WHERE' clause of the SQL query in natural language (well, sort of)
        // (functions 'extractWHEREclause()', 'explainSQLQuery()' and 'encodeHTML()' are defined in 'include.inc.php')
        // TODO: For Atom XML, the query string should not get HTML encoded!
        $subTitle = "Displays records where " . encodeHTML(explainSQLQuery(extractWHEREclause($query)));
    }
    addNewBranch($atomCollection, "subtitle", array(), $subTitle);

    // - 'updated' (function 'generateISO8601TimeStamp()' is defined in 'include.inc.php'):
    //   (TODO: the timestamp in the 'updated' element should really only get updated if any of the matching records was updated, right?)
    addNewBranch($atomCollection, "updated", array(), generateISO8601TimeStamp());

    // - 'author':
    $authorBranch = new XMLBranch("author");
    $authorFields = array(
        "name"  => $officialDatabaseNameConv,
        "email" => $feedbackEmail,
        "uri"   => $databaseBaseURL,
    );
    foreach ($authorFields as $authorTag => $authorContent) {
        $authorBranch->setTagContent($authorContent, "author/" . $authorTag);
    }
    $atomCollection->addXMLBranch($authorBranch);

    // - 'generator', 'icon', 'logo':
    addNewBranch($atomCollection, "generator", array("uri" => "http://www.refbase.net/", "version" => "0.9.5"), "Web Reference Database (http://refbase.sourceforge.net)");
    addNewBranch($atomCollection, "icon", array(), $databaseBaseURL . $faviconImageURL);
    addNewBranch($atomCollection, "logo", array(), $databaseBaseURL . $logoImageURL);

    // - 'link' (more links will be added in function 'atomCollection()'):
    //   - OpenSearch Description file:
    atomLink($atomCollection, $databaseBaseURL . "opensearch.php?operation=explain", "search", "OpenSearch", $officialDatabaseNameConv);
    //   - unAPI server:
    atomLink($atomCollection, $databaseBaseURL . "unapi.php", "unapi:unapi-server", "unAPI", "unAPI");

    return $atomCollection;
}