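/**
 * POST handler for the game-object template search: builds the WHERE
 * clause from the submitted filters, runs one SELECT against the realm's
 * world database and appends the result table to the global $output.
 *
 * Filters read from $_POST: entry, displayId, faction, flags (unsigned
 * integers), name and ScriptName (LIKE patterns), type (-1 = any) and
 * custom_search (a raw SQL fragment, see the warning below). When no
 * filter at all is supplied the user is redirected to
 * game_object.php?error=1.
 *
 * Globals read: $lang_global, $lang_game_object, $world_db, $realm_id,
 * $go_datasite, $sql_search_limit. Global written: $output.
 * Side effects: opens/closes a world-db connection, calls wowhead_tt(),
 * makebutton() and possibly redirect().
 */
function do_search()
{
    global $lang_global, $lang_game_object, $output, $world_db, $realm_id, $go_datasite, $sql_search_limit;

    wowhead_tt();
    require_once "./scripts/get_lib.php";
    $deplang = get_lang_id();

    // ---- input validation -------------------------------------------------
    // Every field is read with a default so a missing key never raises an
    // "undefined index" notice; a non-string value (e.g. `name[]=`) counts
    // as absent.
    $text = array();
    foreach (array('name', 'ScriptName', 'custom_search') as $key) {
        $text[$key] = (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
    }
    // Integer columns: accept digits only. A non-numeric string used to
    // reach MySQL, which coerces it to 0 and then matches every row whose
    // column is 0.
    $number = array();
    foreach (array('entry', 'displayId', 'faction', 'flags') as $key) {
        $value = (isset($_POST[$key]) && is_string($_POST[$key])) ? trim($_POST[$key]) : '';
        $number[$key] = preg_match('/^\d+$/', $value) ? $value : '';
    }
    // A missing or non-numeric type means "any" (-1); previously a missing
    // type slipped through as null and produced a bogus `type = ''` clause.
    $type = -1;
    if (isset($_POST['type']) && is_string($_POST['type']) && preg_match('/^\d+$/', $_POST['type'])) {
        $type = (int) $_POST['type'];
    }

    $has_filter = ($type != -1);
    foreach (array_merge($text, $number) as $value) {
        if ($value !== '') {
            $has_filter = true;
        }
    }
    if (!$has_filter) {
        redirect("game_object.php?error=1");
    }

    // ---- query --------------------------------------------------------------
    $sql = new SQL();
    $sql->connect($world_db[$realm_id]['addr'], $world_db[$realm_id]['user'], $world_db[$realm_id]['pass'], $world_db[$realm_id]['name']);

    // Prefer the localized name column when a language is selected; IFNULL
    // falls back to the base `name` column either way.
    $name_col = "IFNULL(" . ($deplang != 0 ? "name_loc{$deplang}" : "NULL") . ",`name`)";

    $where = "WHERE gameobject_template.entry > 0 ";

    // SECURITY: custom_search is spliced into the statement verbatim as a
    // SQL fragment (it is expected to start with "AND ..."). quote_smart()
    // only escapes quote characters, so anyone who can submit this form can
    // run arbitrary WHERE conditions against the world database. Keep this
    // page restricted to trusted administrators, or remove the field.
    if ($text['custom_search'] !== '') {
        $where .= " " . $sql->quote_smart($text['custom_search']) . " ";
    }
    if ($number['entry'] !== '') {
        $where .= "AND gameobject_template.entry = '{$number['entry']}' ";
    }
    if ($text['name'] !== '') {
        $where .= "AND {$name_col} LIKE '%" . $sql->quote_smart($text['name']) . "%' ";
    }
    if ($type != -1) {
        $where .= "AND type = '{$type}' ";
    }
    if ($text['ScriptName'] !== '') {
        $where .= "AND ScriptName LIKE '%" . $sql->quote_smart($text['ScriptName']) . "%' ";
    }
    if ($number['displayId'] !== '') {
        $where .= "AND displayId = '{$number['displayId']}' ";
    }
    if ($number['faction'] !== '') {
        $where .= "AND faction = '{$number['faction']}' ";
    }
    if ($number['flags'] !== '') {
        $where .= "AND flags = '{$number['flags']}' ";
    }

    // Nothing survived validation: same redirect as for an empty form.
    if ($where == "WHERE gameobject_template.entry > 0 ") {
        redirect("game_object.php?error=1");
    }

    $result = $sql->query("SELECT gameobject_template.entry, type, displayId, {$name_col} as name, faction FROM gameobject_template LEFT JOIN locales_gameobject ON gameobject_template.entry = locales_gameobject.entry {$where} ORDER BY gameobject_template.entry LIMIT {$sql_search_limit}");
    $total_found = $sql->num_rows($result);

    // ---- output -------------------------------------------------------------
    // (A stray "</td>" that used to follow the opening <table> tag is gone.)
    $output .= "<center>\r\n <table class=\"top_hidden\">\r\n <tr><td>";
    makebutton($lang_game_object['new_search'], "game_object.php", 160);
    $output .= "</td>\r\n <td align=\"right\">{$lang_game_object['tot_found']} : {$total_found} : {$lang_global['limit']} {$sql_search_limit}</td>\r\n </tr></table>";
    $output .= "<table class=\"lined\">\r\n <tr>\r\n"
        . " <th width=\"10%\">{$lang_game_object['entry']}</th>\r\n"
        . " <th width=\"40%\">{$lang_game_object['name']}</th>\r\n"
        . " <th width=\"20%\">{$lang_game_object['type']}</th>\r\n"
        . " <th width=\"15%\">{$lang_game_object['displayId']}</th>\r\n"
        . " <th width=\"15%\">{$lang_game_object['faction']}</th>\r\n"
        . " </tr>";

    // Column order matches the SELECT list: 0 entry, 1 type, 2 displayId,
    // 3 name, 4 faction. Values are escaped before they reach the HTML.
    for ($i = 1; $i <= $total_found; $i++) {
        $go = $sql->fetch_row($result);
        $entry_id = (int) $go[0];
        $output .= "<tr>\r\n"
            . " <td><a href=\"{$go_datasite}{$entry_id}\" target=\"_blank\">{$entry_id}</a></td>\r\n"
            . " <td><a href=\"game_object.php?action=edit&entry={$entry_id}&error=4\">" . htmlentities((string) $go[3]) . "</a></td>\r\n"
            . " <td>" . get_go_type($go[1]) . "</td>\r\n"
            . " <td>" . htmlspecialchars((string) $go[2]) . "</td>\r\n"
            . " <td>" . htmlspecialchars((string) $go[4]) . "</td>\r\n"
            . " </tr>";
    }
    $output .= "</table></center><br />";
    $sql->close();
}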
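/**
 * GET handler for the game-object template search page: renders the
 * search form, then the paginated list of templates matching the filters
 * in $_GET, appending everything to the global $output.
 *
 * Filters read from $_GET: entry, displayid, faction, flags (unsigned
 * integers), name (LIKE pattern) and type (-1 = any); paging/ordering:
 * start, order_by, dir. A request that sends type=-1 with every other
 * filter blank is redirected to object.php?error=1; a request without a
 * type parameter at all (plain page load) is not redirected, so the form
 * still renders above the unfiltered list.
 *
 * Globals read: $sql (the ['world'] connection), $core,
 * $locales_search_option, $itemperpage, $go_types, $site_encoding.
 * Global written: $output.
 * Side effects: runs SELECTs on the world database (one COUNT per result
 * row for the spawn count), calls makebutton(), generate_pagination(),
 * get_go_type(), lang() and possibly redirect().
 */
function search()
{
    global $output, $locales_search_option, $itemperpage, $go_types, $sql, $core, $site_encoding;

    //------------------- input validation ----------------------------------
    // Paging offset: digits only. A numeric string such as "1e3" used to
    // pass is_numeric() and break the LIMIT clause.
    $start = 0;
    if (isset($_GET['start']) && is_string($_GET['start']) && preg_match('/^\d+$/', $_GET['start'])) {
        $start = (int) $_GET['start'];
    }

    // order_by and dir are only echoed into the pagination links (the
    // result set is always ordered by entry); the whitelist regexes make
    // them safe to place in a URL unchanged.
    $order_by = 'acct';
    if (isset($_GET['order_by']) && is_string($_GET['order_by']) && preg_match('/^[_[:lower:]]{1,15}$/', $_GET['order_by'])) {
        $order_by = $_GET['order_by'];
    }
    $dir = 1;
    if (isset($_GET['dir']) && is_string($_GET['dir']) && preg_match('/^[01]$/', $_GET['dir'])) {
        $dir = (int) $_GET['dir'];
    }

    // Integer columns: accept digits only; anything else (including an
    // array from `entry[]=`) counts as "not supplied". A non-numeric string
    // used to reach MySQL, which coerces it to 0 and matches every row
    // whose column is 0. The GET key for the display id is `displayid`
    // (what the form below sends); the old code read `displayid` but
    // tested and echoed a never-set `displayId`/`$displayid` pair.
    $number = array();
    foreach (array('entry', 'displayid', 'faction', 'flags') as $key) {
        $value = (isset($_GET[$key]) && is_string($_GET[$key])) ? trim($_GET[$key]) : '';
        $number[$key] = preg_match('/^\d+$/', $value) ? $value : '';
    }
    $entry     = $number['entry'];
    $displayid = $number['displayid'];
    $faction   = $number['faction'];
    $flags     = $number['flags'];

    $name = (isset($_GET['name']) && is_string($_GET['name'])) ? $_GET['name'] : '';

    // -1 is the "any type" option of the <select>; non-numeric input is
    // treated the same way.
    $type = -1;
    if (isset($_GET['type']) && is_string($_GET['type']) && preg_match('/^\d+$/', $_GET['type'])) {
        $type = (int) $_GET['type'];
    }

    if ($entry === '' && $name === '' && $displayid === '' && $faction === '' && $flags === ''
        && isset($_GET['type']) && $type == -1) {
        redirect("object.php?error=1");
    }

    // The name is escaped for the context it is used in: quote_smart() for
    // SQL, htmlspecialchars() for the form attribute, urlencode() for links.
    // The numeric filters are digit-only by now and need no escaping.
    $name_attr = htmlspecialchars($name, ENT_COMPAT, $site_encoding);

    // Filter parameters carried on every pagination and "view" link so a
    // page change or a detail view keeps the current search. `type` is
    // included whenever a real type is selected (a truthiness test used to
    // drop type 0).
    $filter_qs = '';
    if ($name !== '') {
        $filter_qs .= '&name=' . urlencode($name);
    }
    if ($type != -1) {
        $filter_qs .= '&type=' . $type;
    }
    if ($displayid !== '') {
        $filter_qs .= '&displayid=' . $displayid;
    }
    if ($faction !== '') {
        $filter_qs .= '&faction=' . $faction;
    }
    if ($flags !== '') {
        $filter_qs .= '&flags=' . $flags;
    }

    //------------------- search form -----------------------------------------
    // The two supported cores keep templates in differently named tables.
    $template_table = ($core == 1) ? 'gameobject_names' : 'gameobject_template';
    $result = $sql["world"]->query("SELECT COUNT(*) FROM " . $template_table);
    $tot_go = $sql["world"]->result($result, 0);

    $output .= '
<div class="fieldset_border">
<span class="legend">' . lang("game_object", "search_template") . '</span>
<br />
<form action="object.php" method="get" id="form">
<div>
<!-- input type="hidden" name="action" value="do_search" / -->
<input type="hidden" name="error" value="2" />
</div>
<table class="hidden center">
<tr>
<td>' . lang("game_object", "entry") . ':</td>
<td>
<input type="text" size="14" maxlength="11" name="entry" value="' . $entry . '" />
</td>
<td>' . lang("game_object", "name") . ':</td>
<td colspan="3">
<input type="text" size="45" maxlength="100" name="name" value="' . $name_attr . '" />
</td>
</tr>
<tr>
<td> </td>
<td> </td>
<td>' . lang("game_object", "type") . ':</td>
<td colspan="3" align="left">
<select name="type">
<option value="-1"' . ($type == -1 ? ' selected="selected" ' : '') . '>' . lang("game_object", "select") . '</option>';
    foreach ($go_types as $row) {
        $output .= '
<option value="' . $row[0] . '"' . ($type == $row[0] ? ' selected="selected" ' : '') . '>' . $row[0] . ' ' . $row[1] . '</option>';
    }
    $output .= '
</select>
</td>
</tr>
<tr>
<td>' . lang("game_object", "displayId") . ':</td>
<td>
<input type="text" size="14" maxlength="11" name="displayid" value="' . $displayid . '" />
</td>
<td>' . lang("game_object", "flags") . ':</td>
<td align="left">
<input type="text" size="15" maxlength="11" name="flags" value="' . $flags . '" />
</td>';
    if ($core != 1) {
        $output .= '
<td>' . lang("game_object", "faction") . ':</td>
<td align="left">
<input type="text" size="14" maxlength="11" name="faction" value="' . $faction . '" />
</td>';
    } else {
        $output .= '
<td colspan="2"> </td>';
    }
    $output .= '
</tr>
<tr>
<td colspan="3">';
    makebutton(lang("game_object", "search"), "javascript:do_submit()", 150);
    $output .= '
</td>
<td colspan="3">' . lang("game_object", "tot_go_templ") . ': ' . $tot_go . '</td>
</tr>
</table>
</form>
</div>
<br />
<br />';

    //------------------- filtered template list ------------------------------
    $where = $template_table . ".entry>0 ";
    if ($entry !== '') {
        $where .= "AND " . $template_table . ".entry='" . $entry . "' ";
    }
    if ($name !== '') {
        $where .= "AND `name` LIKE '%" . $sql["world"]->quote_smart($name) . "%' ";
    }
    if ($type != -1) {
        $where .= "AND type='" . $type . "' ";
    }
    if ($displayid !== '') {
        $where .= "AND displayId='" . $displayid . "' ";
    }
    // gameobject_names (core 1) has no faction column and the form hides the
    // field there; applying the filter would only produce a SQL error.
    if ($faction !== '' && $core != 1) {
        $where .= "AND gameobject_template.faction='" . $faction . "' ";
    }
    if ($flags !== '') {
        $where .= "AND flags='" . $flags . "' ";
    }

    if ($core == 1) {
        // Note: an unbalanced ')' that used to follow the language_code
        // literal in the join has been removed.
        $query = "SELECT *, Type AS type, DisplayID AS displayId, gameobject_names.Name AS name1"
            . ($locales_search_option != 0 ? ", gameobject_names_localized.name AS name" : "")
            . "\r\n FROM gameobject_names "
            . ($locales_search_option != 0 ? "LEFT JOIN gameobject_names_localized ON gameobject_names.entry=gameobject_names_localized.entry AND language_code='" . $locales_search_option . "' " : " ")
            . "WHERE " . $where
            . "\r\n ORDER BY gameobject_names.entry\r\n LIMIT " . $start . ", " . $itemperpage;
        $query1 = "SELECT COUNT(*) FROM gameobject_names WHERE " . $where;
    } else {
        $query = "SELECT *\r\n FROM gameobject_template "
            . ($locales_search_option != 0 ? "LEFT JOIN locales_gameobject ON gameobject_template.entry=locales_gameobject.entry " : "")
            . "WHERE " . $where
            . "\r\n ORDER BY gameobject_template.entry\r\n LIMIT " . $start . ", " . $itemperpage;
        $query1 = "SELECT COUNT(*) FROM gameobject_template WHERE " . $where;
    }
    $result = $sql["world"]->query($query);
    $page_total = $sql["world"]->num_rows($result);
    $total_row = $sql["world"]->fetch_assoc($sql["world"]->query($query1));
    $total_found = $total_row["COUNT(*)"];

    // The pager URL is identical above and below the table; the received
    // dir value is passed on unchanged (the old double flip was a no-op).
    $pager_url = 'object.php?order_by=' . $order_by . '&dir=' . $dir . $filter_qs;

    $output .= '
<table class="top_hidden">
<tr>
<td>';
    makebutton(lang("game_object", "new_search"), "object.php", 160);
    $output .= '
</td>
<td align="right">' . lang("game_object", "tot_found") . ' : ' . $total_found . '</td>
</tr>
<tr>
<td> </td>
<td align="right">';
    $output .= generate_pagination($pager_url, $total_found, $itemperpage, $start);
    $output .= '
</td>
</tr>
</table>
<table class="lined">
<tr>
<th style="width: 10%;">' . lang("game_object", "entry") . '</th>
<th style="width: 40%;">' . lang("game_object", "name") . '</th>
<th style="width: 20%;">' . lang("game_object", "type") . '</th>
<th style="width: 15%;">' . lang("game_object", "displayId") . '</th>';
    if ($core != 1) {
        $output .= '
<th style="width: 15%;">' . lang("game_object", "faction") . '</th>';
    }
    $output .= '
<th>' . lang("game_object", "spawncount") . '</th>
</tr>';

    for ($i = 1; $i <= $page_total; $i++) {
        $go = $sql["world"]->fetch_assoc($result);
        // entry is an integer key in both schemas (the WHERE compares it
        // with 0), so the cast also makes it safe for SQL and HTML below.
        $go_entry = (int) $go["entry"];

        // Pick the localized name when a search locale is configured; the
        // column differs between the two core schemas.
        if ($core == 1) {
            $go_name = $locales_search_option ? $go["name"] : $go["name1"];
        } else {
            $go_name = $locales_search_option ? $go["name_loc" . $locales_search_option] : $go["name"];
        }

        // One COUNT per row for the spawn count of this template.
        if ($core == 1) {
            $count_query = "SELECT COUNT(*) FROM gameobject_spawns WHERE Entry='" . $go_entry . "'";
        } else {
            $count_query = "SELECT COUNT(*) FROM gameobject WHERE id='" . $go_entry . "'";
        }
        $count_row = $sql["world"]->fetch_assoc($sql["world"]->query($count_query));
        $spawn_count = $count_row["COUNT(*)"];

        $view_url = htmlspecialchars('object.php?action=view&entry=' . $go_entry . $filter_qs . '&error=3', ENT_COMPAT, $site_encoding);
        $output .= '
<tr>
<td>
<a href="' . $view_url . '">' . $go_entry . '</a>
</td>
<td>
<a href="' . $view_url . '">' . htmlspecialchars((string) $go_name, ENT_COMPAT, $site_encoding) . '</a>
</td>
<td>' . get_go_type($go["type"]) . '</td>
<td>' . htmlspecialchars((string) $go["displayId"], ENT_COMPAT, $site_encoding) . '</td>';
        if ($core != 1) {
            $output .= '
<td>' . htmlspecialchars((string) $go["faction"], ENT_COMPAT, $site_encoding) . '</td>';
        }
        $output .= '
<td>' . $spawn_count . '</td>
</tr>';
    }
    $output .= '
</table>
<table class="top_hidden">
<tr>
<td align="right">';
    $output .= generate_pagination($pager_url, $total_found, $itemperpage, $start);
    $output .= '
</td>
</tr>
</table>
<br />';
}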