public function getRecords(&$config, $db, $user, $request) { if (!is_array($request->categories)) { return true; } if ($request->action == 'new') { return true; } foreach ($request->categories as $category => $identifiers) { $this->assets[$category] = array(); /* if the order-by field isn't in this category, default to Identifier */ if (!in_array($request->order['field'], array_keys($this->fields[$category]))) { $request->order['field'] = 'Identifier'; } /* convert identifiers to numeric sort */ if ($request->order['field'] == 'Identifier') { $order = 'CAST(SUBSTR(`Identifier`,6) AS SIGNED) ' . sql_real_escape($request->order['direction'], $db->link); } else { $order = "`" . sql_real_escape($request->order['field'], $db->link) . "` " . sql_real_escape($request->order['direction'], $db->link); } /* retrieve assets from the table */ if (empty($identifiers) || $request->action == 'save') { $select = "1=1"; $limit = $request->limit > 0 ? "{$request->limit}," . ($request->limit + $config->values['list_max']) : "0,{$config->values['list_max']}"; } else { $select = "`Identifier`='" . implode("' OR `Identifier`='", $identifiers) . "'"; $limit = count($identifiers); } $query = SLAM_makePermsQuery($config, $db, $user, '*', $category, $select, $order, $limit); if (($this->assets[$category] = $db->getRecords($query)) === false) { $config->errors[] = 'Database error: Error retrieving assets:' . $db->ErrorState() . $query; } /* count the number of visible assets in the category */ $query = SLAM_makePermsQuery($config, $db, $user, 'COUNT(*)', $category, $select); if (($count = $db->getRecords($query)) === false) { $config->errors[] = 'Database error: Error counting assets:' . $db->ErrorState() . $query; } $this->counts[$category] = $count[0]['COUNT(*)']; } return true; }
function SLAM_loadSearchResults($config, $db, $user, $request) { /* runs a search query on the requested tables and returns as SLAMresult containing the matching records */ /* return empty result on invalid attempt */ if (empty($request->search)) { return new SLAMresult(); } $categories = array_keys($request->categories); if (empty($categories)) { return new SLAMresult(); } /* collect all of the possible fields to search in from the current category(s)*/ $result = new SLAMresult(); /* retrieve the structure of the categories in the request */ $result->getStructures($config, $db, $user, $request); /* retrieve all the searchable fields in the provided category(s) */ $fields = array(); foreach ($categories as $category) { if (empty($fields)) { $fields = array_keys($result->fields[$category]); } else { $fields = array_intersect($fields, array_keys($result->fields[$category])); } } /* if the user isn't a superuser, make sure that hidden fields aren't searched */ $diff = array_intersect($fields, $config->values['hide_fields']); if (!$user->superuser) { $fields = array_diff($fields, $diff); } /* don't forget to remove the pseudofields! */ $diff = array_intersect($fields, array('permissions', 'Files')); $fields = array_diff($fields, $diff); /* use an assoc array to sanitize search modes */ $allowed_modes = array('LIKE' => 'LIKE', 'NOT LIKE' => 'NOT LIKE', '>' => '>', '<' => '<', '=' => '='); $allowed_likes = array('LIKE', 'NOT LIKE'); $allowed_joins = array('AND', 'OR'); /* extract search terms */ $terms = array(); $joins = array(); foreach ($request->search['field'] as $i => $field) { /* automatically bracket LIKE and NOTLIKE terms with % */ $value = in_array($request->search['mode'][$i], $allowed_likes) ? "%{$request->search['value'][$i]}%" : $request->search['value'][$i]; /* joins have to be in the approved list, or they default to AND */ $joins[] = in_array($request->search['join'][$i], $allowed_joins) ? $request->search['join'][$i] : 'AND'; if (in_array($field, $fields)) { $terms[] = '`' . sql_real_escape($field, $db->link) . '` ' . $allowed_modes[$request->search['mode'][$i]] . ' \'' . sql_real_escape($value, $db->link) . '\''; } elseif ($field == '(Search all)') { /* build a special term that contains all of the available fields with OR joins */ $sub_terms = array(); foreach ($fields as $field) { $sub_terms[] = '`' . sql_real_escape($field, $db->link) . '` ' . $allowed_modes[$request->search['mode'][$i]] . ' \'' . sql_real_escape($value, $db->link) . '\''; } if ($request->search['mode'][$i] == 'LIKE') { $terms[] = '( ' . implode(' OR ', $sub_terms) . ' )'; } else { $terms[] = '( ' . implode(' AND ', $sub_terms) . ' )'; } } else { /* if the field name isn't present in the fields of the current category(s), bail */ $config->errors[] = "Error: User attempted to search field named '{$field}' which isn't in the current categories."; continue; } } /* generate the limit based upon the previously provided limit */ $limit = $request->limit > 0 ? "{$request->limit}," . ($request->limit + $config->values['list_max']) : "0,{$config->values['list_max']}"; /* run the query on each category */ foreach ($categories as $category) { /* check that the order-by field is appropriate for this category */ if (!in_array($request->order['field'], array_keys($result->fields[$category]))) { $request->order['field'] = 'Identifier'; } /* convert identifiers to numeric sort */ if ($request->order['field'] == 'Identifier') { $order = 'CAST(SUBSTR(`Identifier`,6) AS SIGNED) ' . sql_real_escape($request->order['direction'], $db->link); } else { $order = "`" . sql_real_escape($request->order['field'], $db->link) . "` " . sql_real_escape($request->order['direction'], $db->link); } /* construct the select statement by putting together the field names and joining conjunctions */ $select = ''; foreach ($terms as $i => $term) { $select .= count($terms) > 1 && $i < count($terms) - 1 ? "{$term} {$joins[$i]} " : $term; } /* generate the query */ $query = SLAM_makePermsQuery($config, $db, $user, '*', $category, $select, $order, $limit); /* execute the query */ if (($result->assets[$category] = $db->getRecords($query)) === false) { $config->errors[] = 'Database error: Error retrieving search:' . $db->ErrorState() . $query; return new SLAMresult(); } /* count the number of assets in the category */ $query = SLAM_makePermsQuery($config, $db, $user, 'COUNT(*)', $category, $select); if (($count = $db->getRecords($query)) === false) { $config->errors[] = 'Database error: Error counting assets:' . $db->ErrorState() . $query; } $result->counts[$category] = $count[0]['COUNT(*)']; } /* associate the retrieved records with their permissions*/ $result->getPermissions($config, $db, $user, $request); return $result; }