Context Navigation

source: tags/2.7.3/search.php @ 30975

Last change on this file since 30975 was 30867, checked in by plg, 9 years ago

merge r30864 from trunk to branch 2.7

bug 3186: improved security on search.php

Property svn:eol-style set to LF

File size: 8.3 KB

Line
1	<?php
2	// +-----------------------------------------------------------------------+
3	// \| Piwigo - a PHP based photo gallery \|
4	// +-----------------------------------------------------------------------+
5	// \| Copyright(C) 2008-2014 Piwigo Team http://piwigo.org \|
6	// \| Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net \|
7	// \| Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick \|
8	// +-----------------------------------------------------------------------+
9	// \| This program is free software; you can redistribute it and/or modify \|
10	// \| it under the terms of the GNU General Public License as published by \|
11	// \| the Free Software Foundation \|
12	// \| \|
13	// \| This program is distributed in the hope that it will be useful, but \|
14	// \| WITHOUT ANY WARRANTY; without even the implied warranty of \|
15	// \| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU \|
16	// \| General Public License for more details. \|
17	// \| \|
18	// \| You should have received a copy of the GNU General Public License \|
19	// \| along with this program; if not, write to the Free Software \|
20	// \| Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, \|
21	// \| USA. \|
22	// +-----------------------------------------------------------------------+
23
24	//--------------------------------------------------------------------- include
25	define('PHPWG_ROOT_PATH','./');
26	include_once( PHPWG_ROOT_PATH.'include/common.inc.php' );
27
28	// +-----------------------------------------------------------------------+
29	// \| Check Access and exit when user status is not ok \|
30	// +-----------------------------------------------------------------------+
31	check_status(ACCESS_GUEST);
32
33	trigger_notify('loc_begin_search');
34
35	//------------------------------------------------------------------ form check
36	$search = array();
37	if (isset($_POST['submit']))
38	{
39	foreach ($_POST as $post_key => $post_value)
40	{
41	if (!is_array($post_value))
42	{
43	$_POST[$post_key] = pwg_db_real_escape_string($post_value);
44	}
45	}
46
47	if (isset($_POST['search_allwords'])
48	and !preg_match('/^\s*$/', $_POST['search_allwords']))
49	{
50	check_input_parameter('mode', $_POST, false, '/^(OR\|AND)$/');
51	check_input_parameter('fields', $_POST, true, '/^(name\|comment\|file)$/');
52
53	$drop_char_match = array(
54	'-','^','$',';','#','&','(',')','<','>','`','\'','"','\|',',','@','_',
55	'?','%','~','.','[',']','{','}',':','\\','/','=','\'','!','*');
56	$drop_char_replace = array(
57	' ',' ',' ',' ',' ',' ',' ',' ',' ',' ','','',' ',' ',' ',' ','',' ',
58	' ',' ',' ',' ',' ',' ',' ',' ','' ,' ',' ',' ',' ',' ');
59
60	// Split words
61	$search['fields']['allwords'] = array(
62	'words' => array_unique(
63	preg_split(
64	'/\s+/',
65	str_replace(
66	$drop_char_match,
67	$drop_char_replace,
68	$_POST['search_allwords']
69	)
70	)
71	),
72	'mode' => $_POST['mode'],
73	'fields' => $_POST['fields'],
74	);
75	}
76
77	if (isset($_POST['tags']))
78	{
79	check_input_parameter('tags', $_POST, true, PATTERN_ID);
80	check_input_parameter('tag_mode', $_POST, false, '/^(OR\|AND)$/');
81
82	$search['fields']['tags'] = array(
83	'words' => $_POST['tags'],
84	'mode' => $_POST['tag_mode'],
85	);
86	}
87
88	if (isset($_POST['authors']) and is_array($_POST['authors']) and count($_POST['authors']) > 0)
89	{
90	$authors = array();
91
92	foreach ($_POST['authors'] as $author)
93	{
94	$authors[] = strip_tags($author);
95	}
96
97	$search['fields']['author'] = array(
98	'words' => $authors,
99	'mode' => 'OR',
100	);
101	}
102
103	if (isset($_POST['cat']))
104	{
105	check_input_parameter('cat', $_POST, true, PATTERN_ID);
106
107	$search['fields']['cat'] = array(
108	'words' => $_POST['cat'],
109	'sub_inc' => ($_POST['subcats-included'] == 1) ? true : false,
110	);
111	}
112
113	// dates
114	check_input_parameter('date_type', $_POST, false, '/^date_(creation\|available)$/');
115
116	$type_date = $_POST['date_type'];
117
118	if (!empty($_POST['start_year']))
119	{
120	$search['fields'][$type_date.'-after'] = array(
121	'date' => sprintf(
122	'%d-%02d-%02d',
123	$_POST['start_year'],
124	$_POST['start_month'] != 0 ? $_POST['start_month'] : '01',
125	$_POST['start_day'] != 0 ? $_POST['start_day'] : '01'
126	),
127	'inc' => true,
128	);
129	}
130
131	if (!empty($_POST['end_year']))
132	{
133	$search['fields'][$type_date.'-before'] = array(
134	'date' => sprintf(
135	'%d-%02d-%02d',
136	$_POST['end_year'],
137	$_POST['end_month'] != 0 ? $_POST['end_month'] : '12',
138	$_POST['end_day'] != 0 ? $_POST['end_day'] : '31'
139	),
140	'inc' => true,
141	);
142	}
143
144	if (!empty($search))
145	{
146	// default search mode : each clause must be respected
147	$search['mode'] = 'AND';
148
149	// register search rules in database, then they will be available on
150	// thumbnails page and picture page.
151	$query ='
152	INSERT INTO '.SEARCH_TABLE.'
153	(rules, last_seen)
154	VALUES
155	(\''.pwg_db_real_escape_string(serialize($search)).'\', NOW())
156	;';
157	pwg_query($query);
158
159	$search_id = pwg_db_insert_id(SEARCH_TABLE);
160	}
161	else
162	{
163	$page['errors'][] = l10n('Empty query. No criteria has been entered.');
164	}
165	}
166	//----------------------------------------------------------------- redirection
167	if (isset($_POST['submit']) and count($page['errors']) == 0)
168	{
169	redirect(
170	make_index_url(
171	array(
172	'section' => 'search',
173	'search' => $search_id,
174	)
175	)
176	);
177	}
178	//----------------------------------------------------- template initialization
179
180	//
181	// Start output of page
182	//
183	$title= l10n('Search');
184	$page['body_id'] = 'theSearchPage';
185
186	$template->set_filename('search' ,'search.tpl' );
187
188	$month_list = $lang['month'];
189	$month_list[0]='------------';
190	ksort($month_list);
191
192	$template->assign(
193	array(
194	'F_SEARCH_ACTION' => 'search.php',
195	'U_HELP' => PHPWG_ROOT_PATH.'popuphelp.php?page=search',
196
197	'month_list' => $month_list,
198	'START_DAY_SELECTED' => @$_POST['start_day'],
199	'START_MONTH_SELECTED' => @$_POST['start_month'],
200	'END_DAY_SELECTED' => @$_POST['end_day'],
201	'END_MONTH_SELECTED' => @$_POST['end_month'],
202	)
203	);
204
205	$available_tags = get_available_tags();
206
207	if (count($available_tags) > 0)
208	{
209	usort( $available_tags, 'tag_alpha_compare');
210
211	$template->assign('TAGS', $available_tags);
212	}
213
214	// authors
215	$authors = array();
216
217	$query = '
218	SELECT
219	author,
220	id
221	FROM '.IMAGES_TABLE.' AS i
222	JOIN '.IMAGE_CATEGORY_TABLE.' AS ic ON ic.image_id = i.id
223	'.get_sql_condition_FandF(
224	array(
225	'forbidden_categories' => 'category_id',
226	'visible_categories' => 'category_id',
227	'visible_images' => 'id'
228	),
229	' WHERE '
230	).'
231	AND author IS NOT NULL
232	GROUP BY author, id
233	ORDER BY author
234	;';
235	$author_counts = array();
236	$result = pwg_query($query);
237	while ($row = pwg_db_fetch_assoc($result))
238	{
239	if (!isset($author_counts[ $row['author'] ]))
240	{
241	$author_counts[ $row['author'] ] = 0;
242	}
243
244	$author_counts[ $row['author'] ]++;
245	}
246
247	foreach ($author_counts as $author => $counter)
248	{
249	$authors[] = array(
250	'author' => $author,
251	'counter' => $counter,
252	);
253	}
254
255	$template->assign('AUTHORS', $authors);
256
257	//------------------------------------------------------------- categories form
258	$query = '
259	SELECT id,name,global_rank,uppercats
260	FROM '.CATEGORIES_TABLE.'
261	'.get_sql_condition_FandF
262	(
263	array
264	(
265	'forbidden_categories' => 'id',
266	'visible_categories' => 'id'
267	),
268	'WHERE'
269	).'
270	;';
271	display_select_cat_wrapper($query, array(), 'category_options', true);
272
273	// include menubar
274	$themeconf = $template->get_template_vars('themeconf');
275	if (!isset($themeconf['hide_menu_on']) OR !in_array('theSearchPage', $themeconf['hide_menu_on']))
276	{
277	include( PHPWG_ROOT_PATH.'include/menubar.inc.php');
278	}
279
280	//------------------------------------------------------------ html code display
281	include(PHPWG_ROOT_PATH.'include/page_header.php');
282	trigger_notify('loc_end_search');
283	flush_page_messages();
284	$template->pparse('search');
285	include(PHPWG_ROOT_PATH.'include/page_tail.php');
286	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: