Added trim for improving advanced search - partial CT#384

skala
Cristian Fasanando 16 years ago
parent 91fe686d66
commit d64cfead29
  1. 4
      main/admin/course_list.php
  2. 6
      main/admin/group_list.php
  3. 4
      main/admin/session_category_list.php
  4. 20
      main/admin/session_list.php
  5. 4
      main/admin/statistics/statistics.lib.php
  6. 8
      main/admin/user_list.php
  7. 16
      main/reservation/rsys.php
  8. 4
      main/tracking/courseLog.php
  9. 4
      main/user/class.php
  10. 4
      main/user/subscribe_class.php
  11. 4
      main/user/subscribe_user.php

@ -39,7 +39,7 @@ function get_number_of_courses()
if (isset ($_GET['keyword']))
{
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " WHERE title LIKE '%".$keyword."%' OR code LIKE '%".$keyword."%' OR visual_code LIKE '%".$keyword."%'";
}
elseif (isset ($_GET['keyword_code']))
@ -81,7 +81,7 @@ function get_course_data($from, $number_of_items, $column, $direction)
if (isset ($_GET['keyword']))
{
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " WHERE title LIKE '%".$keyword."%' OR code LIKE '%".$keyword."%' OR visual_code LIKE '%".$keyword."%'";
}
elseif (isset ($_GET['keyword_code']))
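Review bot: `Database::escape_string()` on the new line (L34, and L42 in get_course_data) protects the string literal but leaves the LIKE metacharacters `%` and `_` untouched, so a keyword containing them is interpreted as a pattern instead of matched literally. If literal matching is intended, escape the wildcards before the SQL escaping so the backslash that is added gets escaped for the literal in turn (assuming escape_string escapes backslashes the way mysql_real_escape_string does): `$keyword = Database::escape_string(addcslashes(trim($_GET['keyword']), '%_'));`. The same construct appears in every other hunk of this commit (group_list.php, session_category_list.php, session_list.php, statistics.lib.php, user_list.php, rsys.php, courseLog.php, class.php, subscribe_class.php, subscribe_user.php), so a shared helper would be the place to settle it once. Both enclosing functions start and end outside their hunks.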

@ -40,7 +40,7 @@ function get_number_of_groups()
}
*/
if ( isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " WHERE (g.name LIKE '%".$keyword."%' OR g.description LIKE '%".$keyword."%' OR g.url LIKE '%".$keyword."%' )";
}
@ -82,7 +82,7 @@ function get_group_data($from, $number_of_items, $column, $direction)
}*/
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " WHERE (g.name LIKE '%".$keyword."%' OR g.description LIKE '%".$keyword."%' OR g.url LIKE '%".$keyword."%' )";
}
/*
@ -140,7 +140,7 @@ function get_recent_group_data($from =0 , $number_of_items = 5, $column, $direct
}*/
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " WHERE (g.name LIKE '%".$keyword."%' OR g.description LIKE '%".$keyword."%' OR g.url LIKE '%".$keyword."%' )";
}
/*
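Review bot: The same isset/trim/escape/`WHERE (g.name LIKE …)` block is now repeated verbatim in get_number_of_groups, get_group_data and get_recent_group_data (L50-53, L57-60, L65-68), so the three queries will drift apart on the next edit. One helper that returns the condition, called from all three with `$sql .= get_group_keyword_condition();`, leaves a single copy to maintain. The `*/` and `/*` markers around each filter (L49, L56, L62, L64, L70) show commented-out code carried alongside the live code; it is worth deleting. All three enclosing functions start and end outside their hunks.
```php
// Shared by get_number_of_groups(), get_group_data() and get_recent_group_data().
function get_group_keyword_condition() {
    if (!isset($_GET['keyword'])) {
        return '';
    }
    $keyword = Database::escape_string(trim($_GET['keyword']));
    return " WHERE (g.name LIKE '%".$keyword."%' OR g.description LIKE '%".$keyword."%' OR g.url LIKE '%".$keyword."%' )";
}
// … in each of the three functions, unchanged except for: …
$sql .= get_group_keyword_condition();
```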

@ -66,10 +66,10 @@ if (isset ($_GET['search']) && $_GET['search'] == 'advanced') {
$from = $page * $limit;
//if user is crfp admin only list its sessions
if(!api_is_platform_admin()) {
$where .= (empty($_REQUEST['keyword']) ? " " : " WHERE name LIKE '%".addslashes($_REQUEST['keyword'])."%'");
$where .= (empty($_REQUEST['keyword']) ? " " : " WHERE name LIKE '%".Database::escape_string(trim($_REQUEST['keyword']))."%'");
}
else {
$where .= (empty($_REQUEST['keyword']) ? " " : " WHERE name LIKE '%".addslashes($_REQUEST['keyword'])."%'");
$where .= (empty($_REQUEST['keyword']) ? " " : " WHERE name LIKE '%".Database::escape_string(trim($_REQUEST['keyword']))."%'");
}
$query = "SELECT sc.*, (select count(id) FROM $tbl_session WHERE session_category_id = sc.id) as nbr_session
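Review bot: The `empty($_REQUEST['keyword'])` test on L77 and L81 still looks at the untrimmed value, so a keyword made only of whitespace passes the check and the query receives `WHERE name LIKE '%%'`, which matches every row (and `empty()` also discards a legitimate keyword of `0`). Trim once before testing: `$keyword = isset($_REQUEST['keyword']) ? trim($_REQUEST['keyword']) : '';` followed by `$where .= ($keyword === '' ? " " : " WHERE name LIKE '%".Database::escape_string($keyword)."%'");`. With that, the `if(!api_is_platform_admin())` and `else` branches (L75-82) are byte-identical on the new side and can collapse into the one statement. `$where` is appended with `.=`, so if it already holds a clause when this runs the result contains two WHEREs; its initialisation is outside the hunk and worth checking. The enclosing block starts and ends outside the hunk.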

@ -85,13 +85,13 @@ if (isset ($_GET['search']) && $_GET['search'] == 'advanced') {
//Prevent hacking keyword
if ( isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
} else if (isset ($_GET['keyword_name'])) {
$keyword_name = Database::escape_string($_GET['keyword_name']);
$keyword_category = Database::escape_string($_GET['keyword_category']);
$keyword_visibility = Database::escape_string($_GET['keyword_visibility']);
$keyword_firstname = Database::escape_string($_GET['keyword_firstname']);
$keyword_lastname = Database::escape_string($_GET['keyword_lastname']);
$keyword_name = Database::escape_string(trim($_GET['keyword_name']));
$keyword_category = Database::escape_string(trim($_GET['keyword_category']));
$keyword_visibility = Database::escape_string(trim($_GET['keyword_visibility']));
$keyword_firstname = Database::escape_string(trim($_GET['keyword_firstname']));
$keyword_lastname = Database::escape_string(trim($_GET['keyword_lastname']));
}
//Process for the search advanced
@ -218,7 +218,7 @@ if (isset ($_GET['search']) && $_GET['search'] == 'advanced') {
if($num>$limit){
if($page) {
?>
<a href="<?php echo api_get_self(); ?>?page=<?php echo $page-1; ?>&sort=<?php echo $sort; ?>&keyword=<?php echo $_REQUEST['keyword']; ?><?php echo @$cond_url; ?>"><?php echo get_lang('Previous'); ?></a>
<a href="<?php echo api_get_self(); ?>?page=<?php echo $page-1; ?>&sort=<?php echo $sort; ?>&keyword=<?php echo Security::remove_XSS($_REQUEST['keyword']); ?><?php echo @$cond_url; ?>"><?php echo get_lang('Previous'); ?></a>
<?php
} else {
echo get_lang('Previous');
@ -228,7 +228,7 @@ if (isset ($_GET['search']) && $_GET['search'] == 'advanced') {
<?php
if($nbr_results > $limit) {
?>
<a href="<?php echo api_get_self(); ?>?page=<?php echo $page+1; ?>&sort=<?php echo $sort; ?>&keyword=<?php echo $_REQUEST['keyword']; ?><?php echo @$cond_url; ?>"><?php echo get_lang('Next'); ?></a>
<a href="<?php echo api_get_self(); ?>?page=<?php echo $page+1; ?>&sort=<?php echo $sort; ?>&keyword=<?php echo Security::remove_XSS($_REQUEST['keyword']); ?><?php echo @$cond_url; ?>"><?php echo get_lang('Next'); ?></a>
<?php
} else {
echo get_lang('Next');
@ -318,7 +318,7 @@ if (isset ($_GET['search']) && $_GET['search'] == 'advanced') {
{
?>
<a href="<?php echo api_get_self(); ?>?page=<?php echo $page-1; ?>&sort=<?php echo $sort; ?>&keyword=<?php echo $_REQUEST['keyword']; ?><?php echo @$cond_url; ?>"><?php echo get_lang('Previous'); ?></a>
<a href="<?php echo api_get_self(); ?>?page=<?php echo $page-1; ?>&sort=<?php echo $sort; ?>&keyword=<?php echo Security::remove_XSS($_REQUEST['keyword']); ?><?php echo @$cond_url; ?>"><?php echo get_lang('Previous'); ?></a>
<?php
}
@ -335,7 +335,7 @@ if (isset ($_GET['search']) && $_GET['search'] == 'advanced') {
{
?>
<a href="<?php echo api_get_self(); ?>?page=<?php echo $page+1; ?>&sort=<?php echo $sort; ?>&keyword=<?php echo $_REQUEST['keyword']; ?><?php echo @$cond_url; ?>"><?php echo get_lang('Next'); ?></a>
<a href="<?php echo api_get_self(); ?>?page=<?php echo $page+1; ?>&sort=<?php echo $sort; ?>&keyword=<?php echo Security::remove_XSS($_REQUEST['keyword']); ?><?php echo @$cond_url; ?>"><?php echo get_lang('Next'); ?></a>
<?php
}
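Review bot: `Security::remove_XSS($_REQUEST['keyword'])` on L108, L117, L125 and L132 is a content filter, not an encoder for the context the value lands in, which is a query-string parameter inside an href; characters such as `&`, `=`, `#` or `+` in the keyword still corrupt the link. The conventional form is `&keyword=<?php echo urlencode($_REQUEST['keyword']); ?>`, whose output is also safe inside the attribute. In the first hunk (L90-100) only `keyword_name` is guarded by isset while `keyword_category`, `keyword_visibility`, `keyword_firstname` and `keyword_lastname` are read unconditionally, which raises notices when the form omits any of them; a per-field `isset(...) ? trim(...) : ''` keeps the new trim while tolerating a missing field. The `@$cond_url` on the same link lines suppresses an undefined-variable notice rather than initialising `$cond_url`. All hunks sit inside the advanced-search block that starts and ends outside this section.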

@ -93,7 +93,7 @@ class Statistics
$sql = "SELECT count(default_id) AS total_number_of_items FROM $track_e_default, $table_user user WHERE default_user_id = user.user_id ";
if (isset($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (user.username LIKE '%".$keyword."%' OR default_event_type LIKE '%".$keyword."%' OR default_value_type LIKE '%".$keyword."%' OR default_value LIKE '%".$keyword."%') ";
}
@ -121,7 +121,7 @@ class Statistics
WHERE track_default.default_user_id = user.user_id ";
if (isset($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (user.username LIKE '%".$keyword."%' OR default_event_type LIKE '%".$keyword."%' OR default_value_type LIKE '%".$keyword."%' OR default_value LIKE '%".$keyword."%') ";
}
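Review bot: Both methods of `class Statistics` read `$_GET['keyword']` directly (L138-141, L145-148), which ties library code to the HTTP request and makes the filter untestable outside a page; pass the keyword in as a parameter and keep the superglobal access in the calling page. The two hunks also append the same four-column `AND (...)` clause, so a single private method building it from the passed keyword would keep the count query and the listing query in step. Both enclosing methods start and end outside their hunks.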

@ -269,8 +269,8 @@ function get_number_of_users()
}
if ( isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$sql .= " WHERE (u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR u.username LIKE '%".$keyword."%' OR u.email LIKE '%".$keyword."%' OR u.official_code LIKE '%".$keyword."%') ";
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " WHERE (u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR concat(u.firstname,' ',u.lastname) LIKE '%".$keyword."%' OR concat(u.lastname,' ',u.firstname) LIKE '%".$keyword."%' OR u.username LIKE '%".$keyword."%' OR u.email LIKE '%".$keyword."%' OR u.official_code LIKE '%".$keyword."%') ";
} elseif (isset ($_GET['keyword_firstname'])) {
$admin_table = Database :: get_main_table(TABLE_MAIN_ADMIN);
$keyword_firstname = Database::escape_string($_GET['keyword_firstname']);
@ -350,8 +350,8 @@ function get_user_data($from, $number_of_items, $column, $direction)
}
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$sql .= " WHERE (u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR u.username LIKE '%".$keyword."%' OR u.official_code LIKE '%".$keyword."%' OR u.email LIKE '%".$keyword."%' )";
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " WHERE (u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR concat(u.firstname,' ',u.lastname) LIKE '%".$keyword."%' OR concat(u.lastname,' ',u.firstname) LIKE '%".$keyword."%' OR u.username LIKE '%".$keyword."%' OR u.official_code LIKE '%".$keyword."%' OR u.email LIKE '%".$keyword."%' )";
} elseif (isset ($_GET['keyword_firstname'])) {
$keyword_firstname = Database::escape_string($_GET['keyword_firstname']);
$keyword_lastname = Database::escape_string($_GET['keyword_lastname']);
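Review bot: The trim is applied only to the plain `keyword` branch (L156, L166); the `keyword_firstname`/`keyword_lastname` branch that follows (L160, L169-170, unchanged) still escapes the raw value, so the advanced-search fields this commit targets remain untrimmed in user_list.php, unlike session_list.php where every field received `trim()`. Applying `Database::escape_string(trim($_GET['keyword_firstname']))` and the same for the other fields there would make the two pages behave alike. Note also that get_number_of_users (L157) and get_user_data (L167) now list the same seven predicates in a different order; harmless for results, but a shared builder would keep them identical. Both enclosing functions start and end outside their hunks.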

@ -286,8 +286,8 @@ class Rsys {
function get_table_categories($from, $per_page, $column, $direction) {
$sql = "SELECT id AS col0, name as col1, id AS col2 FROM ".Rsys :: getTable("category");
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$sql .= " WHERE name LIKE '%".Database::escape_string($keyword)."%' OR id LIKE '%".Database::escape_string($keyword)."%'";
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " WHERE name LIKE '%".$keyword."%' OR id LIKE '%".$keyword."%'";
}
$from = intval($from);
$per_page = intval($per_page);
@ -311,8 +311,8 @@ class Rsys {
function get_num_categories() {
$sql = "SELECT COUNT(id) FROM ".Rsys :: getTable("category");
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$sql .= " WHERE name LIKE '%".Database::escape_string($keyword)."%' OR id LIKE '%".Database::escape_string($keyword)."%'";
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " WHERE name LIKE '%".$keyword."%' OR id LIKE '%".$keyword."%'";
}
return @ Database::result(Database::query($sql, __FILE__, __LINE__), 0, 0);
}
@ -962,7 +962,7 @@ class Rsys {
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id
WHERE ((ir.m_reservation=1 AND cu.user_id='".api_get_user_id()."') OR i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")";
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= "AND (i.name LIKE '%".$keyword."%' OR i.description LIKE '%".$keyword."%' OR r.notes LIKE '%".$keyword."%')";
}
@ -1033,7 +1033,7 @@ class Rsys {
LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id
WHERE ((ir.m_reservation=1 AND cu.user_id='".api_get_user_id()."') OR i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).')';
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (i.name LIKE '%".$keyword."%' OR i.description LIKE '%".$keyword."%' OR r.notes LIKE '%".$keyword."%')";
}
return Database::result(Database::query($sql, __FILE__, __LINE__), 0, 0);
@ -1220,7 +1220,7 @@ class Rsys {
OR i2.creator='".api_get_user_id()."'
OR 1=". (api_is_platform_admin() ? 1 : 0)."))";
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (i1.name LIKE '%".$keyword."%' or r1.start_at LIKE '%".$keyword."%' or r1.end_at LIKE '%".$keyword."%' or u.lastname LIKE '%".$keyword."%' or u.firstname LIKE '%".$keyword."%' or s.start_at LIKE '%".$keyword."%' or s.end_at LIKE '%".$keyword."%')";
}
return Database::result(Database::query($sql, __FILE__, __LINE__), 0, 0);
@ -1256,7 +1256,7 @@ class Rsys {
OR i2.creator='".api_get_user_id()."'
OR 1=". (api_is_platform_admin() ? 1 : 0)."))";
if (isset ($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (i1.name LIKE '%".$keyword."%' or c.name LIKE '%".$keyword."%' or r1.start_at LIKE '%".$keyword."%' or r1.end_at LIKE '%".$keyword."%' or u.lastname LIKE '%".$keyword."%' or u.firstname LIKE '%".$keyword."%' or s.start_at LIKE '%".$keyword."%' or s.end_at LIKE '%".$keyword."%')";
}
$sql .= " ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page;
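Review bot: Dropping the second `Database::escape_string()` on L178-179 and L189-190 is right (the old lines escaped the already-escaped `$keyword` again, so a quote in the keyword reached the literal doubly escaped), but the six hunks in `class Rsys` (L175-179, L186-190, L197-200, L205-208, L214-217, L223-226) now all repeat the identical isset/trim/escape sequence. A private helper such as `private static function escaped_keyword() { return isset($_GET['keyword']) ? Database::escape_string(trim($_GET['keyword'])) : null; }` called once per method would remove the repetition and give one place to change the escaping rule. The methods also read `$_GET` from inside a library class; the keyword would be better passed in from the page. get_num_categories (L184-193) is fully visible; the other methods start or end outside their hunks.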

@ -143,7 +143,7 @@ function count_item_resources() {
" WHERE track_resource.insert_user_id = user.user_id";
if (isset($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (user.username LIKE '%".$keyword."%' OR lastedit_type LIKE '%".$keyword."%' OR tool LIKE '%".$keyword."%')";
}
@ -169,7 +169,7 @@ function get_item_resources_data($from, $number_of_items, $column, $direction) {
WHERE track_resource.insert_user_id = user.user_id ";
if (isset($_GET['keyword'])) {
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (user.username LIKE '%".$keyword."%' OR lastedit_type LIKE '%".$keyword."%' OR tool LIKE '%".$keyword."%') ";
}
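Review bot: `trim()` on L234 and L241 assumes `$_GET['keyword']` is a string; if the parameter arrives as an array (PHP builds one for a bracketed query key), `trim()` emits a warning and returns null, and the clause is then built around an empty value. Guarding the type keeps the new trim safe: `if (isset($_GET['keyword']) && is_string($_GET['keyword'])) {`. This applies to every hunk in the commit, since they all read the superglobal the same way; a single helper returning the trimmed, escaped keyword (or null) would centralise both the check and the escaping. count_item_resources and get_item_resources_data start and end outside their hunks.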

@ -117,7 +117,7 @@ function get_number_of_classes()
$sql = "SELECT c.id FROM $class_table c, $course_class_table cc WHERE cc.class_id = c.id AND cc.course_code ='".$_SESSION['_course']['id']."'";
if (isset ($_GET['keyword']))
{
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (c.name LIKE '%".$keyword."%')";
}
$res = Database::query($sql, __FILE__, __LINE__);
@ -146,7 +146,7 @@ function get_class_data($from, $number_of_items, $column, $direction)
$sql .= " WHERE c.id = cc.class_id AND cc.course_code = '".$_SESSION['_course']['id']."'";
if (isset ($_GET['keyword']))
{
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (c.name LIKE '%".$keyword."%')";
}
$sql .= " GROUP BY c.id, c.name ";
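Review bot: After trimming (L250, L259) a keyword that is empty or whitespace-only still reaches the query as `AND (c.name LIKE '%%')`, which matches every row, so the count and the list silently become unfiltered instead of the keyword being ignored. Test the trimmed value before building the clause: `$keyword = isset($_GET['keyword']) ? trim($_GET['keyword']) : ''; if ($keyword !== '') { $sql .= " AND (c.name LIKE '%".Database::escape_string($keyword)."%')"; }`. The same applies to the subscribe_class.php hunks, which build an identical clause. Both enclosing functions start and end outside their hunks.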

@ -125,7 +125,7 @@ function get_number_of_classes()
$sql = "SELECT c.id FROM $class_table c WHERE 1 = 1";
if (isset ($_GET['keyword']))
{
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (c.name LIKE '%".$keyword."%')";
}
if( count($subscribed_classes) > 0)
@ -162,7 +162,7 @@ function get_class_data($from, $number_of_items, $column, $direction)
$sql .= " WHERE 1 = 1";
if (isset ($_GET['keyword']))
{
$keyword = Database::escape_string($_GET['keyword']);
$keyword = Database::escape_string(trim($_GET['keyword']));
$sql .= " AND (c.name LIKE '%".$keyword."%')";
}
if( count($subscribed_classes) > 0)
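Review bot: get_number_of_classes and get_class_data here (L264-281) build the keyword clause exactly as the same-named functions in main/user/class.php do (L245-262), which is why this commit had to patch the construct four times across the two files. A shared function in a library file returning the `AND (c.name LIKE '%…%')` fragment for a given keyword would leave one copy to maintain; the project's library layout is outside this page, so where it belongs is for the author to decide. Both functions start and end outside their hunks.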

@ -324,7 +324,7 @@ function get_number_of_users() {
// when there is a keyword then we are searching and we have to change the SQL statement
if (isset ($_REQUEST['keyword'])) {
$keyword = Database::escape_string($_REQUEST['keyword']);
$keyword = Database::escape_string(trim($_REQUEST['keyword']));
$sql .= " AND (firstname LIKE '%".$keyword."%' OR lastname LIKE '%".$keyword."%' OR email LIKE '%".$keyword."%' OR username LIKE '%".$keyword."%' OR official_code LIKE '%".$keyword."%')";
// we also want to search for users who have something in their profile fields that matches the keyword
@ -574,7 +574,7 @@ function get_user_data($from, $number_of_items, $column, $direction) {
// adding additional WHERE statements to the SQL for the search functionality
if (isset ($_REQUEST['keyword'])) {
$keyword = Database::escape_string($_REQUEST['keyword']);
$keyword = Database::escape_string(trim($_REQUEST['keyword']));
$sql .= " AND (firstname LIKE '%".$keyword."%' OR lastname LIKE '%".$keyword."%' OR email LIKE '%".$keyword."%' OR username LIKE '%".$keyword."%' OR official_code LIKE '%".$keyword."%')";
if (api_get_setting('ProfilingFilterAddingUsers') == 'true') {
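Review bot: These two hunks (L285-288, L292-295) take the keyword from `$_REQUEST`, while every other file in the commit except session_category_list.php reads `$_GET`; `$_REQUEST` merges GET, POST and cookie data in the order set by `request_order`/`variables_order`, so the value's source is ambiguous and a cookie of the same name can influence the search. Reading it from `$_GET['keyword']` (or `$_POST` if the search form posts, which is outside the hunk) makes the input source explicit: `if (isset ($_GET['keyword'])) { $keyword = Database::escape_string(trim($_GET['keyword'])); }`. The rest of get_number_of_users and get_user_data lies outside the hunks.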
