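/************* HTTP VARIABLES *************/
/************* Note that "_raw" variables are direct from user: Danger, Will Robinson! *************/
// This fragment looks up publications for a subject/year (plus optional keyword and
// author searches) and prints one row per match. It still uses the ext/mysql API, which
// was removed in PHP 7; the durable fix is PDO with prepared statements, but the changes
// below stay within ext/mysql so db_variables.php and the including script keep working.
//
// Each GET parameter is read defensively: a missing key must not raise a notice, and an
// array value (?subject[]=x) would make mysql_real_escape_string() emit a warning and
// return NULL, so anything that is not a plain string is treated as absent ('').
$subject_raw = (isset($_GET['subject']) && is_string($_GET['subject'])) ? $_GET['subject'] : '';
$yr_raw = (isset($_GET['yr']) && is_string($_GET['yr'])) ? $_GET['yr'] : '';
//$key_raw = $_GET['key'];
// NOTE(review): $key is not defined in this file; it appears to be supplied by the
// including script (the direct $_GET read above was disabled) — confirm its source.
$key_raw = (isset($key) && is_string($key)) ? $key : '';
$auth_raw = (isset($_GET['auth']) && is_string($_GET['auth'])) ? $_GET['auth'] : '';
/************* GLOBAL VARIABLES *************/
include 'db_variables.php';
$dbname = 'extension';
$dbtable1 = 'wfapmc';
$dbtable2 = 'wfapmcSubjects';
$cols = '*';
$sid = 'sid';
$year = 'year';
$keyword = 'keywords';
$author = 'authors';
$title = 'title';
// Connection character set. mysql_real_escape_string() escapes correctly only for the
// charset the connection actually uses, so it is set explicitly below instead of being
// left to the server default. $html_charset must name the same encoding so output
// escaping agrees with what the database returns — change both together, and check
// them against the table definitions (not visible here).
$db_charset = 'utf8';
$html_charset = 'UTF-8';
/***** Prepare the queries, set the count variable and make sure the db is ready ******/
$mysql_link = mysql_connect($dbhost, $dbuser, $dbpass) or die("Unable to Connect to Database Server");
mysql_set_charset($db_charset, $mysql_link);
// mysql_db_query() is deprecated; selecting the database once and using mysql_query()
// has the same effect (the database stays selected on this link).
mysql_select_db($dbname, $mysql_link) or die("Unable to Select Database");
/***** Use mysql_real_escape_string to quote all data from user to defeat SQL injection ****/
// The link is passed explicitly so escaping cannot silently fall back to some other
// connection opened elsewhere (or fail because no link is open).
$subject = mysql_real_escape_string($subject_raw, $mysql_link);
$yr = mysql_real_escape_string($yr_raw, $mysql_link);
$key = mysql_real_escape_string($key_raw, $mysql_link);
$auth = mysql_real_escape_string($auth_raw, $mysql_link);
// Escaping neutralises quotes, not LIKE wildcards: '%' and '_' in the input still act as
// wildcards. The "200%" year check below relies on that for $yr, and $key/$auth are
// wrapped in '%' anyway, so a wildcard can only widen a match, never alter the statement.
$sql = "select $cols from $dbtable1 where $dbtable1.$year LIKE '$yr' AND $dbtable1.$sid LIKE '$subject' ORDER BY year DESC;";
$result = mysql_query($sql, $mysql_link);
// $sidMatch is not read by the code below; presumably the header markup consumed it —
// confirm with the including page before removing the query.
$sql2 = "select $cols from $dbtable2 where $dbtable2.$sid LIKE '$subject';";
$sidMatch = mysql_query($sql2, $mysql_link);
// Both optional result sets start out false so the if() tests further down are always
// defined, even when the corresponding search was not requested.
$keySearch = false;
$authSearch = false;
// '' is the only "no search" value; a keyword or author of "0" is still a search
// (the previous truthiness test silently dropped it).
if ($key !== '') {
    $wherestringkey = "where $keyword LIKE '%$key%'";
    $sql3 = "select $cols from $dbtable1 $wherestringkey ORDER BY year DESC;";
    $keySearch = mysql_query($sql3, $mysql_link);
}
if ($auth !== '') {
    $wherestringauth = "where $author LIKE '%$auth%'";
    $sql4 = "select $cols from $dbtable1 $wherestringauth AND $dbtable1.$year LIKE '$yr' ORDER BY year DESC;";
    $authSearch = mysql_query($sql4, $mysql_link);
}
$count = 1;
/***** Print the year and subject in the blue rectangle above the output ******/
if ($yr === "200%") {
    print "";
}
if ($keySearch) {
    print "";
}

/**
 * Print one numbered row per record in a result set and free the result.
 *
 * Columns are addressed by position in the `select *` result; per the header row printed
 * below they are [6] title, [4] author, [5] org, [2] year, [9] presentation and [10] paper,
 * where the literal value 'none' in [9]/[10] means the item is not available. Every
 * database value is HTML-escaped before printing because it lands in page markup.
 *
 * Declared unconditionally: if this fragment can be included more than once per request,
 * guard the declaration with function_exists().
 *
 * @param resource $rows    result handle from mysql_query()
 * @param int      $count   number to print for the first row
 * @param string   $charset encoding passed to htmlspecialchars()
 * @return int the next unused row number
 */
function wfapmc_print_rows($rows, $count, $charset)
{
    while ($row = mysql_fetch_array($rows)) {
        $cell = array();
        foreach (array(6, 4, 5, 2) as $i) {
            $cell[$i] = htmlspecialchars($row[$i], ENT_QUOTES, $charset);
        }
        print "$count | {$cell[6]} {$cell[4]}, {$cell[5]} ({$cell[2]}) | ";
        print ($row[9] === 'none') ? "Not Available | " : " | ";
        print ($row[10] === 'none') ? "Not Available | " : " | ";
        print "\n";
        $count++;
    }
    mysql_free_result($rows);
    return $count;
}

/***** Print the output, based on the type of search initiated ******/
if ($result) {
    print "# | Title, Author, Org (year) | Presentation | Paper |\n";
    $count = wfapmc_print_rows($result, $count, $html_charset);
}
// keyword search needs to be able handle multiple input params
if ($keySearch) {
    $count = wfapmc_print_rows($keySearch, $count, $html_charset);
}
if ($authSearch) {
    $count = wfapmc_print_rows($authSearch, $count, $html_charset);
}
// Previously the link was closed only after an author search; close it on every path.
mysql_close($mysql_link);
?>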