--- loncom/interface/lonsearchcat.pm	2001/03/21 03:37:43	1.58
+++ loncom/interface/lonsearchcat.pm	2001/03/22 13:26:59	1.66
@@ -477,6 +477,18 @@ sub advancedsearch {
     my %ENV=%{$envhash};
 
     my $fillflag=0;
+    # Clean up fields for safety
+    for my $field ('title','author','subject','keywords','url','version',
+		   'creationdatestart_month','creationdatestart_day',
+		   'creationdatestart_year','creationdateend_month',
+		   'creationdateend_day','creationdateend_year',
+		   'lastrevisiondatestart_month','lastrevisiondatestart_day',
+		   'lastrevisiondatestart_year','lastrevisiondateend_month',
+		   'lastrevisiondateend_day','lastrevisiondateend_year',
+		   'notes','abstract','mime','language','owner',
+		   'custommetadata') {
+	$ENV{"form.$field"}=~s/[^\w\s\(\)\-\"\']//g;
+    }
     for my $field ('title','author','subject','keywords','url','version',
 		   'notes','abstract','mime','language','owner',
 		   'custommetadata') {
@@ -502,19 +514,45 @@ sub advancedsearch {
 	}
     }
     if ($ENV{'form.language'} and $ENV{'form.language'} ne 'any') {
-	push @queries,"language like $ENV{'form.language'}";
+	push @queries,"(language like \"\%$ENV{'form.language'}\%\")";
     }
     if ($ENV{'form.mime'} and $ENV{'form.mime'} ne 'any') {
-	push @queries,"mime like $ENV{'form.mime'}";
+	push @queries,"(mime like \"\%$ENV{'form.mime'}\%\")";
     }
     if ($ENV{'form.copyright'} and $ENV{'form.copyright'} ne 'any') {
-	push @queries,"copyright like $ENV{'form.copyright'}";
+	push @queries,"(copyright like \"\%$ENV{'form.copyright'}\%\")";
+    }
+    my $datequery=&build_date_queries(
+			$ENV{'form.creationdatestart_month'},
+			$ENV{'form.creationdatestart_day'},
+			$ENV{'form.creationdatestart_year'},
+			$ENV{'form.creationdateend_month'},
+			$ENV{'form.creationdateend_day'},
+			$ENV{'form.creationdateend_year'},
+			$ENV{'form.lastrevisiondatestart_month'},
+			$ENV{'form.lastrevisiondatestart_day'},
+			$ENV{'form.lastrevisiondatestart_year'},
+			$ENV{'form.lastrevisiondateend_month'},
+			$ENV{'form.lastrevisiondateend_day'},
+			$ENV{'form.lastrevisiondateend_year'},
+			);
+    if ($datequery=~/^Incorrect/) {
+	&output_date_error($r,$datequery);
+	return OK;
+    }
+    elsif ($datequery) {
+	push @queries,$datequery;
+    }
+    my $customquery;
+    if ($ENV{'form.custommetadata'}) {
+	$customquery=&build_custommetadata_query('custommetadata',
+				      $ENV{'form.custommetadata'});
     }
     if (@queries) {
 	$query=join(" AND ",@queries);
 	$query="select * from metadata where $query";
 	my $reply=&Apache::lonnet::metadata_query($query);
-	&output_results('Advanced',$r,$envhash,$query,$reply);
+	&output_results('Advanced',$r,$envhash,$customquery,$reply);
     }
     else {
 	&output_results('Advanced',$r,$envhash,$query);
@@ -538,6 +576,11 @@ sub basicsearch {
     my ($r,$envhash)=@_;
     my %ENV=%{$envhash};
 
+    # Clean up fields for safety
+    for my $field ('basicexp') {
+	$ENV{"form.$field"}=~s/[^\w\s\(\)\-]//g;
+    }
+
     unless (&filled($ENV{'form.basicexp'})) {
 	&output_blank_field_error($r);
 	return OK;
@@ -557,17 +600,7 @@ sub basicsearch {
 sub output_blank_field_error {
     my ($r)=@_;
     # make query information persistent to allow for subsequent revision
-    my $persistent='';
-    map {
-	if (/^form\./ && !/submit/) {
-	    my $name=$_;
-	    my $key=$name;
-	    $name=~s/^form\.//;
-	    $persistent.=<<END;
-<INPUT TYPE='hidden' NAME='$name' VALUE='$ENV{$key}'>
-END
-        }
-    } (keys %ENV);
+    my $persistent=&make_persistent();
 
     $r->print(<<BEGINNING);
 <html>
@@ -676,17 +709,7 @@ END
 	}
 
 	# make query information persistent to allow for subsequent revision
-	my $persistent='';
-	map {
-	    if (/^form\./ && !/submit/) {
-		my $name=$_;
-		my $key=$name;
-		$name=~s/^form\.//;
-		$persistent.=<<END;
-<INPUT TYPE='hidden' NAME='$name' VALUE='$ENV{$key}'>
-END
-            }
-	} (keys %ENV);
+	my $persistent=&make_persistent();
 
 	$r->print(<<BEGINNING);
 <html>
@@ -760,6 +783,17 @@ sub build_SQL_query {
     return $sql_query;
 }
 
+# ------------------------------------------------- build custom metadata query
+sub build_custommetadata_query {
+    my ($field_name,$logic_statement)=@_;
+    my $q=new Text::Query('abc',
+			  -parse => 'Text::Query::ParseAdvanced',
+			  -build => 'Text::Query::BuildAdvancedString');
+    $q->prepare($logic_statement);
+    my $matchexp=${$q}{'-parse'}{'-build'}{'matchstring'};
+    return $matchexp;
+}
+
 # - Recursively parse a reverse notation expression into a SQL query expression
 sub recursive_SQL_query_build {
     my ($dkey,$pattern)=@_;
@@ -894,5 +928,99 @@ END
     return $result;
 }
 
+sub build_date_queries {
+    my ($cmonth1,$cday1,$cyear1,$cmonth2,$cday2,$cyear2,
+	$lmonth1,$lday1,$lyear1,$lmonth2,$lday2,$lyear2)=@_;
+    my @queries;
+    if ($cmonth1 or $cday1 or $cyear1 or $cmonth2 or $cday2 or $cyear2) {
+	unless ($cmonth1 and $cday1 and $cyear1 and
+		$cmonth2 and $cday2 and $cyear2) {
+	    return "Incorrect entry for the creation date.  You must specify ".
+		   "a starting month, day, and year and an ending month, ".
+		   "day, and year.";
+	}
+	my $cnumeric1=sprintf("%d%2d%2d",$cyear1,$cmonth1,$cday1);
+	$cnumeric1+=0;
+	my $cnumeric2=sprintf("%d%2d%2d",$cyear2,$cmonth2,$cday2);
+	$cnumeric2+=0;
+	if ($cnumeric1>$cnumeric2) {
+	    return "Incorrect entry for the creation date.  The starting ".
+		   "date must occur before the ending date.";
+	}
+	my $cquery="(creationdate BETWEEN '$cyear1-$cmonth1-$cday1' AND '".
+	           "$cyear2-$cmonth2-$cday2 23:59:59')";
+	push @queries,$cquery;
+    }
+    if ($lmonth1 or $lday1 or $lyear1 or $lmonth2 or $lday2 or $lyear2) {
+	unless ($lmonth1 and $lday1 and $lyear1 and
+		$lmonth2 and $lday2 and $lyear2) {
+	    return "Incorrect entry for the last revision date.  You must ".
+		   "specify a starting month, day, and year and an ending ".
+		   "month, day, and year.";
+	}
+	my $lnumeric1=sprintf("%d%2d%2d",$lyear1,$lmonth1,$lday1);
+	$lnumeric1+=0;
+	my $lnumeric2=sprintf("%d%2d%2d",$lyear2,$lmonth2,$lday2);
+	$lnumeric2+=0;
+	if ($lnumeric1>$lnumeric2) {
+	    return "Incorrect entry for the last revision date.  The ".
+		   "starting date must occur before the ending date.";
+	}
+	my $lquery="(lastrevisiondate BETWEEN '$lyear1-$lmonth1-$lday1' AND '".
+	           "$lyear2-$lmonth2-$lday2 23:59:59')";
+	push @queries,$lquery;
+    }
+    if (@queries) {
+	return join(" AND ",@queries);
+    }
+    return '';
+}
+
+sub output_date_error {
+    my ($r,$message)=@_;
+    # make query information persistent to allow for subsequent revision
+    my $persistent=&make_persistent();
+
+    $r->print(<<BEGINNING);
+<html>
+<head>
+<title>The LearningOnline Network with CAPA</title>
+BEGINNING
+    $r->print(<<RESULTS);
+</head>
+<body bgcolor="#ffffff">
+<img align=right src=/adm/lonIcons/lonlogos.gif>
+<h1>Search Catalog</h1>
+<form method="post" action="/adm/searchcat">
+$persistent
+<input type='button' value='Revise search request'
+onClick='this.form.submit();'>
+$closebutton
+<hr>
+<h3>Helpful Message</h3>
+<p>
+$message
+</p>
+</body>
+</html>
+RESULTS
+}
+
+sub make_persistent {
+    my $persistent='';
+    
+    map {
+	if (/^form\./ && !/submit/) {
+	    my $name=$_;
+	    my $key=$name;
+	    $ENV{$key}=~s/\"/\\\"/g;
+	    $name=~s/^form\.//;
+	    $persistent.=<<END;
+<INPUT TYPE='hidden' NAME='$name' VALUE='$ENV{$key}'>
+END
+        }
+    } (keys %ENV);
+    return $persistent;
+}
 1;
 __END__