--- loncom/interface/lonsearchcat.pm 2001/03/21 12:58:30 1.63 +++ loncom/interface/lonsearchcat.pm 2001/03/22 13:10:06 1.64 @@ -477,6 +477,18 @@ sub advancedsearch { my %ENV=%{$envhash}; my $fillflag=0; + # Clean up fields for safety + for my $field ('title','author','subject','keywords','url','version', + 'creationdatestart_month','creationdatestart_day', + 'creationdatestart_year','creationdateend_month', + 'creationdateend_day','creationdateend_year', + 'lastrevisiondatestart_month','lastrevisiondatestart_day', + 'lastrevisiondatestart_year','lastrevisiondateend_month', + 'lastrevisiondateend_day','lastrevisiondateend_year', + 'notes','abstract','mime','language','owner', + 'custommetadata') { + $ENV{"form.$field"}=~s/[^\w\s\(\)\-\"\']//g; + } for my $field ('title','author','subject','keywords','url','version', 'notes','abstract','mime','language','owner', 'custommetadata') { @@ -531,11 +543,16 @@ sub advancedsearch { elsif ($datequery) { push @queries,$datequery; } + my $customquery; + if ($ENV{'form.custommetadata'}) { + $customquery=&build_custommetadata_query('custommetadata', + $ENV{'form.custommetadata'}); + } if (@queries) { $query=join(" AND ",@queries); $query="select * from metadata where $query"; my $reply=&Apache::lonnet::metadata_query($query); - &output_results('Advanced',$r,$envhash,$query,$reply); + &output_results('Advanced',$r,$envhash,$customquery,$reply); } else { &output_results('Advanced',$r,$envhash,$query); @@ -559,6 +576,11 @@ sub basicsearch { my ($r,$envhash)=@_; my %ENV=%{$envhash}; + # Clean up fields for safety + for my $field ('basicexp') { + $ENV{"form.$field"}=~s/[^\w\s\(\)\-]//g; + } + unless (&filled($ENV{'form.basicexp'})) { &output_blank_field_error($r); return OK; 
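Review bot: In the `@@ -477,6 +477,18 @@` hunk the new filter `s/[^\w\s\(\)\-\"\']//g` keeps both quote characters, and the same fields are later joined into `select * from metadata where $query` (visible in the next hunk), so this pass alone does not stop a value from closing a quoted SQL literal. Whether `build_SQL_query` escapes quotes is outside this diff; if it does not, escape where the value enters the literal rather than relying on this clean-up. The pass also edits only the lexical copy `my %ENV=%{$envhash}`, while `$envhash` itself is still handed to `output_results`, so any code that reads form fields from it sees the raw input; the basicsearch hunk follows the same pattern. The date parts could be held to digits with `s/\D//g`, and the comment should name the allowed characters and say why quotes are kept.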
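Review bot: In the `@@ -531,11 +543,16 @@` hunk the fourth argument of `output_results` now means two different things: the `if (@queries)` branch passes `$customquery`, while the `else` branch still passes `$query`. `$customquery` is also left undefined when `form.custommetadata` is empty, and it carries an expression derived from user input whose handling inside `output_results` is not visible here. I would initialise it with `my $customquery='';`, pass the same variable in both branches, and add a comment at the call saying the value is a Text::Query match string built from `form.custommetadata` and must be treated as data, not code. The body of advancedsearch starts and ends outside the hunk.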
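Review bot: In the `@@ -559,6 +576,11 @@` hunk the substitution runs before the `filled` check, so a request without `form.basicexp` applies `s///` to an undefined value and, with warnings on, logs an uninitialized-value warning. The one-element `for` loop is not needed; `$ENV{'form.basicexp'}=~s/[^\w\s\(\)\-]//g if defined $ENV{'form.basicexp'};` says the same thing directly. `\w` is wider than ASCII letters and digits when locale or Unicode rules are in effect, so if only ASCII is intended the class is better spelled out as `A-Za-z0-9_`. basicsearch continues past the end of the hunk.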
@@ -781,6 +803,17 @@ sub build_SQL_query { return $sql_query; } +# ------------------------------------------------- build custom metadata query +sub build_custommetadata_query { + my ($field_name,$logic_statement)=@_; + my $q=new Text::Query('abc', + -parse => 'Text::Query::ParseAdvanced', + -build => 'Text::Query::BuildAdvancedString'); + $q->prepare($logic_statement); + my $matchexp=${$q}{'-parse'}{'-build'}{'matchstring'}; + return $matchexp; +} + # - Recursively parse a reverse notation expression into a SQL query expression sub recursive_SQL_query_build { my ($dkey,$pattern)=@_; @@ -1003,5 +1036,8 @@ $message RESULTS } +sub make_persistent { + $ENV{"form.$field"}=~s/\"/\\\"/g; +} 1; __END__
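Review bot: `build_custommetadata_query` ignores the result of `$q->prepare($logic_statement)` and then reads the object's internals through `${$q}{'-parse'}{'-build'}{'matchstring'}`, so a logic statement that fails to parse presumably yields undef or an unexpected value instead of a handled error. Check the call, e.g. `return unless $q->prepare($logic_statement);`, and use the direct constructor form `Text::Query->new('abc', ...)` rather than the indirect-object `new Text::Query(...)`. `$field_name` is accepted but never used; either use it or say in the header comment that it is reserved. The header comment should also state that the returned match string is derived from user input, so callers know to treat it as data.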
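Review bot: `make_persistent` takes no arguments and uses `$field`, which is not declared in the sub, and `%ENV` here is not the per-request copy the search subs create with `my %ENV=%{$envhash}`; unless file-level declarations outside this diff supply both, the substitution acts on an unintended key of the process environment. The escaping is also incomplete: `s/\"/\\\"/g` escapes only the double quote, so a value that already holds a backslash in front of a quote ends up with an escaped backslash followed by a bare quote. Escape the backslash in the same pass with `s/([\\"])/\\$1/g`, and take the value as a parameter, e.g. `my ($value)=@_;`, returning the escaped copy. Where the result is emitted is not visible; if it ends up in an HTML attribute, entity-encoding is the right escape instead.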