--- loncom/interface/lonsearchcat.pm 2001/03/21 12:19:53 1.60
+++ loncom/interface/lonsearchcat.pm 2001/03/22 13:10:06 1.64
@@ -477,6 +477,18 @@ sub advancedsearch {
 my %ENV=%{$envhash};
 my $fillflag=0;
+ # Clean up fields for safety
+ for my $field ('title','author','subject','keywords','url','version',
+ 'creationdatestart_month','creationdatestart_day',
+ 'creationdatestart_year','creationdateend_month',
+ 'creationdateend_day','creationdateend_year',
+ 'lastrevisiondatestart_month','lastrevisiondatestart_day',
+ 'lastrevisiondatestart_year','lastrevisiondateend_month',
+ 'lastrevisiondateend_day','lastrevisiondateend_year',
+ 'notes','abstract','mime','language','owner',
+ 'custommetadata') {
+ $ENV{"form.$field"}=~s/[^\w\s\(\)\-\"\']//g;
+ }
 for my $field ('title','author','subject','keywords','url','version',
 'notes','abstract','mime','language','owner',
 'custommetadata') {
@@ -524,17 +536,23 @@ sub advancedsearch {
 $ENV{'form.lastrevisiondateend_day'},
 $ENV{'form.lastrevisiondateend_year'},
 );
- if ($datequery!~/^Incorrect/) {
+ if ($datequery=~/^Incorrect/) {
+ &output_date_error($r,$datequery);
+ return OK;
+ }
+ elsif ($datequery) {
 push @queries,$datequery;
 }
- else {
- &output_date_error($r,$datequery);
+ my $customquery;
+ if ($ENV{'form.custommetadata'}) {
+ $customquery=&build_custommetadata_query('custommetadata',
+ $ENV{'form.custommetadata'});
 }
 if (@queries) {
 $query=join(" AND ",@queries);
 $query="select * from metadata where $query";
 my $reply=&Apache::lonnet::metadata_query($query);
- &output_results('Advanced',$r,$envhash,$query,$reply);
+ &output_results('Advanced',$r,$envhash,$customquery,$reply);
 }
 else {
 &output_results('Advanced',$r,$envhash,$query);
@@ -558,6 +576,11 @@ sub basicsearch {
 my ($r,$envhash)=@_;
 my %ENV=%{$envhash};
+ # Clean up fields for safety
+ for my $field ('basicexp') {
+ $ENV{"form.$field"}=~s/[^\w\s\(\)\-]//g;
+ }
+
 unless (&filled($ENV{'form.basicexp'})) {
 &output_blank_field_error($r);
 return OK;
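Review bot: The whitelist in the cleanup loop added to advancedsearch (`@@ -477,6 +477,18 @@`) keeps `'` and `"`, and it is applied unchanged to the twelve date parts that build_date_queries later places inside single-quoted SQL literals (`'$cyear1-$cmonth1-$cday1'`). A quote that survives the filter can therefore end the literal in the string handed to metadata_query. The date parts only ever need digits, so I would give them their own pass, `$ENV{"form.$field"}=~s/\D//g;`, and keep the wider class for the free-text fields. How the free-text fields are quoted is decided outside this hunk and should be confirmed before the filter is treated as the only SQL defence.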
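Review bot: The fourth argument of output_results now means different things in the two branches at the end of advancedsearch (`@@ -524,17 +536,23 @@`): the `if (@queries)` branch passes `$customquery`, while the `else` branch still passes `$query`. If the callee now expects the custom-metadata match expression in that slot, the else call should read `&output_results('Advanced',$r,$envhash,$customquery);`; if it still expects the SQL text, the first call no longer supplies it. A one-line comment above both calls naming what the slot carries would settle it. output_results is defined outside the hunk, so its expectation is inferred here.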
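Review bot: The cleanup added to basicsearch (`@@ -558,6 +576,11 @@`) edits the lexical `%ENV` that was copied from `%{$envhash}`, so the hash behind `$envhash` keeps the raw form value. The loop added to advancedsearch has the same property, and that sub later hands `$envhash` to output_results. Anything downstream that reads `form.*` through `$envhash` would see unfiltered input, so either write the cleaned value back (`$envhash->{"form.$field"}=$ENV{"form.$field"};`) or filter before taking the copy. The comment `# Clean up fields for safety` would also be more useful if it said why quotes are dropped here but kept in advancedsearch. The rest of basicsearch lies outside the hunk.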
@@ -780,6 +803,17 @@ sub build_SQL_query {
 return $sql_query;
 }
+# ------------------------------------------------- build custom metadata query
+sub build_custommetadata_query {
+ my ($field_name,$logic_statement)=@_;
+ my $q=new Text::Query('abc',
+ -parse => 'Text::Query::ParseAdvanced',
+ -build => 'Text::Query::BuildAdvancedString');
+ $q->prepare($logic_statement);
+ my $matchexp=${$q}{'-parse'}{'-build'}{'matchstring'};
+ return $matchexp;
+}
+
 # - Recursively parse a reverse notation expression into a SQL query expression
 sub recursive_SQL_query_build {
 my ($dkey,$pattern)=@_;
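Review bot: The result of `$q->prepare($logic_statement)` is ignored in build_custommetadata_query, so a form value that does not parse still falls through to reading `matchstring` out of the object's internal hashes. As far as I know Text::Query's prepare returns undef on a syntax error, which would make `$q->prepare($logic_statement) or return '';` a sufficient guard; please confirm against the installed version. `$field_name` is accepted but never used, and `new Text::Query('abc', ...)` is indirect-object syntax that `Text::Query->new('abc', ...)` avoids. The header comment should say what the returned match string is for and that its input is user-supplied.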
@@ -917,8 +951,49 @@ END
 sub build_date_queries {
 my ($cmonth1,$cday1,$cyear1,$cmonth2,$cday2,$cyear2,
 $lmonth1,$lday1,$lyear1,$lmonth2,$lday2,$lyear2)=@_;
-
- return "Incorrect for some reason.";
+ my @queries;
+ if ($cmonth1 or $cday1 or $cyear1 or $cmonth2 or $cday2 or $cyear2) {
+ unless ($cmonth1 and $cday1 and $cyear1 and
+ $cmonth2 and $cday2 and $cyear2) {
+ return "Incorrect entry for the creation date. You must specify ".
+ "a starting month, day, and year and an ending month, ".
+ "day, and year.";
+ }
+ my $cnumeric1=sprintf("%d%2d%2d",$cyear1,$cmonth1,$cday1);
+ $cnumeric1+=0;
+ my $cnumeric2=sprintf("%d%2d%2d",$cyear2,$cmonth2,$cday2);
+ $cnumeric2+=0;
+ if ($cnumeric1>$cnumeric2) {
+ return "Incorrect entry for the creation date. The starting ".
+ "date must occur before the ending date.";
+ }
+ my $cquery="(creationdate BETWEEN '$cyear1-$cmonth1-$cday1' AND '".
+ "$cyear2-$cmonth2-$cday2 23:59:59')";
+ push @queries,$cquery;
+ }
+ if ($lmonth1 or $lday1 or $lyear1 or $lmonth2 or $lday2 or $lyear2) {
+ unless ($lmonth1 and $lday1 and $lyear1 and
+ $lmonth2 and $lday2 and $lyear2) {
+ return "Incorrect entry for the last revision date. You must ".
+ "specify a starting month, day, and year and an ending ".
+ "month, day, and year.";
+ }
+ my $lnumeric1=sprintf("%d%2d%2d",$lyear1,$lmonth1,$lday1);
+ $lnumeric1+=0;
+ my $lnumeric2=sprintf("%d%2d%2d",$lyear2,$lmonth2,$lday2);
+ $lnumeric2+=0;
+ if ($lnumeric1>$lnumeric2) {
+ return "Incorrect entry for the last revision date. The ".
+ "starting date must occur before the ending date.";
+ }
+ my $lquery="(lastrevisiondate BETWEEN '$lyear1-$lmonth1-$lday1' AND '".
+ "$lyear2-$lmonth2-$lday2 23:59:59')";
+ push @queries,$lquery;
+ }
+ if (@queries) {
+ return join(" AND ",@queries);
+ }
+ return '';
 }
 sub output_date_error {
@@ -961,5 +1036,8 @@ $message
 RESULTS
 }
+sub make_persistent {
+ $ENV{"form.$field"}=~s/\"/\\\"/g;
+}
 1;
 __END__
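Review bot: The ordering check in build_date_queries (`@@ -917,8 +951,49 @@`) compares values built with `sprintf("%d%2d%2d",...)`, and `%2d` pads with a space rather than a zero. A one-digit month yields a string such as `2001 3 5`, which `+=0` reduces to 2001, so start and end dates are compared on mismatched scales and the "starting date must occur before the ending date" test can pass or fail wrongly. `sprintf("%04d%02d%02d",$cyear1,$cmonth1,$cday1)` fixes it, and the other three sprintf lines need the same change. The BETWEEN strings also interpolate the raw arguments; building them from `%d`-formatted parts would ensure only digits reach the SQL text. Month and day ranges are not checked anywhere in the hunk.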
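Review bot: make_persistent (`@@ -961,5 +1036,8 @@`) uses `$field` without declaring it or reading `@_`, and `%ENV` at this point is the real process environment, not the lexical copy the search subs work on. Under `use strict` the sub would not compile; without it the substitution runs on `$ENV{"form."}`. If the intent is to escape double quotes in a form value, the input has to be passed in, for example `my ($value)=@_; $value=~s/\"/\\\"/g; return $value;`. A header comment like those on the neighbouring subs should say where the escaped value ends up, since backslash-escaping is only appropriate for some output contexts.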