Code: Select all
<?php
header("Content-type: text/xml");
echo("<?xml version='1.0' ?>\n");
function estimate($string)
{
$stringLength = strlen($string);
$subtract = floor($stringLength*.20);
$newString = substr($string,0,$stringLength-$subtract);
return trim($newString);
}
// Sanitizes user inputs
// Usage: $cleanArray = sanitize($taintedArray);
function sanitize($arr)
{
foreach ($arr as $key => $value)
{
$arr[$key] = trim(preg_replace("/[^0-9a-zA-Z@. _?\n,:\/'-]/", "", $arr[$key]));
$arr[$key] = str_replace("'","''",$arr[$key]); # For SQL inserts
}
return ($arr);
}
// Remove apostraphe from strings
function stripApost($data)
{
return preg_replace (
array (
"/'/" // remove single apostraphe
),
array (
'' // ... nothing
),
$data);
}
// Sanitize tainted data
$_GET = sanitize($_GET);
// Use first 80% of user variables to guess possible matches
$firstname = isset($_GET['fName']) ? estimate($_GET['fName']) : "";
$lastname = isset($_GET['lName']) ? estimate($_GET['lName']) : "";
$street = isset($_GET['street']) ? estimate($_GET['street']) : "";
$area = isset($_GET['area']) ? estimate($_GET['area']) : "";
$postcode = isset($_GET['postcode']) ? estimate($_GET['postcode']) : "";
$tel = isset($_GET['tel']) ? estimate($_GET['tel']) : "";
$email = isset($_GET['email']) ? estimate($_GET['email']) : "";
$db = mysql_connect("localhost","root","") or die("unable to perform action");
mysql_select_db("project",$db) or die("unable to perform action");
$sql = "
SELECT b.photo, b.advert_ID FROM property a INNER JOIN property_advert b ON a.property_ID = b.property_ID
";
$sql3 = "SELECT photo FROM property_advert WHERE property_ID = 2";
if ($lastname) $sql .= "AND lName LIKE '$lastname%' ";
if ($street) $sql .= "AND street LIKE '$street%' ";
if ($area) $sql .= "AND city LIKE '$area%' ";
if ($postcode) $sql .= "AND postcode LIKE '$postcode%' ";
if ($tel) $sql .= "AND private_tel LIKE '$tel%' ";
if ($email) $sql .= "AND email LIKE '$email%' ";
$result = mysql_query($sql);
$result2 = mysql_query($sql3);
$photo=mysql_result($result2,"photo");
?>
<owners>
<?
if ($myrow = mysql_fetch_array($result)) {
do {
?>
<entry id='<?=$myrow['advert_ID']?>001'>
<title><?=$myrow['advert_ID']?></title>
<image><?=$myrow['photo']?></image>
</entry>
<?
}while ($myrow = mysql_fetch_array($result));
}else{
?>
<entry id='001'>
</entry>
<?
}
?>
</owners>