From 0f2b58a10d9baa66912d87faf96a0bb02859572e Mon Sep 17 00:00:00 2001
From: chicpro
Date: Thu, 26 Feb 2015 17:11:51 +0900
Subject: [PATCH] =?UTF-8?q?=EC=83=81=ED=92=88=EA=B2=80=EC=83=89=20?= =?UTF-8?q?=EC=98=A4=EB=A5=98=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 mobile/shop/search.php | 18 +++++++++++++++---
 shop/search.php | 18 +++++++++++++++---
 2 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/mobile/shop/search.php b/mobile/shop/search.php
index 584ea9952..9492da868 100644
--- a/mobile/shop/search.php
+++ b/mobile/shop/search.php
@@ -23,7 +23,17 @@ $qid = isset($_GET['qid']) ? trim($_GET['qid']) : '';
 $qcaid = isset($_GET['qcaid']) ? trim($_GET['qcaid']) : '';
 $qfrom = isset($_GET['qfrom']) ? preg_replace('/[^0-9]/', '', trim($_GET['qfrom'])) : '';
 $qto = isset($_GET['qto']) ? preg_replace('/[^0-9]/', '', trim($_GET['qto'])) : '';
-$qsort = trim($_GET['qsort']);
+if (isset($_GET['qsort'])) {
+ $qsort = trim($_GET['qsort']);
+ $qsort = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\s]/", "", $qsort);
+} else {
+ $qsort = '';
+}
+if (isset($_GET['qorder'])) {
+ $qorder = preg_match("/^(asc|desc)$/i", $qorder) ? $qorder : '';
+} else {
+ $qorder = '';
+}

 // 검색범위 checkbox 처리
 $qname_check = false;
@@ -71,7 +81,7 @@ if ($q) {

 if ($qcaid)
 $where[] = " a.ca_id like '$qcaid%' ";
-if ($qfrom || $qto)
+if ($qfrom && $qto)
 $where[] = " a.it_price between '$qfrom' and '$qto' ";

 $sql_where = " where " . implode(" and ", $where);
@@ -198,7 +208,9 @@ $total_page = ceil($total_count / $items); // 전체 페이지 계산
 echo '
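Review bot: In the new `qorder` branch, `$qorder = preg_match("/^(asc|desc)$/i", $qorder) ? $qorder : '';` tests and returns `$qorder` itself, which nothing in the hunk has assigned from the request, so unless it is set earlier in the file the `isset($_GET['qorder'])` path reads an undefined variable and always yields an empty order. It should read the parameter, and `$` without the `D` modifier accepts a trailing newline, so `$qorder = preg_match("/^(asc|desc)$/iD", $_GET['qorder']) ? $_GET['qorder'] : '';`. The `$qsort` lines above it strip a denylist of characters from a value that is presumably interpolated into an ORDER BY clause; an allowlist of the column names the page actually sorts by is the reliable control, e.g. `if (!in_array($qsort, $allowed_sort_columns, true)) $qsort = '';` where `$allowed_sort_columns` is a placeholder for that list. The same block is added to shop/search.php at `@@ -28,7 +28,17 @@`.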
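Review bot: `if ($qfrom && $qto)` treats the string `'0'` as false in PHP, so a price range whose lower bound is 0 (`qfrom=0&qto=5000`) silently drops the `between` filter; the replaced `||` form had the opposite problem of emitting `between '' and ...` when only one bound was supplied. Both values are already reduced to digits by the `preg_replace` above, so compare explicitly: `if ($qfrom !== '' && $qto !== '')`. The same condition is repeated on the `$query_string` line in `@@ -198,7 +208,9 @@` and in the two corresponding hunks of shop/search.php (`@@ -76,7 +86,7 @@`, `@@ -205,7 +215,9 @@`).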
'.$error.'
';
 }
- $query_string .= 'ca_id='.$ca_id.'&q='.urlencode($q);
+ $query_string = 'qname='.$qname.'&qexplan='.$qexplan.'&qid='.$qid;
+ if($qfrom && $qto) $query_string .= '&qfrom='.$qfrom.'&qto='.$qto;
+ $query_string .= '&qcaid='.$qcaid.'&q='.urlencode($q);
 $query_string .='&qsort='.$qsort.'&qorder='.$qorder;
 echo get_paging($config['cf_mobile_pages'], $page, $total_page, $_SERVER['PHP_SELF'].'?'.$query_string.'&page=');
 ?>
diff --git a/shop/search.php b/shop/search.php
index ba61dc4e3..11b127b0f 100644
--- a/shop/search.php
+++ b/shop/search.php
@@ -28,7 +28,17 @@ $qid = isset($_GET['qid']) ? trim($_GET['qid']) : '';
 $qcaid = isset($_GET['qcaid']) ? trim($_GET['qcaid']) : '';
 $qfrom = isset($_GET['qfrom']) ? preg_replace('/[^0-9]/', '', trim($_GET['qfrom'])) : '';
 $qto = isset($_GET['qto']) ? preg_replace('/[^0-9]/', '', trim($_GET['qto'])) : '';
-$qsort = trim($_GET['qsort']);
+if (isset($_GET['qsort'])) {
+ $qsort = trim($_GET['qsort']);
+ $qsort = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\s]/", "", $qsort);
+} else {
+ $qsort = '';
+}
+if (isset($_GET['qorder'])) {
+ $qorder = preg_match("/^(asc|desc)$/i", $qorder) ? $qorder : '';
+} else {
+ $qorder = '';
+}

 // 검색범위 checkbox 처리
 $qname_check = false;
@@ -76,7 +86,7 @@ if ($q) {

 if ($qcaid)
 $where[] = " a.ca_id like '$qcaid%' ";
-if ($qfrom || $qto)
+if ($qfrom && $qto)
 $where[] = " a.it_price between '$qfrom' and '$qto' ";

 $sql_where = " where " . implode(" and ", $where);
@@ -205,7 +215,9 @@ if ($is_admin) {
 echo '
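Review bot: The rebuilt `$query_string` concatenates `$qname`, `$qexplan`, `$qid`, `$qfrom`, `$qto`, `$qcaid`, `$qsort` and `$qorder` without `urlencode()`; only `$q` is encoded. `$qid` and `$qcaid` are merely `trim()`ed request values (first hunk), so a `&`, `#` or `<` in them restructures the paging URL handed to `get_paging()`, and unless that helper escapes its argument for the HTML context the value is reflected into the page. Build the string with `http_build_query()` over the eight parameters instead, which also removes the manual `&` bookkeeping around the optional price range; note the line also switches from `.=` to `=`, discarding anything appended to `$query_string` earlier in the file, which is worth confirming is intended. The same block is added to shop/search.php at `@@ -205,7 +215,9 @@`.
```php
    $params = ['qname' => $qname, 'qexplan' => $qexplan, 'qid' => $qid];
    if ($qfrom !== '' && $qto !== '') {
        $params['qfrom'] = $qfrom;
        $params['qto'] = $qto;
    }
    $params += ['qcaid' => $qcaid, 'q' => $q, 'qsort' => $qsort, 'qorder' => $qorder];
    $query_string = http_build_query($params);
    // … unchanged: get_paging() call …
```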
'.$error.'
';
 }
- $query_string .= 'ca_id='.$ca_id.'&q='.urlencode($q);
+ $query_string = 'qname='.$qname.'&qexplan='.$qexplan.'&qid='.$qid;
+ if($qfrom && $qto) $query_string .= '&qfrom='.$qfrom.'&qto='.$qto;
+ $query_string .= '&qcaid='.$qcaid.'&q='.urlencode($q);
 $query_string .='&qsort='.$qsort.'&qorder='.$qorder;
 echo get_paging($config['cf_write_pages'], $page, $total_page, $_SERVER['PHP_SELF'].'?'.$query_string.'&page=');
 ?>