From db800f3779e7ebab5a5cac12f3716877453702ca Mon Sep 17 00:00:00 2001
From: Justin Davis <jrcd83@gmail.com>
Date: Thu, 4 Nov 2010 11:03:21 -0700
Subject: [PATCH 2/3] Force info RPC to order results the same as arguments.

When returning multiple results, if a supplied argument is not found
to match any package, then null is returned in that result's place.

The index of the result in the array corresponds to the index of the
argument that matched the results.
---
 web/lib/aurjson.class.php |   48 ++++++++++++++++++++++++++++----------------
 1 files changed, 30 insertions(+), 18 deletions(-)

diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index 82db11b..754d7f5 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -125,33 +125,37 @@ class AurJSON {
             return $this->json_error('No result found');
         $base_query = "SELECT " . implode(',', $this->fields) .
             " FROM Packages WHERE DummyPkg=0 AND ";
-        $pqdatas = explode (' ', $pqdata);
-        $query_stub = "( false ";
-        foreach ($pqdatas as $pqdata) {
-            if ( is_numeric($pqdata) ) {
-                // just using sprintf to coerce the pqd to an int
-                // should handle sql injection issues, since sprintf will
-                // bork if not an int, or convert the string to a number 0
-                $query_stub .= " OR ID={$pqdata}";
+        $args = explode(' ', $pqdata);
+        $queries  = array();
+        for ( $i = 0 ; $i < count( $args ) ; ++$i ) {
+            $arg = $args[$i];
+            if ( is_numeric($arg) ) {
+                array_push( $queries, "ID=$arg" );
+                $args[$i] = array( "type" => "ID", "value" => $arg );
+                continue;
             }
-            else {
-                if(get_magic_quotes_gpc()) {
-                    $pqdata = stripslashes($pqdata);
-                }
-                $query_stub .= sprintf(" OR Name=\"%s\"",
-                    mysql_real_escape_string($pqdata));
+
+            if (get_magic_quotes_gpc()) {
+                $arg = stripslashes($pqdata);
             }
+            array_push( $queries,
+                        sprintf( "Name='%s'",
+                                 mysql_real_escape_string( $arg )));
+            $args[$i] = array( "type" => "Name", "value" => $arg );
         }
-        $query_stub .= " )";
 
-        $result = db_query($base_query.$query_stub, $this->dbh);
+        $base_query .= sprintf( "(%s)", implode( ' OR ', $queries ));
+
+        $result = db_query($base_query, $this->dbh);
 
         if ( !$result || mysql_num_rows($result) == 0 ) {
             return $this->json_error('No result found');
         }
 
-        $info_data = array();
+        /* Make sure args with no found match map to a JSON null */
+        $info_data = array_fill( 0, count( $args ), NULL );
         while ( $row = mysql_fetch_assoc($result)) {
+            /* Convert to UTF8 */
             foreach ( $row as $name => $value ) {
                 /* Do not give misleading errors about empty strings */
                 if ( $value == "" ) continue;
@@ -161,7 +165,15 @@ class AurJSON {
                                 ? "[PKGBUILD error: non-UTF8 character]"
                                 : $utf8_text );
             }
-            array_push($info_data, $row);
+
+            /* Force MYSQL results to correspond to order of args */
+            for ( $i = 0 ; $i < count( $args ); ++$i ) {
+                $col = $args[$i]["type"];
+                if ( $row[$col] == $args[$i]["value"] ) {
+                    $info_data[ $i ] = $row;
+                    break;
+                }
+            }
         }
         mysql_free_result($result);
         return $this->json_results('info', $info_data);
-- 
1.7.3