[mythtv] [PATCH] Mythweb -- generalized SQL queries, HD search,
page of canned searches
Chris Petersen
lists at forevermore.net
Sun Feb 27 23:17:46 UTC 2005
> a) One can preface "hd:" to a search and find only programs broadcast in
> HDTV.
Good enough, but I think I'm going to make this a checkbox option like
"exact match" -- you'll see the commit go in soon.
> b) One can provide a parameter "sql" which is a generalized SQL query for
> the "program" table to search.php. This is mostly used below, but
> allows users to build complex queries, if they know their SQL, and bookmark
> them for future searching.
I can't allow this -- it's too blatant of a security risk.
> c) Added a new page of "Searches". This page contains a list of links
> which are canned searches, largely generated using the sql search option.
> Coders can readily add new searches to the page that might be popular.
> Users can use that page, or go there once and bookmark them for future
> easy searching. Thus only developers need know SQL.
I'd accept this kind of thing if you made a hash/database (in a config
file?) of the searches, and referenced them that way. Something like
"search.php?custom_search=3star_moviesearch" that would link to the
movie search with a filter of 3 stars minimum (etc). Having something
that can accept raw SQL on the URL string is just dangerous.
BTW, you can't have whitespace in a URL, either. Most browsers are
smart enough to replace it with + or %20, but you can't rely on it (it's
bad form, anyway). Any href="" stuff should be completely URL-encoded
in the source.
-CHris
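The allowlisted "custom_search=name" design proposed in the reply, as an added example that is not MythWeb's own code: the URL parameter is only a key into a fixed table of queries with bound parameters, so no request text ever becomes SQL. The in-memory "program" table, its columns and the sample rows are constructed for the example.

```python
import sqlite3
from urllib.parse import urlencode

# Constructed stand-in for MythTV's "program" table (only the columns used here).
SAMPLE_PROGRAMS = [
    ("Big Movie", "movie", 4.0, 1),
    ("Small Movie", "movie", 2.5, 0),
    ("Nightly News", "news", None, 1),
]

# The hash of canned searches the reply asks for: name -> (fixed SQL, bound params).
# Query text is decided by the developer; the URL can only pick a name.
CANNED_SEARCHES = {
    "3star_moviesearch": (
        "SELECT title FROM program WHERE category_type = ? AND stars >= ? ORDER BY title",
        ("movie", 3.0),
    ),
    "hd_programs": (
        "SELECT title FROM program WHERE hdtv = 1 ORDER BY title",
        (),
    ),
}


def open_sample_db():
    """Build the constructed sample database in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE program (title TEXT, category_type TEXT, stars REAL, hdtv INTEGER)")
    db.executemany("INSERT INTO program VALUES (?, ?, ?, ?)", SAMPLE_PROGRAMS)
    return db


def run_custom_search(db, name):
    """Resolve search.php?custom_search=<name>; unknown names are rejected outright."""
    if name not in CANNED_SEARCHES:
        raise KeyError(f"unknown custom_search: {name!r}")
    sql, params = CANNED_SEARCHES[name]
    return [row[0] for row in db.execute(sql, params)]


def canned_search_links(base="search.php"):
    """Links for a 'Searches' page, fully URL-encoded as the reply recommends."""
    return {name: f"{base}?{urlencode({'custom_search': name})}" for name in CANNED_SEARCHES}
```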