
Clean up and secure demographics.php and related scripts-functions (r…
…emove fake globals, run global undomagicquotes, integrate binding into SQL queries to prevent SQL injection, and integrate htmlspecialchars to prevent XSS attacks)
bradymiller committed Jun 23, 2010
1 parent 28f0259 commit c0bfa8a
Showing 7 changed files with 280 additions and 201 deletions.
236 changes: 135 additions & 101 deletions interface/patient_file/summary/demographics.php


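--- a/interface/patient_file/summary/patient_picture.php
+++ b/interface/patient_file/summary/patient_picture.php
@@ -1,15 +1,24 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 require_once("../../globals.php");
 require_once("$srcdir/sql.inc");
 function pic_array() {
 $picture_directory = "Patient Photograph"; //change this if you want
 $pics = array();
-$sql_query = "select documents.id from documents join categories_to_documents on documents.id = categories_to_documents.document_id join categories on categories.id = categories_to_documents.category_id where categories.name like '$picture_directory' and documents.foreign_id = ".$_SESSION['pid'];
-if ($query = sqlStatement($sql_query)) {
-while ($results = mysql_fetch_array($query)) {
+$sql_query = "select documents.id from documents join categories_to_documents on documents.id = categories_to_documents.document_id join categories on categories.id = categories_to_documents.category_id where categories.name like ? and documents.foreign_id = ?";
+if ($query = sqlStatement($sql_query, array($picture_directory, $_SESSION['pid']) )) {
+while( $results = sqlFetchArray($query) ) {
 $tmp = $results['id'];
 if (isset($tmp)) {
-array_push($pics,"<div name='Patient Photograph' class='patient_pic'><img src='".$GLOBALS['webroot']."/controller.php?document&retrieve&patient_id=".$_SESSION['pid']."&document_id=".$tmp."&as_file=false' alt='Patient Photograph'></div>\n");
+array_push($pics,"<div name='Patient Photograph' class='patient_pic'><img src='".$GLOBALS['webroot']."/controller.php?document&retrieve&patient_id=".htmlspecialchars($_SESSION['pid'],ENT_QUOTES)."&document_id=".htmlspecialchars($tmp,ENT_QUOTES)."&as_file=false' alt='Patient Photograph'></div>\n");
 }
 }
 }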
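Review bot: The `like ?` comparison in the rewritten category query still treats `%` and `_` in the bound value as wildcards, so the binding closes the injection hole but not the over-match: a category name containing either character would match more rows than intended. Since `$picture_directory` is a literal that the adjacent comment invites people to change, `categories.name = ?` is the stricter and cheaper form. The `patient_id` and `document_id` values in the `<img src>` are HTML-escaped for the attribute context but not URL-encoded; for the integer ids this appears to carry it makes no difference, but `htmlspecialchars(urlencode($tmp),ENT_QUOTES)` (or a cast to int) is the context-correct form. `pic_array()` continues past the end of the hunk.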
54 changes: 36 additions & 18 deletions interface/patient_file/summary/pnotes_fragment.php
Expand Up @@ -4,6 +4,14 @@
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.

//SANITIZE ALL ESCAPES
$sanitize_all_escapes=true;
//

//STOP FAKE REGISTER GLOBALS
$fake_register_globals=false;
//

require_once("../../globals.php");
require_once("$srcdir/pnotes.inc");
require_once("$srcdir/acl.inc");
Expand Down Expand Up @@ -35,26 +43,26 @@
$thisauth = 0;
}
if (!$thisauth) {
echo "<p>(" . xl('Notes not authorized') . ")</p>\n";
echo "<p>(" . htmlspecialchars(xl('Notes not authorized'),ENT_NOQUOTES) . ")</p>\n";
} else { ?>

<table width='100%'>

<?php

$conn = $GLOBALS['adodb']['db'];

// Get the billing note if there is one.
$billing_note = "";
$colorbeg = "";
$colorend = "";
$sql = "select genericname2, genericval2 " .
"from patient_data where pid = '$pid' limit 1";
$resnote = $conn->Execute($sql);
if($resnote && !$resnote->EOF && $resnote->fields['genericname2'] == 'Billing') {
$billing_note = $resnote->fields['genericval2'];
$colorbeg = "<span style='color:red'>";
$colorend = "</span>";
"from patient_data where pid = ? limit 1";
$resnote = sqlQuery($sql, array($pid) );
if ($resnote) {
if ($resnote['genericname2'] == 'Billing') {
$billing_note = $resnote['genericval2'];
$colorbeg = "<span style='color:red'>";
$colorend = "</span>";
}
}

//Display what the patient owes
Expand All @@ -63,14 +71,18 @@
$has_note = 1;
$formatted = oeFormatMoney($balance);
echo " <tr class='text billing'>\n";
echo " <td>".$colorbeg.xl('Balance Due').$colorend."</td><td>".$colorbeg.$formatted.$colorend."</td>\n";
echo " <td>".$colorbeg.
htmlspecialchars(xl('Balance Due'),ENT_NOQUOTES).$colorend."</td><td>".$colorbeg.
htmlspecialchars($formatted,ENT_NOQUOTES).$colorend."</td>\n";
echo " </tr>\n";
}

if ($billing_note) {
$has_note = 1;
echo " <tr class='text billing'>\n";
echo " <td>".$colorbeg.xl('Billing Note').$colorend."</td><td>".$colorbeg.$billing_note.$colorend."</td>\n";
echo " <td>".$colorbeg.
htmlspecialchars(xl('Billing Note'),ENT_NOQUOTES).$colorend."</td><td>".$colorbeg.
htmlspecialchars($billing_note,ENT_NOQUOTES).$colorend."</td>\n";
echo " </tr>\n";
}

Expand All @@ -87,11 +99,12 @@
if (preg_match('/^\d\d\d\d-\d\d-\d\d \d\d\:\d\d /', $body)) {
$body = nl2br(oeFormatPatientNote($body));
} else {
$body = oeFormatSDFT(strtotime($iter['date'])) . date(' H:i', strtotime($iter['date'])) .
' (' . $iter['user'] . ') ' . nl2br(oeFormatPatientNote($body));
$body = htmlspecialchars(oeFormatSDFT(strtotime($iter['date'])) . date(' H:i', strtotime($iter['date'])) .
' (' . $iter['user'] . ') ',ENT_NOQUOTES) .
nl2br(htmlspecialchars(oeFormatPatientNote($body),ENT_NOQUOTES));
}

echo " <tr class='text' id='".$iter['id']."' style='border-bottom:1px dashed' >\n";
echo " <tr class='text' id='".htmlspecialchars($iter['id'],ENT_QUOTES)."' style='border-bottom:1px dashed' >\n";

// Modified 6/2009 by BM to incorporate the patient notes into the list_options listings
echo " <td valign='top' class='text'><b>";
Expand All @@ -110,15 +123,20 @@
<?php
if ( $has_note < 1 ) { ?>
<span class='text'>
<?php echo xl( "There are no notes on file for this patient.", "e" );
echo " "; echo xl("To add notes, please click ", "e" ); echo "<a href='pnotes_full.php'>"; echo xl("here", "e"); echo "</a>."; ?>
<?php echo htmlspecialchars(xl( "There are no notes on file for this patient."),ENT_NOQUOTES);
echo " ";
echo htmlspecialchars(xl("To add notes, please click "),ENT_NOQUOTES);
echo "<a href='pnotes_full.php'>";
echo htmlspecialchars(xl("here"),ENT_NOQUOTES);
echo "</a>."; ?>
</span>
<?php } else {
?>
<br/>
<span class='text'>
<?php // todo: fix this when parameterized translations are possible ?>
Displaying the <b><?php echo $N;?></b> most recent notes. Click <a href='pnotes_full.php'>here</a> to view them all.
<?php echo htmlspecialchars(xl('Displaying the following number of most recent notes:'),ENT_NOQUOTES); ?>
<b><?php echo $N;?></b><br>
<a href='pnotes_full.php'><?php echo htmlspecialchars(xl('Click here to view them all.'),ENT_NOQUOTES); ?></a>
</span>
<?php
} ?>
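Review bot: The timestamp-prefixed branch of the note formatting, `$body = nl2br(oeFormatPatientNote($body));`, is still emitted without escaping while the `else` branch now wraps the same call in `htmlspecialchars`, so a note whose text starts with `YYYY-MM-DD HH:MM ` bypasses the XSS fix this commit adds (unless `oeFormatPatientNote()` escapes internally, which is not visible here). Changing that line to `$body = nl2br(htmlspecialchars(oeFormatPatientNote($body),ENT_NOQUOTES));` makes both branches consistent. Further down, `<b><?php echo $N;?></b>` is the one remaining unescaped echo in the section; if `$N` is a configured integer, `(int)$N` documents that assumption. The loop that builds `$body` starts before the hunk and the line that echoes it lies outside it.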
53 changes: 33 additions & 20 deletions interface/patient_file/summary/stats.php
@@ -1,8 +1,18 @@
<?php

//SANITIZE ALL ESCAPES
$sanitize_all_escapes=true;
//

//STOP FAKE REGISTER GLOBALS
$fake_register_globals=false;
//

include_once("../../globals.php");
include_once("$srcdir/lists.inc");
include_once("$srcdir/acl.inc");
include_once("$srcdir/options.inc.php");
include_once("$srcdir/formdata.inc.php");

?>

Expand All @@ -16,7 +26,7 @@
$thisauth = 0;
}
if (!$thisauth) {
echo "<p>(".xl('Issues not authorized').")</p>\n";
echo "<p>(".htmlspecialchars(xl('Issues not authorized'),ENT_NOQUOTES).")</p>\n";
echo "</body>\n</html>\n";
exit();
}
Expand All @@ -41,21 +51,21 @@ function load_location( location ) {
foreach ($ISSUE_TYPES as $key => $arr) {
// $result = getListByType($pid, $key, "id,title,begdate,enddate,returndate,extrainfo", "all", "all", 0);

$query = "SELECT * FROM lists WHERE pid = $pid AND type = '$key' AND ";
$query = "SELECT * FROM lists WHERE pid = ? AND type = ? AND ";
$query .= "enddate IS NULL ";
$query .= "ORDER BY begdate";
$pres = sqlStatement($query);
$pres = sqlStatement($query, array($pid, $key) );

if (mysql_num_rows($pres) > 0 || $ix == 0) {
if (sqlNumRows($pres) > 0 || $ix == 0) {

// output a header for the $ISSUE_TYPE
echo " <tr class='issuetitle'>\n";
echo " <td colspan='$numcols'>\n";

?>
<span class="text"><b><?php echo $arr[0] ?></b></span>
<span class="text"><b><?php echo htmlspecialchars($arr[0],ENT_NOQUOTES); ?></b></span>
<a href="javascript:;" class="small" onclick="load_location('stats_full.php?active=all')">
(<b><?php echo xl('Manage') ?></b>)
(<b><?php echo htmlspecialchars(xl('Manage'),ENT_NOQUOTES); ?></b>)
</a>
<?php

Expand All @@ -73,7 +83,7 @@ function load_location( location ) {

echo " <tr class='text $rowclass;'>\n";

echo " <td colspan='$numcols'>&nbsp;&nbsp;" . $row['title'] . "</td>\n";
echo " <td colspan='$numcols'>&nbsp;&nbsp;" . htmlspecialchars($row['title'],ENT_NOQUOTES) . "</td>\n";

echo " </tr>\n";
}
Expand All @@ -91,13 +101,14 @@ function load_location( location ) {
//
$need_head = true;
foreach (array('treatment_protocols','injury_log') as $formname) {
if (mysql_num_rows(sqlStatement("SHOW TABLES LIKE 'form_$formname'")) > 0) {
if (sqlNumRows(sqlStatement("SHOW TABLES LIKE ?", array("form_".$formname) )) > 0) {
$dres = sqlStatement("SELECT tp.id, tp.value FROM forms, " .
"form_$formname AS tp WHERE forms.pid = $pid AND " .
"forms.formdir = '$formname' AND tp.id = forms.form_id AND " .
"form_" . add_escape_custom($formname) .
" AS tp WHERE forms.pid = ? AND " .
"forms.formdir = ? AND tp.id = forms.form_id AND " .
"tp.rownbr = -1 AND tp.colnbr = -1 AND tp.value LIKE '0%' " .
"ORDER BY tp.value DESC");
if (mysql_num_rows($dres) > 0 && $need_head) {
"ORDER BY tp.value DESC", array($pid, $formname) );
if (sqlNumRows($dres) > 0 && $need_head) {
$need_head = false;
echo " <tr>\n";
echo " <td colspan='$numcols' valign='top'>\n";
Expand All @@ -111,7 +122,9 @@ function load_location( location ) {
echo " <td colspan='$numcols'>&nbsp;&nbsp;";
echo "<a class='link' href='javascript:;' ";
echo "onclick='load_location(\"../../forms/$formname/new.php?popup=1&id=";
echo $row['id'] . "\")'>$start_date $template_name</a></td>\n";
echo htmlspecialchars($row['id'],ENT_QUOTES) . "\")'>" .
htmlspecialchars($start_date,ENT_NOQUOTES) . " " .
htmlspecialchars($template_name,ENT_NOQUOTES) . "</a></td>\n";
echo " </tr>\n";
}
}
Expand All @@ -124,9 +137,9 @@ function load_location( location ) {
<table id="patient_stats_imm">
<tr>
<td colspan='<?php echo $numcols ?>' valign='top'>
<span class="text"><b><?php echo xl('Immunizations', 'e') ?></b></span>
<span class="text"><b><?php echo htmlspecialchars(xl('Immunizations', 'e'),ENT_NOQUOTES); ?></b></span>
<a href="javascript:;" class="small" onclick="javascript:load_location('immunizations.php')">
(<b><?php echo xl('Manage') ?></b>)
(<b><?php echo htmlspecialchars(xl('Manage'),ENT_NOQUOTES) ?></b>)
</a>
</td></tr>
<tr><td>
Expand All @@ -135,16 +148,16 @@ function load_location( location ) {
$sql = "select i1.id as id, i1.immunization_id as immunization_id,".
" if (i1.administered_date, concat(i1.administered_date,' - '), substring(i1.note,1,20)) as immunization_data ".
" from immunizations i1 ".
" where i1.patient_id = $pid ".
" where i1.patient_id = ? ".
" order by i1.immunization_id, i1.administered_date desc";

$result = sqlStatement($sql);
$result = sqlStatement($sql, array($pid) );

while ($row=sqlFetchArray($result)){
echo "&nbsp;&nbsp;";
echo "<a class='link'";
echo "' href='javascript:;' onclick='javascript:load_location(\"immunizations.php?mode=edit&id=".$row['id'] . "\")'>" .
$row{'immunization_data'} .
echo "' href='javascript:;' onclick='javascript:load_location(\"immunizations.php?mode=edit&id=".htmlspecialchars($row['id'],ENT_QUOTES) . "\")'>" .
htmlspecialchars($row{'immunization_data'},ENT_NOQUOTES) .
generate_display_field(array('data_type'=>'1','list_id'=>'immunizations'), $row['immunization_id']) .
"</a><br>\n";
}
Expand All @@ -159,7 +172,7 @@ function load_location( location ) {
<div>
<table id="patient_stats_prescriptions">
<tr><td colspan='<?php echo $numcols ?>' class='issuetitle'>
<span class='text'><b><?php echo xl('Prescriptions'); ?></b></span>
<span class='text'><b><?php echo htmlspecialchars(xl('Prescriptions'),ENT_NOQUOTES); ?></b></span>
</td></tr>
</tr><td>
<?php
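Review bot: In the immunization list, `htmlspecialchars($row['id'],ENT_QUOTES)` inside `onclick='... load_location(\"immunizations.php?mode=edit&id=...\")'` is not a JavaScript-context escape: the browser entity-decodes the attribute before the script runs, so a `"` encoded as `&quot;` reappears as a quote inside the JS string. The ids look like integer primary keys, which makes this harmless today, but the robust form is `(int)$row['id']` (or `json_encode()` followed by `htmlspecialchars()`), and the same applies to `$row['id']` in the treatment_protocols/injury_log links. The same anchor is opened as `echo "<a class='link'"; echo "' href=...`, which emits `class='link''` — the leading `'` on the second echo is a pre-existing stray quote worth dropping while touching the line. `generate_display_field()` output is concatenated unescaped; whether it escapes internally is not visible here.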
