Additional Sql-injection functions and techniques for escaping;

 1. Improved/clarified the functions in library/formdata.inc.php
 2. Added mechanism for whitelisting openemr sql table names.
 3. Added mechanism for whitelisting openemr sql column names.
 4. Incorporated it into the messages module
 5. Incorporated into dictation form
 6. Incorporated into work/school form/note

interface/forms/dictation/new.php

@@ -1,5 +1,9 @@
 <!-- Form generated from formsWiz -->
 <?php
+
+$fake_register_globals=false;
+$sanitize_all_escapes=true;
+
 include_once("../../globals.php");
 include_once("$srcdir/api.inc");
 formHeader("Form: dictation");
@@ -11,14 +15,14 @@
 </head>
 <body class="body_top">
 <form method=post action="<?php echo $rootdir;?>/forms/dictation/save.php?mode=new" name="my_form">
-<span class="title"><?php xl('Speech Dictation','e'); ?></span><br><br>
-<span class=text><?php xl('Dictation: ','e'); ?></span><br><textarea cols=80 rows=24 wrap=virtual name="dictation" ></textarea><br>
-<span class=text><?php xl('Additional Notes:','e'); ?> </span><br><textarea cols=80 rows=8 wrap=virtual name="additional_notes" ></textarea><br>
+<span class="title"><?php echo xlt('Speech Dictation'); ?></span><br><br>
+<span class=text><?php echo xlt('Dictation: '); ?></span><br><textarea cols=80 rows=24 wrap=virtual name="dictation" ></textarea><br>
+<span class=text><?php echo xlt('Additional Notes:'); ?> </span><br><textarea cols=80 rows=8 wrap=virtual name="additional_notes" ></textarea><br>
 <br>
-<a href="javascript:top.restoreSession();document.my_form.submit();" class="link_submit">[<?php xl('Save','e'); ?>]</a>
+<a href="javascript:top.restoreSession();document.my_form.submit();" class="link_submit">[<?php echo xlt('Save'); ?>]</a>
 <br>
 <a href="<?php echo "$rootdir/patient_file/encounter/$returnurl";?>" class="link"
- onclick="top.restoreSession()">[<?php xl('Don\'t Save','e'); ?>]</a>
+ onclick="top.restoreSession()">[<?php echo xlt('Don\'t Save'); ?>]</a>
 </form>
 <?php
 formFooter();

interface/forms/dictation/report.php

@@ -18,8 +18,8 @@ function dictation_report( $pid, $encounter, $cols, $id) {
         $value = "yes";
       }
       $key=ucwords(str_replace("_"," ",$key));
-      print "<td><span class=bold>" . xl($key) . ": </span><span class=text>" .
-        nl2br($value) . "</span></td>";
+      print "<td><span class=bold>" . xlt($key) . ": </span><span class=text>" .
+        nl2br(text($value)) . "</span></td>";
       $count++;
       if ($count == $cols) {
         $count = 0;

interface/forms/dictation/save.php

@@ -1,19 +1,19 @@
 <?php
 //------------Forms generated from formsWiz
+
+$fake_register_globals=false;
+$sanitize_all_escapes=true;
+
 include_once("../../globals.php");
 include_once("$srcdir/api.inc");
 include_once("$srcdir/forms.inc");
-foreach ($_POST as $k => $var) {
-$_POST[$k] = mysql_escape_string($var);
-echo "$var\n";
-}
 if ($encounter == "")
 $encounter = date("Ymd");
 if ($_GET["mode"] == "new"){
 $newid = formSubmit("form_dictation", $_POST, $_GET["id"], $userauthorized);
 addForm($encounter, "Speech Dictation", $newid, "dictation", $pid, $userauthorized);
 }elseif ($_GET["mode"] == "update") {
-sqlInsert("update form_dictation set pid = {$_SESSION["pid"]},groupname='".$_SESSION["authProvider"]."',user='".$_SESSION["authUser"]."',authorized=$userauthorized,activity=1, date = NOW(), dictation='".$_POST["dictation"]."', additional_notes='".$_POST["additional_notes"]."' where id=$id");
+sqlInsert("update form_dictation set pid = ?,groupname=?,user=?,authorized=?,activity=1, date = NOW(), dictation=?, additional_notes=? where id=?",array($_SESSION["pid"],$_SESSION["authProvider"],$_SESSION["authUser"],$userauthorized,$_POST["dictation"],$_POST["additional_notes"],$_GET["id"]));
 }
 $_SESSION["encounter"] = $encounter;
 formHeader("Redirecting....");

interface/forms/dictation/view.php

@@ -1,5 +1,9 @@
 <!-- Forms generated from formsWiz -->
 <?php
+
+$fake_register_globals=false;
+$sanitize_all_escapes=true;
+
 include_once("../../globals.php");
 $returnurl = $GLOBALS['concurrent_layout'] ? 'encounter_top.php' : 'patient_encounter.php';
 ?>
@@ -12,15 +16,15 @@
 include_once("$srcdir/api.inc");
 $obj = formFetch("form_dictation", $_GET["id"]);
 ?>
-<form method=post action="<?php echo $rootdir?>/forms/dictation/save.php?mode=update&id=<?php echo $_GET["id"];?>" name="my_form">
-<span class="title"><?php xl('Speech Dictation','e'); ?></span><Br><br>
-<span class=text><?php xl('Dictation: ','e'); ?></span><br><textarea cols=80 rows=24 wrap=virtual name="dictation" ><?php echo stripslashes($obj{"dictation"});?></textarea><br>
-<span class=text><?php xl('Additional Notes: ','e'); ?></span><br><textarea cols=80 rows=8 wrap=virtual name="additional_notes" ><?php echo stripslashes($obj{"additional_notes"});?></textarea><br>
+<form method=post action="<?php echo $rootdir?>/forms/dictation/save.php?mode=update&id=<?php echo attr($_GET["id"]);?>" name="my_form">
+<span class="title"><?php echo xlt('Speech Dictation'); ?></span><Br><br>
+<span class=text><?php echo xlt('Dictation: '); ?></span><br><textarea cols=80 rows=24 wrap=virtual name="dictation" ><?php echo text($obj{"dictation"});?></textarea><br>
+<span class=text><?php echo xlt('Additional Notes: '); ?></span><br><textarea cols=80 rows=8 wrap=virtual name="additional_notes" ><?php echo text($obj{"additional_notes"});?></textarea><br>
 <br>
-<a href="javascript:top.restoreSession();document.my_form.submit();" class="link_submit">[<?php xl('Save','e'); ?>]</a>
+<a href="javascript:top.restoreSession();document.my_form.submit();" class="link_submit">[<?php echo xlt('Save'); ?>]</a>
 <br>
 <a href="<?php echo "$rootdir/patient_file/encounter/$returnurl";?>" class="link"
- onclick="top.restoreSession()">[<?php xl('Don\'t Save Changes','e'); ?>]</a>
+ onclick="top.restoreSession()">[<?php echo xlt('Don\'t Save Changes'); ?>]</a>
 </form>
 <?php
 formFooter();

interface/forms/note/new.php

@@ -16,11 +16,15 @@
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA. -->
 
 <?php
+
+$fake_register_globals=false;
+$sanitize_all_escapes=true;
+
 include_once("../../globals.php");
 include_once("$srcdir/api.inc");
 formHeader("Form: note");
 $returnurl = $GLOBALS['concurrent_layout'] ? 'encounter_top.php' : 'patient_encounter.php';
-$provider_results = sqlQuery("select fname, lname from users where username='" . $_SESSION{"authUser"} . "'");
+$provider_results = sqlQuery("select fname, lname from users where username=?",array($_SESSION{"authUser"}));
 /* name of this form */
 $form_name = "note"; 
 ?>
@@ -51,19 +55,19 @@
 <?php echo date("F d, Y", time()); ?>
 
 <form method=post action="<?php echo $rootdir."/forms/".$form_name."/save.php?mode=new";?>" name="my_form" id="my_form">
-<span class="title"><?php xl('Work/School Note','e'); ?></span><br></br>
+<span class="title"><?php echo xlt('Work/School Note'); ?></span><br></br>
 
 <div style="margin: 10px;">
-<input type="button" class="save" value="    <?php xl('Save','e'); ?>    "> &nbsp; 
-<input type="button" class="dontsave" value="<?php xl('Don\'t Save','e'); ?>"> &nbsp; 
+<input type="button" class="save" value="    <?php echo xla('Save'); ?>    "> &nbsp; 
+<input type="button" class="dontsave" value="<?php echo xla('Don\'t Save'); ?>"> &nbsp; 
 </div>
 
 <select name="note_type">
-<option value="WORK NOTE"><?php xl('WORK NOTE','e'); ?></option>
-<option value="SCHOOL NOTE"><?php xl('SCHOOL NOTE','e'); ?></option>
+<option value="WORK NOTE"><?php echo xlt('WORK NOTE'); ?></option>
+<option value="SCHOOL NOTE"><?php echo xlt('SCHOOL NOTE'); ?></option>
 </select>
 <br>
-<b><?php xl('MESSAGE:','e'); ?></b>
+<b><?php echo xlt('MESSAGE:'); ?></b>
 <br>
 <textarea name="message" id="message" rows="7" cols="47"></textarea>
 <br>
@@ -77,31 +81,31 @@
 -->
 
 <br>
-<b><?php xl('Signature:','e'); ?></b>
+<b><?php echo xlt('Signature:'); ?></b>
 <br>
 
 <table>
 <tr><td>
-<?php xl('Doctor:','e'); ?>
-<input type="text" name="doctor" id="doctor" value="<?php echo $provider_results["fname"].' '.$provider_results["lname"]; ?>">
+<?php echo xlt('Doctor:'); ?>
+<input type="text" name="doctor" id="doctor" value="<?php echo attr($provider_results["fname"]).' '.attr($provider_results["lname"]); ?>">
 </td>
 
 <td>
-<span class="text"><?php xl('Date','e'); ?></span>
+<span class="text"><?php echo xlt('Date'); ?></span>
    <input type='text' size='10' name='date_of_signature' id='date_of_signature'
     value='<?php echo date('Y-m-d', time()); ?>'
-    title='<?php xl('yyyy-mm-dd','e'); ?>'
+    title='<?php echo xla('yyyy-mm-dd'); ?>'
     onkeyup='datekeyup(this,mypcc)' onblur='dateblur(this,mypcc)' />
    <img src='../../pic/show_calendar.gif' align='absbottom' width='24' height='22'
     id='img_date_of_signature' border='0' alt='[?]' style='cursor:pointer;cursor:hand'
-    title='<?php xl('Click here to choose a date','e'); ?>'>
+    title='<?php echo xla('Click here to choose a date'); ?>'>
 </td>
 </tr>
 </table>
 
 <div style="margin: 10px;">
-<input type="button" class="save" value="    <?php xl('Save','e'); ?>    "> &nbsp; 
-<input type="button" class="dontsave" value="<?php xl('Don\'t Save','e'); ?>"> &nbsp; 
+<input type="button" class="save" value="    <?php echo xla('Save'); ?>    "> &nbsp; 
+<input type="button" class="dontsave" value="<?php echo xla('Don\'t Save'); ?>"> &nbsp; 
 </div>
 
 </form>

interface/forms/note/print.php

@@ -1,9 +1,13 @@
 <?php
+
+$fake_register_globals=false;
+$sanitize_all_escapes=true;
+
 include_once("../../globals.php");
 include_once("$srcdir/api.inc");
 formHeader("Form: note");
 $returnurl = $GLOBALS['concurrent_layout'] ? 'encounter_top.php' : 'patient_encounter.php';
-$provider_results = sqlQuery("select fname, lname from users where username='" . $_SESSION{"authUser"} . "'");
+$provider_results = sqlQuery("select fname, lname from users where username=?",array($_SESSION{"authUser"}));
 
 /* name of this form */
 $form_name = "note"; 
@@ -27,26 +31,26 @@
 <body class="body_top">
 
 <form method=post action="">
-<span class="title"><?php xl('Work/School Note','e'); ?></span><br></br>
-<?php xl('Printed','e'); ?> <?php echo dateformat(); ?>
+<span class="title"><?php echo xlt('Work/School Note'); ?></span><br></br>
+<?php echo xlt('Printed'); ?> <?php echo dateformat(); ?>
 <br><br>
 <select name="note_type">
-<option value="WORK NOTE" <?php if ($obj['note_type']=="WORK NOTE") echo " SELECTED"; ?>><?php xl('WORK NOTE','e'); ?></option>
-<option value="SCHOOL NOTE" <?php if ($obj['note_type']=="SCHOOL NOTE") echo " SELECTED"; ?>><?php xl('SCHOOL NOTE','e'); ?></option>
+<option value="WORK NOTE" <?php if ($obj['note_type']=="WORK NOTE") echo " SELECTED"; ?>><?php echo xlt('WORK NOTE'); ?></option>
+<option value="SCHOOL NOTE" <?php if ($obj['note_type']=="SCHOOL NOTE") echo " SELECTED"; ?>><?php echo xlt('SCHOOL NOTE'); ?></option>
 </select>
 <br>
-<b><?php xl('MESSAGE:','e'); ?></b>
+<b><?php echo xlt('MESSAGE:'); ?></b>
 <br>
-<div style="border: 1px solid black; padding: 5px; margin: 5px;"><?php echo stripslashes($obj["message"]);?></div>
+<div style="border: 1px solid black; padding: 5px; margin: 5px;"><?php echo text($obj["message"]);?></div>
 <br></br>
 
 <table>
 <tr><td>
-<span class=text><?php xl('Doctor:','e'); ?> </span><input type=text name="doctor" value="<?php echo stripslashes($obj["doctor"]);?>">
+<span class=text><?php echo xlt('Doctor:'); ?> </span><input type=text name="doctor" value="<?php echo attr($obj["doctor"]);?>">
 </td><td>
-<span class="text"><?php xl('Date','e'); ?></span>
+<span class="text"><?php echo xlt('Date'); ?></span>
    <input type='text' size='10' name='date_of_signature' id='date_of_signature'
-    value='<?php echo $obj['date_of_signature']; ?>'
+    value='<?php echo attr($obj['date_of_signature']); ?>'
     />
 </td></tr>
 </table>

interface/forms/note/report.php

@@ -43,10 +43,10 @@ function note_report( $pid, $encounter, $cols, $id) {
             print("<tr>\n");  
             print("<tr>\n");
 	    if ($key == "Note Type") {
-                print "<td><span class=bold>" . xl($key) . ": </span><span class=text>" . xl($value) . "</span></td>";
+                print "<td><span class=bold>" . xlt($key) . ": </span><span class=text>" . xlt($value) . "</span></td>";
 	    }
 	    else {
-	        print "<td><span class=bold>" . xl($key) . ": </span><span class=text>$value</span></td>";	
+	        print "<td><span class=bold>" . xlt($key) . ": </span><span class=text>" . text($value) . "</span></td>";	
 	    }
             $count++;
             if ($count == $cols) {

interface/forms/note/save.php

@@ -16,6 +16,10 @@
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA. -->
 
 <?php
+
+$fake_register_globals=false;
+$sanitize_all_escapes=true;
+
 include_once("../../globals.php");
 include_once("$srcdir/api.inc");
 include_once("$srcdir/forms.inc");

interface/forms/note/view.php

@@ -16,11 +16,15 @@
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA. -->
 
 <?php
+
+$fake_register_globals=false;
+$sanitize_all_escapes=true;
+
 include_once("../../globals.php");
 include_once("$srcdir/api.inc");
 formHeader("Form: note");
 $returnurl = $GLOBALS['concurrent_layout'] ? 'encounter_top.php' : 'patient_encounter.php';
-$provider_results = sqlQuery("select fname, lname from users where username='" . $_SESSION{"authUser"} . "'");
+$provider_results = sqlQuery("select fname, lname from users where username=?",array($_SESSION{"authUser"}));
 
 /* name of this form */
 $form_name = "note"; 
@@ -52,52 +56,52 @@
 var mypcc = '<?php echo $GLOBALS['phone_country_code'] ?>';
 
 function PrintForm() {
-    newwin = window.open("<?php echo $rootdir."/forms/".$form_name."/print.php?id=".$_GET["id"]; ?>","mywin");
+    newwin = window.open("<?php echo $rootdir."/forms/".$form_name."/print.php?id=".attr($_GET["id"]); ?>","mywin");
 }
 
 </script>
 
 </head>
 <body class="body_top">
 
-<form method=post action="<?php echo $rootdir."/forms/".$form_name."/save.php?mode=update&id=".$_GET["id"];?>" name="my_form" id="my_form">
-<span class="title"><?php xl('Work/School Note','e'); ?></span><br></br>
+<form method=post action="<?php echo $rootdir."/forms/".$form_name."/save.php?mode=update&id=".attr($_GET["id"]);?>" name="my_form" id="my_form">
+<span class="title"><?php echo xlt('Work/School Note'); ?></span><br></br>
 
 <div style="margin: 10px;">
-<input type="button" class="save" value="    <?php xl('Save','e'); ?>    "> &nbsp; 
-<input type="button" class="dontsave" value="<?php xl('Don\'t Save','e'); ?>"> &nbsp; 
-<input type="button" class="printform" value="<?php xl('Print','e'); ?>"> &nbsp; 
+<input type="button" class="save" value="    <?php echo xla('Save'); ?>    "> &nbsp; 
+<input type="button" class="dontsave" value="<?php echo xla('Don\'t Save'); ?>"> &nbsp; 
+<input type="button" class="printform" value="<?php echo xla('Print'); ?>"> &nbsp; 
 </div>
 
 <select name="note_type">
-<option value="WORK NOTE" <?php if ($obj['note_type']=="WORK NOTE") echo " SELECTED"; ?>><?php xl('WORK NOTE','e'); ?></option>
-<option value="SCHOOL NOTE" <?php if ($obj['note_type']=="SCHOOL NOTE") echo " SELECTED"; ?>><?php xl('SCHOOL NOTE','e'); ?></option>
+<option value="WORK NOTE" <?php if ($obj['note_type']=="WORK NOTE") echo " SELECTED"; ?>><?php echo xlt('WORK NOTE'); ?></option>
+<option value="SCHOOL NOTE" <?php if ($obj['note_type']=="SCHOOL NOTE") echo " SELECTED"; ?>><?php echo xlt('SCHOOL NOTE'); ?></option>
 </select>
 <br>
-<b><?php xl('MESSAGE:','e'); ?></b>
+<b><?php echo xlt('MESSAGE:'); ?></b>
 <br>
-<textarea name="message" id="message" cols ="67" rows="4"><?php echo stripslashes($obj["message"]);?></textarea>
+<textarea name="message" id="message" cols ="67" rows="4"><?php echo text($obj["message"]);?></textarea>
 <br> <br>
 
 <table>
 <tr><td>
-<span class=text><?php xl('Doctor:','e'); ?> </span><input type=entry name="doctor" value="<?php echo stripslashes($obj["doctor"]);?>">
+<span class=text><?php echo xlt('Doctor:'); ?> </span><input type=entry name="doctor" value="<?php echo attr($obj["doctor"]);?>">
 </td><td>
-<span class="text"><?php xl('Date','e'); ?></span>
+<span class="text"><?php echo xlt('Date'); ?></span>
    <input type='text' size='10' name='date_of_signature' id='date_of_signature'
-    value='<?php echo $obj['date_of_signature']; ?>'
-    title='<?php xl('yyyy-mm-dd','e'); ?>'
+    value='<?php echo attr($obj['date_of_signature']); ?>'
+    title='<?php echo xla('yyyy-mm-dd'); ?>'
     onkeyup='datekeyup(this,mypcc)' onblur='dateblur(this,mypcc)' />
    <img src='../../pic/show_calendar.gif' align='absbottom' width='24' height='22'
     id='img_date_of_signature' border='0' alt='[?]' style='cursor:pointer;cursor:hand'
-    title='<?php xl('Click here to choose a date','e'); ?>'>
+    title='<?php echo xla('Click here to choose a date'); ?>'>
 </td></tr>
 </table>
 
 <div style="margin: 10px;">
-<input type="button" class="save" value="    <?php xl('Save','e'); ?>    "> &nbsp; 
-<input type="button" class="dontsave" value="<?php xl('Don\'t Save','e'); ?>"> &nbsp; 
-<input type="button" class="printform" value="<?php xl('Print','e'); ?>"> &nbsp; 
+<input type="button" class="save" value="    <?php echo xla('Save'); ?>    "> &nbsp; 
+<input type="button" class="dontsave" value="<?php echo xla('Don\'t Save'); ?>"> &nbsp; 
+<input type="button" class="printform" value="<?php echo xla('Print'); ?>"> &nbsp; 
 </div>
 
 </form>