Clean up and secure authorizations module and related scripts-functio…
…ns (remove fake globals, run global undomagicquotes, integrate binding into sql queries to prevent sql-injection and integrate htmlspecialchars to prevent xss attacks)
bradymiller committed Jun 24, 2010
1 parent c0bfa8a commit e08e332
Showing 3 changed files with 93 additions and 79 deletions.
93 changes: 46 additions & 47 deletions interface/main/authorizations/authorizations.php
@@ -1,4 +1,13 @@
<?php

//SANITIZE ALL ESCAPES
$sanitize_all_escapes=true;
//

//STOP FAKE REGISTER GLOBALS
$fake_register_globals=false;
//

include_once("../../globals.php");
include_once("$srcdir/log.inc");
include_once("$srcdir/billing.inc");
Expand All @@ -14,8 +23,7 @@
// increase to a high number to make the mini frame more useful.
$N = 50;

$atemp = sqlQuery("SELECT see_auth FROM users WHERE username = '" .
$_SESSION['authUser'] . "'");
$atemp = sqlQuery("SELECT see_auth FROM users WHERE username = ?", array($_SESSION['authUser']) );
$see_auth = $atemp['see_auth'];

$imauthorized = $_SESSION['userauthorized'] || $see_auth > 2;
Expand All @@ -24,13 +32,10 @@
if (isset($_GET["mode"]) && $_GET["mode"] == "authorize" && $imauthorized) {
$retVal = getProviderId($_SESSION['authUser']);
newEvent("authorize", $_SESSION["authUser"], $_SESSION["authProvider"], 1, $_GET["pid"]);
// sqlStatement("update billing set authorized=1, provider_id = '" .
// mysql_real_escape_string($retVal[0]['id']) .
// "' where pid='" . $_GET["pid"] . "'");
sqlStatement("update billing set authorized=1 where pid='" . $_GET["pid"] . "'");
sqlStatement("update forms set authorized=1 where pid='" . $_GET["pid"] . "'");
sqlStatement("update pnotes set authorized=1 where pid='" . $_GET["pid"] . "'");
sqlStatement("update transactions set authorized=1 where pid='" . $_GET["pid"] . "'");
sqlStatement("update billing set authorized=1 where pid=?", array($_GET["pid"]) );
sqlStatement("update forms set authorized=1 where pid=?", array($_GET["pid"]) );
sqlStatement("update pnotes set authorized=1 where pid=?", array($_GET["pid"]) );
sqlStatement("update transactions set authorized=1 where pid=?", array($_GET["pid"]) );
}
?>
<html>
Expand Down Expand Up @@ -73,15 +78,15 @@
<?php } else { ?>
<a href='authorizations_full.php' target='Main'>
<?php } ?>
<?php xl('Authorizations','e')?> <span class='more'><?php echo $tmore;?></span></a>
<?php echo htmlspecialchars(xl('Authorizations'),ENT_NOQUOTES); ?> <span class='more'><?php echo htmlspecialchars($tmore,ENT_NOQUOTES); ?></span></a>
<?php
}
?>
</span>

<?php if (!$GLOBALS['concurrent_layout']) { ?>
<span class='more'> &nbsp;
<a href="#" id="findpatients" name='Find Patients'>(<?php xl('Find Patient','e')?>)</a>
<a href="#" id="findpatients" name='Find Patients'>(<?php echo htmlspecialchars(xl('Find Patient'),ENT_NOQUOTES); ?>)</a>
</span>
<?php } ?>

Expand All @@ -98,70 +103,65 @@
if ($res = sqlStatement("select *, concat(u.fname,' ', u.lname) as user " .
"from billing LEFT JOIN users as u on billing.user = u.id where " .
"billing.authorized = 0 and billing.activity = 1 and " .
"groupname = '$groupname'"))
"groupname = ?", array($groupname) ))
{
for ($iter = 0;$row = sqlFetchArray($res);$iter++)
$result1[$iter] = $row;
if ($result1) {
foreach ($result1 as $iter) {
$authorize{$iter{"pid"}}{"billing"} .= "<span class=text>" .
$iter{"code_text"} . " " . date("n/j/Y",strtotime($iter{"date"})) .
htmlspecialchars($iter{"code_text"} . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
"</span><br>\n";
}
//$authorize[$iter{"pid"}]{"billing"} = substr($authorize[$iter{"pid"}]{"billing"},0,strlen($authorize[$iter{"pid"}]{"billing"}));
}
}

//fetch transaction information:
if ($res = sqlStatement("select * from transactions where " .
"authorized = 0 and groupname = '$groupname'"))
"authorized = 0 and groupname = ?", array($groupname) ))
{
for ($iter = 0;$row = sqlFetchArray($res);$iter++)
$result2[$iter] = $row;
if ($result2) {
foreach ($result2 as $iter) {
$authorize{$iter{"pid"}}{"transaction"} .= "<span class=text>" .
$iter{"title"} . ": " . stripslashes(strterm($iter{"body"},25)) .
" " . date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
htmlspecialchars($iter{"title"} . ": " . (strterm($iter{"body"},25)) . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
"</span><br>\n";
}
//$authorize[$iter{"pid"}]{"transaction"} = substr($authorize[$iter{"pid"}]{"transaction"},0,strlen($authorize[$iter{"pid"}]{"transaction"}));
}
}

if (empty($GLOBALS['ignore_pnotes_authorization'])) {
//fetch pnotes information:
if ($res = sqlStatement("select * from pnotes where authorized = 0 and " .
"groupname = '$groupname'"))
"groupname = ?", array($groupname) ))
{
for ($iter = 0;$row = sqlFetchArray($res);$iter++)
$result3[$iter] = $row;
if ($result3) {
foreach ($result3 as $iter) {
$authorize{$iter{"pid"}}{"pnotes"} .= "<span class=text>" .
stripslashes(strterm($iter{"body"},25)) . " " .
date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
htmlspecialchars((strterm($iter{"body"},25)) . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
"</span><br>\n";
}
// $authorize[$iter{"pid"}]{"pnotes"} = substr($authorize[$iter{"pid"}]{"pnotes"},0,strlen($authorize[$iter{"pid"}]{"pnotes"}));
}
}
}

//fetch forms information:
if ($res = sqlStatement("select * from forms where authorized = 0 and " .
"groupname = '$groupname'"))
"groupname = ?", array($groupname) ))
{
for ($iter = 0;$row = sqlFetchArray($res);$iter++)
$result4[$iter] = $row;
if ($result4) {
foreach ($result4 as $iter) {
$authorize{$iter{"pid"}}{"forms"} .= "<span class=text>" .
$iter{"form_name"} . " " . date("n/j/Y",strtotime($iter{"date"})) .
htmlspecialchars($iter{"form_name"} . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
"</span><br>\n";
}
// $authorize[$iter{"pid"}]{"forms"} = substr($authorize[$iter{"pid"}]{"forms"},0,strlen($authorize[$iter{"pid"}]{"forms"}));
}
}
// echo "HERE"; // what the heck was this for?
?>

<table border='0' cellpadding='0' cellspacing='2' width='100%'>
Expand All @@ -183,7 +183,7 @@
print "<tr><td colspan='5' align='center'><a" .
($GLOBALS['concurrent_layout'] ? "" : " target='Main'") .
" href='authorizations_full.php?active=1' class='alert'>" .
xl('Some authorizations were not displayed. Click here to view all') .
htmlspecialchars(xl('Some authorizations were not displayed. Click here to view all'),ENT_NOQUOTES) .
"</a></td></tr>\n";
break;
}
Expand All @@ -193,42 +193,41 @@
// Clicking the patient name will load both frames for that patient,
// as demographics.php takes care of loading the bottom frame.

echo "<a href='$rootdir/patient_file/summary/demographics.php?set_pid=$ppid' " .
"target='RTop'>";
echo "<a href='$rootdir/patient_file/summary/demographics.php?set_pid=" .
htmlspecialchars($ppid,ENT_QUOTES) . "' target='RTop'>";

} else {
echo "<a href='$rootdir/patient_file/patient_file.php?set_pid=$ppid' " .
"target='_top'>";
echo "<a href='$rootdir/patient_file/patient_file.php?set_pid=" .
htmlspecialchars($ppid,ENT_QUOTES) . "' target='_top'>";
}
echo "<span class='bold'>" . $name{"fname"} . " " .
$name{"lname"} . "</span></a><br>" .
echo "<span class='bold'>" . htmlspecialchars($name{"fname"},ENT_NOQUOTES) . " " .
htmlspecialchars($name{"lname"},ENT_NOQUOTES) . "</span></a><br>" .
"<a class=link_submit href='authorizations.php?mode=authorize" .
"&pid=$ppid'>" . xl('Authorize') . "</a></td>\n";
"&pid=" . htmlspecialchars($ppid,ENT_QUOTES) . "'>" .
htmlspecialchars(xl('Authorize'),ENT_NOQUOTES) . "</a></td>\n";

/****
//Michael A Rowley MD 20041012.
// added below 4 lines to add provider to authorizations for ez reference.
$providerID = sqlFetchArray(sqlStatement(
"select providerID from patient_data where pid=$ppid"));
"select providerID from patient_data where pid=?", array($ppid) ));
$userID=$providerID{"providerID"};
$providerName = sqlFetchArray(sqlStatement(
"select lname from users where id=$userID"));
"select lname from users where id=?", array($userID) ));
****/
// Don't use sqlQuery because there might be no match.
$providerName = sqlFetchArray(sqlStatement(
"select lname from users where id = '" . $name['providerID'] . "'"));
/****/

echo "<td valign=top><span class=bold>".xl('Provider').":</span><span class=text><br>" .
$providerName{"lname"} . "</td>\n";
// ha ha, see if that works....mar.
echo "<td valign=top><span class=bold>".xl('Billing').":</span><span class=text><br>" .
"select lname from users where id = ?", array($name['providerID']) ));

echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Provider'),ENT_NOQUOTES).":</span><span class=text><br>" .
htmlspecialchars($providerName{"lname"},ENT_NOQUOTES) . "</td>\n";
echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Billing'),ENT_NOQUOTES).":</span><span class=text><br>" .
$patient{"billing"} . "</td>\n";
echo "<td valign=top><span class=bold>".xl('Transactions').":</span><span class=text><br>" .
echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Transactions'),ENT_NOQUOTES).":</span><span class=text><br>" .
$patient{"transaction"} . "</td>\n";
echo "<td valign=top><span class=bold>".xl('Patient Notes').":</span><span class=text><br>" .
echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Patient Notes'),ENT_NOQUOTES).":</span><span class=text><br>" .
$patient{"pnotes"} . "</td>\n";
echo "<td valign=top><span class=bold>".xl('Encounter Forms').":</span><span class=text><br>" .
echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Encounter Forms'),ENT_NOQUOTES).":</span><span class=text><br>" .
$patient{"forms"} . "</td>\n";
echo "</tr>\n";

Expand Down Expand Up @@ -288,7 +287,7 @@
<?php endif; ?>
<?php else: ?>
// no-op
alert("<?php xl('You do not have access to view/edit this note','e'); ?>");
alert("<?php echo htmlspecialchars(xl('You do not have access to view/edit this note'),ENT_QUOTES); ?>");
<?php endif; ?>
}

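Review bot: The mode=authorize block in the @@ -24,13 +32,10 @@ hunk still performs a state change on a plain GET request with no anti-CSRF token and no check that `pid` is numeric, so the new parameter binding closes the SQL-injection hole but leaves the action exposed to cross-site request forgery and lets an arbitrary string reach newEvent() and the four updates. I would read the id once as `$pid = isset($_GET["pid"]) ? (int) $_GET["pid"] : 0;`, pass `$pid` to newEvent() and to the four `update ... set authorized=1` statements, and require a per-session token (or a POST) before running them. `$retVal = getProviderId($_SESSION['authUser']);` is now assigned but never used, since the commented-out provider_id update it fed was dropped. The same GET/pid pattern appears in the authorize block of authorizations_full.php. Separately, the `htmlspecialchars(...,ENT_QUOTES)` added inside the JavaScript alert() near the end of the file applies HTML encoding in a JS string context, where entities are displayed literally; a JS-string escape (for example json_encode() of the translated text) fits that context.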
75 changes: 45 additions & 30 deletions interface/main/authorizations/authorizations_full.php
@@ -1,13 +1,22 @@
<?php

//SANITIZE ALL ESCAPES
$sanitize_all_escapes=true;
//

//STOP FAKE REGISTER GLOBALS
$fake_register_globals=false;
//

include_once("../../globals.php");
include_once("$srcdir/patient.inc");

if (isset($_GET["mode"]) && $_GET["mode"] == "authorize") {
newEvent("authorize",$_SESSION["authUser"],$_SESSION["authProvider"],1,$_GET["pid"]);
sqlStatement("update billing set authorized=1 where pid='".$_GET["pid"]."'");
sqlStatement("update forms set authorized=1 where pid='".$_GET["pid"]."'");
sqlStatement("update pnotes set authorized=1 where pid='".$_GET["pid"]."'");
sqlStatement("update transactions set authorized=1 where pid='".$_GET["pid"]."'");
sqlStatement("update billing set authorized=1 where pid=?", array($_GET["pid"]) );
sqlStatement("update forms set authorized=1 where pid=?", array($_GET["pid"]) );
sqlStatement("update pnotes set authorized=1 where pid=?", array($_GET["pid"]) );
sqlStatement("update transactions set authorized=1 where pid=?", array($_GET["pid"]) );

}
?>
Expand All @@ -23,8 +32,8 @@
<?php } else { ?>
<a href="../main.php" target=Main>
<?php } ?>
<font class=title><?php xl('Authorizations','e'); ?></font>
<font class=more><?php echo $tback;?></font></a>
<font class=title><?php echo htmlspecialchars(xl('Authorizations'),ENT_NOQUOTES); ?></font>
<font class=more><?php echo htmlspecialchars($tback,ENT_NOQUOTES); ?></font></a>

<?php
// billing
Expand All @@ -33,68 +42,71 @@
// transactions

//fetch billing information:
if ($res = sqlStatement("select *, concat(u.fname,' ', u.lname) as user from billing LEFT JOIN users as u on billing.user = u.id where billing.authorized=0 and groupname='$groupname'")) {
if ($res = sqlStatement("select *, concat(u.fname,' ', u.lname) as user from billing LEFT JOIN users as u on billing.user = u.id where billing.authorized=0 and groupname=?", array ($groupname) )) {
for ($iter = 0;$row = sqlFetchArray($res);$iter++)
$result[$iter] = $row;

if ($result) {
foreach ($result as $iter) {

$authorize{$iter{"pid"}}{"billing"} .= "<span class=small>" . $iter{"user"} . ": </span><span class=text>" . $iter{"code_text"} . " " . date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
$authorize{$iter{"pid"}}{"billing"} .= "<span class=small>" .
htmlspecialchars($iter{"user"},ENT_NOQUOTES) . ": </span><span class=text>" .
htmlspecialchars($iter{"code_text"} . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
"</span><br>\n";

}

//$authorize[$iter{"pid"}]{"billing"} = substr($authorize[$iter{"pid"}]{"billing"},0,strlen($authorize[$iter{"pid"}]{"billing"}));

}
}

//fetch transaction information:
if ($res = sqlStatement("select * from transactions where authorized=0 and groupname='$groupname'")) {
if ($res = sqlStatement("select * from transactions where authorized=0 and groupname=?", array($groupname) )) {
for ($iter = 0;$row = sqlFetchArray($res);$iter++)
$result2[$iter] = $row;

if ($result2) {
foreach ($result2 as $iter) {

$authorize{$iter{"pid"}}{"transaction"} .= "<span class=small>" . $iter{"user"} . ": </span><span class=text>" . $iter{"title"} . ": " . strterm($iter{"body"},25) . " " . date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
$authorize{$iter{"pid"}}{"transaction"} .= "<span class=small>" .
htmlspecialchars($iter{"user"},ENT_NOQUOTES) . ": </span><span class=text>" .
htmlspecialchars($iter{"title"} . ": " . strterm($iter{"body"},25) . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
"</span><br>\n";

}

//$authorize[$iter{"pid"}]{"transaction"} = substr($authorize[$iter{"pid"}]{"transaction"},0,strlen($authorize[$iter{"pid"}]{"transaction"}));

}
}

if (empty($GLOBALS['ignore_pnotes_authorization'])) {
//fetch pnotes information, exclude ALL deleted notes
if ($res = sqlStatement("select * from pnotes where authorized=0 and deleted!=1 and groupname='$groupname'")) {
if ($res = sqlStatement("select * from pnotes where authorized=0 and deleted!=1 and groupname=?", array($groupname) )) {
for ($iter = 0;$row = sqlFetchArray($res);$iter++) $result3[$iter] = $row;
if ($result3) {
foreach ($result3 as $iter) {
$authorize{$iter{"pid"}}{"pnotes"} .= "<span class=small>" .
$iter{"user"} . ": </span><span class=text>" .
strterm($iter{"body"},25) . " " .
date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
htmlspecialchars($iter{"user"},ENT_NOQUOTES) . ": </span><span class=text>" .
htmlspecialchars(strterm($iter{"body"},25) . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
"</span><br>\n";
}
}
}
}

//fetch forms information:
if ($res = sqlStatement("select * from forms where authorized=0 and groupname='$groupname'")) {
if ($res = sqlStatement("select * from forms where authorized=0 and groupname=?", array($groupname) )) {
for ($iter = 0;$row = sqlFetchArray($res);$iter++)
$result4[$iter] = $row;

if ($result4) {
foreach ($result4 as $iter) {

$authorize{$iter{"pid"}}{"forms"} .= "<span class=small>" . $iter{"user"} . ": </span><span class=text>" . $iter{"form_name"} . " " . date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
$authorize{$iter{"pid"}}{"forms"} .= "<span class=small>" .
htmlspecialchars($iter{"user"},ENT_NOQUOTES) . ": </span><span class=text>" .
htmlspecialchars($iter{"form_name"} . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
"</span><br>\n";

}

//$authorize[$iter{"pid"}]{"forms"} = substr($authorize[$iter{"pid"}]{"forms"},0,strlen($authorize[$iter{"pid"}]{"forms"}));

}
}
?>
Expand All @@ -110,14 +122,17 @@

$name = getPatientData($ppid);

echo "<tr><td valign=top><span class=bold>". $name{"fname"} . " " . $name{"lname"} ."</span><br><a class=link_submit href='authorizations_full.php?mode=authorize&pid=$ppid'>".xl('Authorize')."</a></td>\n";
echo "<td valign=top><span class=bold>".xl('Billing').":</span><span class=text><br>" . $patient{"billing"} . "</td>\n";

echo "<td valign=top><span class=bold>".xl('Transactions').":</span><span class=text><br>" . $patient{"transaction"} . "</td>\n";

echo "<td valign=top><span class=bold>".xl('Patient Notes').":</span><span class=text><br>" . $patient{"pnotes"} . "</td>\n";

echo "<td valign=top><span class=bold>".xl('Encounter Forms').":</span><span class=text><br>" . $patient{"forms"} . "</td>\n";
echo "<tr><td valign=top><span class=bold>". htmlspecialchars($name{"fname"} . " " . $name{"lname"},ENT_NOQUOTES) .
"</span><br><a class=link_submit href='authorizations_full.php?mode=authorize&pid=" .
htmlspecialchars($ppid,ENT_QUOTES) . "'>" . htmlspecialchars(xl('Authorize'),ENT_NOQUOTES) . "</a></td>\n";
echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Billing'),ENT_NOQUOTES).
":</span><span class=text><br>" . $patient{"billing"} . "</td>\n";
echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Transactions'),ENT_NOQUOTES).
":</span><span class=text><br>" . $patient{"transaction"} . "</td>\n";
echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Patient Notes'),ENT_NOQUOTES).
":</span><span class=text><br>" . $patient{"pnotes"} . "</td>\n";
echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Encounter Forms'),ENT_NOQUOTES).
":</span><span class=text><br>" . $patient{"forms"} . "</td>\n";
echo "</tr>\n";
$count++;
}
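Review bot: The mode=authorize block in the @@ -1,13 +1,22 @@ hunk runs the four `update ... set authorized=1` statements with no authorization check, whereas authorizations.php guards the same action with `$imauthorized` (built from `$_SESSION['userauthorized']` and the user's see_auth column); because this hunk starts at file line 1, nothing earlier in the file supplies such a guard, so unless globals.php enforces it any logged-in user who requests this page with mode=authorize can mark a patient's billing, forms, pnotes and transactions as authorized. I would add the same test before the updates: `$atemp = sqlQuery("SELECT see_auth FROM users WHERE username = ?", array($_SESSION['authUser']));` followed by `if (isset($_GET["mode"]) && $_GET["mode"] == "authorize" && ($_SESSION['userauthorized'] || $atemp['see_auth'] > 2)) {`. As in authorizations.php, `$_GET["pid"]` should be cast to int before it is logged via newEvent() and bound, and the action remains a state change on GET without a CSRF token.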
4 changes: 2 additions & 2 deletions library/patient.inc
Expand Up @@ -266,8 +266,8 @@ function getProviderName($providerID) {
}

function getProviderId($providerName) {
$query = "select id from users where username = '". mysql_real_escape_string($providerName)."'";
$rez = sqlStatement($query);
$query = "select id from users where username = ?";
$rez = sqlStatement($query, array($providerName) );
for($iter=0; $row=sqlFetchArray($rez); $iter++)
$returnval[$iter]=$row;
return $returnval;
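Review bot: getProviderId() still leaves `$returnval` unassigned when the bound query matches no row, so the function returns null instead of an array and any caller that indexes the result gets a notice rather than an empty list; initialise it with `$returnval = array();` before the for loop. The function's closing brace lies outside the hunk. A short docblock stating that the return is a list of `users` rows matching the username, empty when none match, would make that contract visible to callers.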
