Clean up and secure the transaction module and related functions-scri…

…pts (remove fake globals, run global undomagicquotes, integrate binding into sql queries to prevent sql-injection and integrate htmlspecialchars to prevent xss attacks). Also migrated transactions title list into the list_options. Also fixed a referral bug to allow printing of referral forms. Also fixed html code bug in referral form. Also improved history_title.php script.
openemr · Jul 4, 2010 · f56f469 · f56f469
1 parent 97fbe00
commit f56f469
Show file tree

Hide file tree

Showing 13 changed files with 252 additions and 124 deletions.
diff --git a/custom/referral_template.html b/custom/referral_template.html
@@ -87,7 +87,7 @@
      </tr>
      <tr>
       <td nowrap>{label_date}</td>
-      <td nowrap>{ref_refer_date}</td>
+      <td nowrap>{ref_refer_date}&nbsp;</td>
      </tr>
     </table>
    </td>
@@ -175,7 +175,7 @@
      </tr>
      <tr>
       <td nowrap>{label_date}</td>
-      <td nowrap>{ref_refer_date}</td>
+      <td nowrap>{ref_refer_date}&nbsp;</td>
      </tr>
     </table>
    </td>

diff --git a/interface/patient_file/history/history_title.php b/interface/patient_file/history/history_title.php
@@ -1,4 +1,13 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 include_once("../../globals.php");
 include_once("$srcdir/patient.inc");
 require_once("$srcdir/classes/Pharmacy.class.php");
@@ -15,29 +24,34 @@
 
 <?php
  $result = getPatientData($pid, "fname,lname,pid,pubpid,phone_home,pharmacy_id,DOB,DATE_FORMAT(DOB,'%Y%m%d') as DOB_YMD");
- $provider_results = sqlQuery("select * from users where username='".$_SESSION{"authUser"}."'");
+ $provider_results = sqlQuery("select * from users where username=?", array($_SESSION{"authUser"}) );
  $age = getPatientAge($result["DOB_YMD"]);
 
  $info = 'ID: ' . $result['pubpid'];
- if ($result['DOB']) $info .= ', DOB: ' . $result['DOB'] . ', Age: ' . $age;
- if ($result['phone_home']) $info .= ', Home: ' . $result['phone_home'];
+ if ($result['DOB']) $info .= ', ' . xl('DOB') . ': ' . $result['DOB'] . ', ' . xl('Age') . ': ' . $age;
+ if ($result['phone_home']) $info .= ', ' . xl('Home') . ': ' . $result['phone_home'];
 
  if ($result['pharmacy_id']) {
   $pharmacy = new Pharmacy($result['pharmacy_id']);
-  if ($pharmacy->get_phone()) $info .= ', Pharm: ' . $pharmacy->get_phone();
+  if ($pharmacy->get_phone()) $info .= ', ' . xl('Pharm') . ': ' . $pharmacy->get_phone();
  }
+
+ //escape variables for output (to prevent xss attacks)
+ $patient_esc = htmlspecialchars( $result{"fname"} . " " . $result{"lname"}, ENT_NOQUOTES);
+ $info_esc = htmlspecialchars( $info, ENT_NOQUOTES);
+ $provider_esc = htmlspecialchars( $provider_results{"fname"}.' '.$provider_results{"lname"}, ENT_NOQUOTES);
 ?>
 
 <table border="0" cellpadding="0" cellspacing="0" width="100%" height="100%">
  <tr>
   <td style="width:45%; vertical-align:middle; white-space: nowrap">
-   <span class="title_bar_top"><?php echo $result{"fname"} . " " . $result{"lname"};?></span>
-   <span style="font-size:0.7em;">(<?php echo $info ?>)</span>
+   <span class="title_bar_top"><?php echo $patient_esc; ?></span>
+   <span style="font-size:0.7em;">(<?php echo $info_esc; ?>)</span>
   </td>
-  <td style="width:35%; text-align: center; vertical-align:middle; white-space: nowrap">
-   <span class="title_bar_top"><?php xl('Logged in as','e'); ?>: <?php echo $provider_results{"fname"}.' '.$provider_results{"lname"};?></span>
+  <td style="width:35%; vertical-align:middle; white-space: nowrap; text-align:center">
+   <span class="title_bar_top"><?php htmlspecialchars( xl('Logged in as','e'), ENT_NOQUOTES); ?>: <?php echo $provider_esc; ?></span>
   </td>
-  <td style="width:20%; text-align: right; vertical-align:middle; white-space: nowrap">
+  <td style="width:20%; vertical-align:middle; white-space: nowrap; text-align:right">
    &nbsp;
   </td>
  </tr>

diff --git a/interface/patient_file/transaction/add_transaction.php b/interface/patient_file/transaction/add_transaction.php
@@ -2,6 +2,14 @@
 // add_transaction is a misnomer, as this script will now also edit
 // existing transactions.
 
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 require_once("../../globals.php");
 require_once("$srcdir/transactions.inc");
 require_once("$srcdir/options.inc.php");
@@ -17,18 +25,15 @@
 $body_onload_code="";
 if ($inmode) {		/*	For edit func */
   $inedit = sqlStatement("SELECT * FROM transactions " .
-    "WHERE id = '".$transid."'");
+    "WHERE id = ?", array($transid) );
   while ($inmoderow = sqlFetchArray($inedit)) {
     $body = $inmoderow['body'];
   }
 }
 if ($mode) {
-  $sets =
-    "title='"          . $_POST['title'] . "'" .
-    ", user = '"       . $_SESSION['authUser'] . "'" .
-    ", groupname = '"  . $_SESSION['authProvider'] . "'" .
-    ", authorized = '" . $userauthorized . "'" .
-    ", date = NOW()";
+  //use sql placemaker
+  $sets = "title=?, user = ?, groupname = ?, authorized = ?, date = NOW()";
+  $sqlBindArray = array($_POST['title'], $_SESSION['authUser'], $_SESSION['authProvider'], $userauthorized);
 
   $fres = sqlStatement("SELECT * FROM layout_options " .
     "WHERE form_id = 'REF' AND uor > 0 AND field_id != '' " .
@@ -40,14 +45,20 @@
     if ($field_id == 'body' && $title != 'Referral') {
       $value = $_POST["body"];
     }
-    $sets .= ", $field_id = '$value'";
+    //use sql placemaker (note need to explicitly escape the column label)
+    $sets .= ", ".add_escape_custom($field_id)." = ?";
+    array_push($sqlBindArray,$value);
   }
   if ($transid) {
-    sqlStatement("UPDATE transactions SET $sets WHERE id = '$transid'");
+    //use sql placemaker
+    array_push($sqlBindArray,$transid);
+    sqlStatement("UPDATE transactions SET $sets WHERE id = ?", $sqlBindArray);
   }
   else {
-    $sets .= ", pid = '$pid'";
-    $transid = sqlInsert("INSERT INTO transactions SET $sets");
+    //use sql placemaker
+    array_push($sqlBindArray,$pid);
+    $sets .= ", pid = ?";
+    $transid = sqlInsert("INSERT INTO transactions SET $sets", $sqlBindArray);
   }
 
   if ($GLOBALS['concurrent_layout'])
@@ -56,13 +67,16 @@
     $body_onload_code = "javascript:parent.Transactions.location.href='transactions.php';";
 }
 
+/************************************
+//Migrated this to the list_options engine (transactions list)
 $trans_types = array(
   'Referral'          => xl('Referral'),
   'Patient Request'   => xl('Patient Request'),
   'Physician Request' => xl('Physician Request'),
   'Legal'             => xl('Legal'),
   'Billing'           => xl('Billing'),
 );
+************************************/
 
 $CPR = 4; // cells per row
 
@@ -122,7 +136,7 @@ function end_group() {
 </script>
 <script language="JavaScript">
 
-var mypcc = '<?php echo $GLOBALS['phone_country_code'] ?>';
+var mypcc = '<?php echo htmlspecialchars( $GLOBALS['phone_country_code'], ENT_QUOTES); ?>';
 
 function titleChanged() {
  var sel = document.forms[0].title;
@@ -169,7 +183,7 @@ function sel_related() {
 // Process click on Delete link.
 function deleteme() {
 // onclick='return deleteme()'
- dlgopen('../deleter.php?transaction=<?php echo $transid ?>', '_blank', 500, 450);
+ dlgopen('../deleter.php?transaction=<?php echo htmlspecialchars( $transid, ENT_QUOTES); ?>', '_blank', 500, 450);
  return false;
 }
 
@@ -201,11 +215,11 @@ function validate(f) {
  }
 
  var msg = "";
- msg += "<?php xl('The following fields are required', 'e' ); ?>:\n\n";
+ msg += "<?php echo htmlspecialchars( xl('The following fields are required'), ENT_QUOTES); ?>:\n\n";
  for ( var i = 0; i < errMsgs.length; i++ ) {
 	msg += errMsgs[i] + "\n";
  }
- msg += "\n<?php xl('Please fill them in before continuing.', 'e'); ?>";
+ msg += "\n<?php echo htmlspecialchars( xl('Please fill them in before continuing.'), ENT_QUOTES); ?>";
 
  if ( errMsgs.length > 0 ) {
 	alert(msg);
@@ -236,38 +250,29 @@ function submitme() {
 
 </head>
 <body class="body_top" onload="<?php echo $body_onload_code; ?>" >
-<form name='new_transaction' method='post' action='add_transaction.php?transid=<?php echo $transid ?>' onsubmit='return validate(this)'>
+<form name='new_transaction' method='post' action='add_transaction.php?transid=<?php echo htmlspecialchars( $transid, ENT_QUOTES); ?>' onsubmit='return validate(this)'>
 <input type='hidden' name='mode' value='add'>
 
 	<table>
 	    <tr>
             <td>
-                <b><?php xl('Add/Edit Patient Transaction','e'); ?></b>&nbsp;</td><td>
+                <b><?php echo htmlspecialchars( xl('Add/Edit Patient Transaction'), ENT_NOQUOTES); ?></b>&nbsp;</td><td>
                  <a href="javascript:;"  <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?> class="css_button" onclick="submitme();">
-                    <span><?php xl('Save','e'); ?></span>
+                    <span><?php echo htmlspecialchars( xl('Save'), ENT_NOQUOTES); ?></span>
                  </a>
              </td>
              <td>
                 <a href="transactions.php"  <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?> class="css_button" onclick="top.restoreSession()">
-                    <span><?php xl('Cancel','e'); ?></span>
+                    <span><?php echo htmlspecialchars( xl('Cancel'), ENT_NOQUOTES); ?></span>
                 </a>
             </td>
         </tr>
 	</table>
 
 	<table class="text">
 	    <tr><td>
-        <?php xl('Transaction Type','e'); ?>:&nbsp;</td><td>
-        <select name='title' onchange='titleChanged()'>
-        <?php
-        $db_title=$_REQUEST['title'];
-        foreach ($trans_types as $key => $value) {
-          echo "    <option value='$key'";
-          if ($key == $db_title) echo " selected";
-          echo ">$value</option>\n";
-        }
-        ?>
-        </select>
+        <?php echo htmlspecialchars( xl('Transaction Type'), ENT_NOQUOTES); ?>:&nbsp;</td><td>
+	<?php echo generate_select_list('title','transactions',$_REQUEST['title'],'','','','titleChanged()'); ?>
         </td></tr>
 	</table>
 
@@ -302,7 +307,7 @@ function submitme() {
     }
     else if ($field_id == 'body' ) {
       $tmp = sqlQuery("SELECT reason FROM form_encounter WHERE " .
-        "pid = '$pid' ORDER BY date DESC LIMIT 1");
+        "pid = ? ORDER BY date DESC LIMIT 1", array($pid) );
       if (!empty($tmp)) $currvalue = $tmp['reason'];
     }
   }
@@ -314,7 +319,10 @@ function submitme() {
     $last_group = $this_group;
 	if($group_seq==1)	echo "<li class='current'>";
 	else				echo "<li class=''>";
-	echo "<a href='/play/javascript-tabbed-navigation/' id='div_$group_seq'>".xl_layout_label($group_name)."</a></li>";
+        $group_seq_esc = htmlspecialchars( $group_seq, ENT_QUOTES);
+        $group_name_show = htmlspecialchars( xl_layout_label($group_name), ENT_NOQUOTES);
+	echo "<a href='/play/javascript-tabbed-navigation/' id='div_$group_seq_esc'>".
+	    "$group_name_show</a></li>";
   }
   ++$item_count;
 }
@@ -349,7 +357,7 @@ function submitme() {
     }
     else if ($field_id == 'body' && $transid > 0 ) {
 	   $tmp = sqlQuery("SELECT reason FROM form_encounter WHERE " .
-        "pid = '$pid' ORDER BY date DESC LIMIT 1");
+        "pid = ? ORDER BY date DESC LIMIT 1", array($pid) );
       if (!empty($tmp)) $currvalue = $tmp['reason'];
     }
   }
@@ -360,8 +368,9 @@ function submitme() {
     $group_seq  = substr($this_group, 0, 1);
     $group_name = substr($this_group, 1);
     $last_group = $this_group;
-	if($group_seq==1)	echo "<div class='tab current' id='div_$group_seq'>";
-	else				echo "<div class='tab' id='div_$group_seq'>";
+    $group_seq_esc = htmlspecialchars( $group_seq, ENT_QUOTES);
+	if($group_seq==1)	echo "<div class='tab current' id='div_$group_seq_esc'>";
+	else				echo "<div class='tab' id='div_$group_seq_esc'>";
     echo " <table border='0' cellpadding='0'>\n";
     $display_style = 'none';
   }
@@ -377,7 +386,8 @@ function submitme() {
   // Handle starting of a new label cell.
   if ($titlecols > 0) {
     end_cell();
-    echo "<td width='70' valign='top' colspan='$titlecols'";
+    $titlecols_esc = htmlspecialchars( $titlecols, ENT_QUOTES);
+    echo "<td width='70' valign='top' colspan='$titlecols_esc'";
     echo ($frow['uor'] == 2) ? " class='required'" : " class='bold'";
     if ($cell_count == 2) echo " style='padding-left:10pt'";
     echo ">";
@@ -388,14 +398,15 @@ function submitme() {
   echo "<b>";
 
   // Modified 6-09 by BM - Translate if applicable
-  if ($frow['title']) echo (xl_layout_label($frow['title']) . ":"); else echo "&nbsp;";
+  if ($frow['title']) echo (htmlspecialchars( xl_layout_label($frow['title']), ENT_NOQUOTES) . ":"); else echo "&nbsp;";
 
   echo "</b>";
 
   // Handle starting of a new data cell.
   if ($datacols > 0) {
     end_cell();
-    echo "<td valign='top' colspan='$datacols' class='text'";
+    $datacols_esc = htmlspecialchars( $datacols, ENT_QUOTES);
+    echo "<td valign='top' colspan='$datacols_esc' class='text'";
     if ($cell_count > 0) echo " style='padding-left:5pt'";
     echo ">";
     $cell_count += $datacols;
@@ -414,8 +425,8 @@ function submitme() {
 </div>
 <p>
 <div id='otherdiv' style='display:none'>
-<span class='bold'><?php xl('Details','e'); ?>:</span><br>
-<textarea name='body' rows='6' cols='40' wrap='virtual'><?php echo $body; ?>
+<span class='bold'><?php echo htmlspecialchars( xl('Details'), ENT_NOQUOTES); ?>:</span><br>
+<textarea name='body' rows='6' cols='40' wrap='virtual'><?php echo htmlspecialchars( $body, ENT_NOQUOTES); ?>
 </textarea>
 </div>
 </p>

diff --git a/interface/patient_file/transaction/patient_transaction.php b/interface/patient_file/transaction/patient_transaction.php
@@ -1,11 +1,20 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 include_once("../../globals.php");
 ?>
 
 <HTML>
 <head>
 <?php html_header_show();?>
-<TITLE><?php xl('Patient Summary','e'); ?>
+<TITLE><?php echo htmlspecialchars( xl('Patient Summary'), ENT_NOQUOTES); ?>
 </TITLE>
 </HEAD>
 <frameset rows="50%,50%" cols="*">