portal fixes (#1795)

bradymiller · web-flow · commit 4963fe4932a0 · 2018-08-12T00:49:28.000-07:00
diff --git a/portal/index.php b/portal/index.php
@@ -349,7 +349,7 @@ function validate_new_pass() {
 
 <?php // if something went wrong
 if (isset($_GET['requestNew'])) {
-    $_SESSION['patient_portal_onsite_two'] = true;
+    $_SESSION['register'] = true;
     $_SESSION['authUser'] = 'portal-user';
     $_SESSION['pid'] = true;
     ?>
diff --git a/portal/lib/appsql.class.php b/portal/lib/appsql.class.php
@@ -169,7 +169,7 @@ public function portalAudit($type = 'insert', $rec = '', array $auditvals, $oelo
                 $logsql = "update onsite_portal_activity set date=?, patient_id=?, activity=?, require_audit=?,".
                         "            pending_action=?, action_taken=?,status=?, narrative=?, table_action=?, table_args=?,".
                                         "action_user=?, action_taken_time=?, checksum=? ";
-                $logsql .= "where id=".$rec ." And patient_id=".$audit['patient_id'];
+                $logsql .= "where id='" . add_escape_custom($rec) . "' And patient_id='" . add_escape_custom($audit['patient_id']) . "'";
             }
 
             $return = sqlStatementNoLog($logsql, $audit);
diff --git a/portal/lib/download_template.php b/portal/lib/download_template.php
@@ -128,10 +128,10 @@ function doSubs($s)
     $nextLocation = 0;
     $groupLevel = 0;
     $groupCount = 0;
-    
+
     while (($keyLocation = strpos($s, '{', $nextLocation)) !== false) {
         $nextLocation = $keyLocation + 1;
-        
+
         if (keySearch($s, '{PatientSignature}')) {
             $fn = $GLOBALS['web_root'] . '/portal/sign/assets/signhere.png';
             $sigfld = '<span>';
@@ -231,7 +231,7 @@ function doSubs($s)
             $patientid = $ptrow['pid'];
             $DOS = substr($enrow['date'], 0, 10);
             // Prefer appointment comment if one is present.
-            $evlist = fetchEvents($DOS, $DOS, " AND pc_pid = '$patientid' ");
+            $evlist = fetchEvents($DOS, $DOS, " AND pc_pid = ? ", null, false, 0, array($patientid));
             foreach ($evlist as $tmp) {
                 if ($tmp['pc_pid'] == $pid && ! empty($tmp['pc_hometext'])) {
                     $cc = $tmp['pc_hometext'];
@@ -345,7 +345,7 @@ function doSubs($s)
             $s = keyReplace($s, dataFixup($data, $title));
         }
     } // End if { character found.
-    
+
     return $s;
 }
 // Get patient demographic info.
@@ -368,9 +368,12 @@ function doSubs($s)
 }
 
 $templatedir = $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates';
+
+check_file_dir_name($form_filename);
 $templatepath = "$templatedir/$form_filename";
 // test if this is folder with template, if not, must be for a specific patient
 if (! file_exists($templatepath)) {
+    check_file_dir_name($pid);
     $templatepath = "$templatedir/" . $pid . "/$form_filename";
 }
 

Original file line number	Diff line number	Diff line change
`@@ -169,7 +169,7 @@ public function portalAudit($type = 'insert', $rec = '', array $auditvals, $oelo`
`169`	`169`	`$logsql = "update onsite_portal_activity set date=?, patient_id=?, activity=?, require_audit=?,".`
`170`	`170`	`" pending_action=?, action_taken=?,status=?, narrative=?, table_action=?, table_args=?,".`
`171`	`171`	`"action_user=?, action_taken_time=?, checksum=? ";`
`172`		`- $logsql .= "where id=".$rec ." And patient_id=".$audit['patient_id'];`
	`172`	`+ $logsql .= "where id='" . add_escape_custom($rec) . "' And patient_id='" . add_escape_custom($audit['patient_id']) . "'";`
`173`	`173`	`}`
`174`	`174`
`175`	`175`	`$return = sqlStatementNoLog($logsql, $audit);`