1 <?php
2 /**
3 * Functions to globally validate and prepare data for sql database insertion.
5 * Copyright (C) 2009 Rod Roark <rod@sunsetsystems.com>
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
18 * @package OpenEMR
19 * @author Rod Roark <rod@sunsetsystems.com>
20 * @author Brady Miller <brady@sparmy.com>
21 * @link http://www.open-emr.org
/**
 * Escape a parameter for use inside a quoted string literal of a sql query.
 *
 * Delegates to mysql_real_escape_string(), which needs an open ext/mysql
 * connection (it returns false and warns when there is none) and is only
 * meaningful for values placed between quotes. It does not make sql
 * identifiers, LIMIT numbers or sort keywords safe; the escape_limit(),
 * escape_sort_order() and escape_identifier() helpers exist for those.
 *
 * @param string $s Parameter to be escaped.
 * @return string Escaped parameter.
 */
function add_escape_custom($s) {
  // ext/mysql escaping for safe insertion into a quoted sql value
  return mysql_real_escape_string($s);
}
/**
 * Coerce a sql LIMIT value to a plain integer.
 *
 * Intended for the integers in the LIMIT ?, ? part of a query, where quoting
 * does not apply and anything that is not a number must be discarded. The
 * (int) cast is bounded by PHP_INT_MAX, which is why this is centralized in
 * one function (a larger representation can be swapped in later). Negative
 * values are not rejected here.
 *
 * @param string $s Limit variable to be escaped.
 * @return int Integer limit value; 0 when the input is not numeric.
 */
function escape_limit($s) {
  // a cast is the whole sanitization: non-digits can never survive it
  return (int) $s;
}
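/**
 * Escape/sanitize a sql sort order keyword variable to prepare for a sql query.
 *
 * Whitelists the keyword against asc/desc (case-insensitively). Any other
 * value, including an empty or non-string one, falls back to asc. The
 * fallback is explicit: the previous implementation relied on array_search()
 * returning false and that false being coerced to array key 0.
 *
 * @param string $s Sort order keyword variable to be escaped/sanitized.
 * @return string 'asc' or 'desc', never anything else.
 */
function escape_sort_order($s) {
  $ok = array('asc', 'desc');
  $keyword = strtolower((string) $s);
  // strict comparison so only the literal keywords pass through
  return in_array($keyword, $ok, true) ? $keyword : 'asc';
}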
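/**
 * Escape/sanitize a sql identifier variable to prepare for a sql query.
 *
 * This will escape/sanitize a sql identifier. There are two options provided by this function.
 * The first option is done by whitelisting ($whitelist_flag=true) and in this case
 * only certain identifiers (listed in the $whitelist_items array) can be used; if
 * there is no match, then it will default to the first item in the $whitelist_items array
 * (or to an empty string when the whitelist is empty, which produces a sql syntax
 * error rather than an unchecked identifier).
 * The second option is done by sanitizing ($whitelist_flag=false) and in this case
 * only US alphanumeric, '_' and '.' items are kept in the returned string. Note
 * the second option is still experimental as we figure out the ideal items to
 * filter out of the identifier. The first option is ideal if all the possible identifiers
 * are known, however we realize this may not always be the case.
 *
 * $whitelist_items now defaults to an empty array: a required parameter after an
 * optional one is deprecated since PHP 8.0, and the sanitizing mode never reads it.
 *
 * @param string $s Sql identifier variable to be escaped/sanitized.
 * @param boolean $whitelist_flag True to use whitelisting method (See function description for details of whitelisting method).
 * @param array $whitelist_items Items used in whitelisting method (See function description for details of whitelisting method).
 * @return string Escaped/sanitized sql identifier variable.
 */
function escape_identifier($s, $whitelist_flag = FALSE, $whitelist_items = array()) {
  if ($whitelist_flag) {
    // Only return an item within whitelist_items; strict comparison so that
    // e.g. 0 or "" cannot match a real entry through type juggling.
    if (in_array($s, $whitelist_items, true)) {
      return $s;
    }
    // No match: fall back to the first whitelisted item ('' for an empty list).
    $first = reset($whitelist_items);
    return ($first === false) ? '' : $first;
  }
  // Return an item that has been "cleaned" up (this is currently experimental):
  // only US alphanumerics, '_' and '.' survive.
  return preg_replace('/[^a-zA-Z0-9_.]/', '', $s);
}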
/**
 * (Note this function is deprecated for new scripts and is only utilized to support legacy scripts)
 * Function to manage POST, GET, and REQUEST variables.
 *
 * The value is run through formDataCore(), i.e. it comes back escaped for a
 * quoted sql value only; it is not made safe for HTML output or any other
 * context.
 *
 * @param string $name name of the variable requested.
 * @param string $type 'P', 'G' for post or get data, otherwise uses request.
 * @param bool $isTrim whether to use trim() on the data.
 * @return string variable requested, or empty string
 */
function formData($name, $type='P', $isTrim=false) {
  // switch compares loosely, exactly like the former == chain
  switch ($type) {
    case 'P':
      $source = $_POST;
      break;
    case 'G':
      $source = $_GET;
      break;
    default:
      $source = $_REQUEST;
  }
  $value = isset($source[$name]) ? $source[$name] : '';
  return formDataCore($value, $isTrim);
}
/**
 * (Note this function is deprecated for new scripts and is only utilized to support legacy scripts)
 * Core function that will be called by formData.
 * Note it can also be called directly if preparing
 * normal variables (not GET,POST, or REQUEST)
 *
 * Order matters: magic-quotes escaping is removed first so the value is not
 * double-escaped, then sql escaping is added.
 *
 * @param string $s
 * @param bool $isTrim whether to use trim() on the data.
 * @return string
 */
function formDataCore($s, $isTrim=false) {
  $value = $isTrim ? trim($s) : $s;
  return add_escape_custom(strip_escape_custom($value));
}
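/**
 * (Note this function is deprecated for new scripts and is only utilized to support legacy scripts)
 * Will remove escapes if needed (ie magic quotes turned on) from string
 * Called by above formDataCore() function to prepare for database insertion.
 * Can also be called directly if simply need to remove escaped characters
 * from a string before processing.
 *
 * get_magic_quotes_gpc() always returns false from PHP 5.4 on and was removed
 * in PHP 8.0, so the call is guarded with function_exists(); on a modern
 * runtime the input is returned unchanged instead of fatalling.
 *
 * @param string $s
 * @return string
 */
function strip_escape_custom($s) {
  // strip slashes only when the legacy magic_quotes_gpc setting is in effect
  if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $s = stripslashes($s);
  }
  return $s;
}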
/**
 * (Note this function is deprecated for new scripts and is only utilized to support legacy scripts)
 * This function is only being kept to support
 * previous functionality. If you want to trim
 * variables, this should be done using above
 * functions.
 *
 * Equivalent to formDataCore($s, true): trims, strips magic-quotes escaping,
 * then sql-escapes.
 *
 * @param string $s
 * @return string
 */
function formTrim($s) {
  $trim = true;
  return formDataCore($s, $trim);
}