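<?php
// Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
//
// Onsite patient-portal login handler.
//
// Expects a POST from index.php carrying `uname` and `pass` (optionally
// `languageChoice`, and `pass_new`/`pass_new_confirm` when a password change
// is pending). It verifies the credentials against patient_access_onsite,
// checks that the patient has opted in to the portal (patient_data
// .allow_patient_portal = "YES"), and on success stores $_SESSION['pid'] and
// $_SESSION['patient_portal_onsite'] before handing off to
// summary_pat_portal.php. Every failure path destroys the session and
// redirects to the landing page ('&w' = generic warning, '&w&c' = missing
// credentials).
//
// Security notes (review):
//  * Password digests are compared strictly and in constant time. The previous
//    loose `!=` let PHP's numeric-string juggling treat hex digests that look
//    like numbers ("0e12...") as equal, and leaked timing on the first
//    mismatching byte.
//  * The new-password confirmation is compared with `===`; `==` considers
//    "10" and "1e1" equal.
//  * languageChoice is only accepted as a positive integer id; the default
//    below is 1, so the ids are numeric.
//  * There is no lockout / rate limiting in this file; if one exists it lives
//    elsewhere (TODO(review): confirm brute-force protection on this endpoint).

//starting the PHP session (also regenerating the session id to avoid session fixation attacks)
session_start();
session_regenerate_id(true);

//landing page definition -- where to go if something goes wrong
// (site_id is read from the session, not from the request; index.php is
// expected to have set it)
$landingpage = "index.php?site=" . (isset($_SESSION['site_id']) ? $_SESSION['site_id'] : '');

// Abort the login: drop the session and redirect to the landing page with
// $suffix appended ('&w' for a generic warning, '&w&c' for missing
// credentials). Never returns.
if (!function_exists('portal_login_bail')) {
    function portal_login_bail($landingpage, $suffix = '&w')
    {
        session_destroy();
        header('Location: ' . $landingpage . $suffix);
        exit;
    }
}

// Strict, constant-time comparison of a stored digest against a freshly
// computed one. hash_equals() exists from PHP 5.6; on older runtimes fall
// back to a strict string comparison (still immune to "0e..." juggling).
if (!function_exists('portal_hash_equals')) {
    function portal_hash_equals($known, $candidate)
    {
        $known = (string) $known;
        $candidate = (string) $candidate;
        if (function_exists('hash_equals')) {
            return hash_equals($known, $candidate);
        }
        return $known === $candidate;
    }
}

//checking whether the request comes from index.php
if (!isset($_SESSION['itsme'])) {
    portal_login_bail($landingpage, '&w');
}

//some validation -- both credentials must be present, and must be plain
// strings (a `uname[]=` style parameter would otherwise reach the query /
// digest functions as an array)
if (empty($_POST['uname']) || !is_string($_POST['uname'])) {
    portal_login_bail($landingpage, '&w&c');
}
if (empty($_POST['pass']) || !is_string($_POST['pass'])) {
    portal_login_bail($landingpage, '&w&c');
}

//SANITIZE ALL ESCAPES
$fake_register_globals = false;

//STOP FAKE REGISTER GLOBALS
$sanitize_all_escapes = true;

//Settings that will override globals.php
$ignoreAuth = 1;

//Authentication (and language setting)
// password_salt()/password_hash() used below are the project helpers from
// common_operations.php with the (plain, salt) signature -- not PHP's native
// password_hash() (PHP >= 5.5), which takes an algorithm constant.
// TODO(review): confirm the include guards against that name collision.
require_once('../interface/globals.php');
require_once("$srcdir/authentication/common_operations.php");

// A pending "must choose a new password" flag is consumed here and re-set
// below if the patient still has not chosen one.
$password_update = isset($_SESSION['password_update']);
unset($_SESSION['password_update']);
$plain_code = $_POST['pass'];

// set the language: accept only a positive integer id from the form,
// otherwise keep the session value, defaulting to English (1)
if (!empty($_POST['languageChoice'])
    && ctype_digit((string) $_POST['languageChoice'])
    && (int) $_POST['languageChoice'] > 0) {
    $_SESSION['language_choice'] = (int) $_POST['languageChoice'];
} elseif (empty($_SESSION['language_choice'])) {
    // just in case both are empty, then use english
    $_SESSION['language_choice'] = 1;
}
// else: keep the current session language token

$authorizedPortal = false; //flag
define("TBL_PAT_ACC_ON", "patient_access_onsite");
define("COL_PID", "pid");
define("COL_POR_PWD", "portal_pwd");
define("COL_POR_USER", "portal_username");
define("COL_POR_SALT", "portal_salt");
define("COL_POR_PWD_STAT", "portal_pwd_status");
// COL_ID is expected from common_operations.php
$sql = "SELECT " . implode(",", array(COL_ID, COL_PID, COL_POR_PWD, COL_POR_SALT, COL_POR_PWD_STAT))
    . " FROM " . TBL_PAT_ACC_ON
    . " WHERE " . COL_POR_USER . "=?";
$auth = privQuery($sql, array($_POST['uname']));

// Unknown portal username (or nothing usable returned): same redirect as a
// wrong password so the response does not reveal which one failed.
if ($auth === false || empty($auth)) {
    portal_login_bail($landingpage, '&w');
}

if (empty($auth[COL_POR_SALT])) {
    // Legacy record: password stored as an unsalted SHA1. Verify it, then
    // transparently upgrade the row to the salted scheme so the next login
    // takes the salted branch below.
    if (!portal_hash_equals($auth[COL_POR_PWD], SHA1($plain_code))) {
        portal_login_bail($landingpage, '&w');
    }
    $new_salt = password_salt();
    $new_hash = password_hash($plain_code, $new_salt);
    $sqlUpdatePwd = " UPDATE " . TBL_PAT_ACC_ON
        . " SET " . COL_POR_PWD . "=?, "
        . COL_POR_SALT . "=? "
        . " WHERE " . COL_ID . "=?";
    privStatement($sqlUpdatePwd, array($new_hash, $new_salt, $auth[COL_ID]));
} else {
    // Salted record: recompute with the stored salt and compare digests.
    if (!portal_hash_equals($auth[COL_POR_PWD], password_hash($plain_code, $auth[COL_POR_SALT]))) {
        portal_login_bail($landingpage, '&w');
    }
}

// Credentials are valid from here on; the remaining checks decide whether the
// portal may actually be used.
$_SESSION['portal_username'] = $_POST['uname'];

// Load the patient record and make sure the portal is enabled for it.
$sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
$userData = sqlQuery($sql, array($auth['pid']));
if (empty($userData)) {
    // problem with the query, or no records for this pid, so escape
    portal_login_bail($landingpage, '&w');
}
if ($userData['allow_patient_portal'] !== "YES") {
    // Patient has not authorized portal, so escape
    portal_login_bail($landingpage, '&w');
}
if ((string) $auth['pid'] !== (string) $userData['pid']) {
    // Not sure if this is even possible, but should escape if this happens
    portal_login_bail($landingpage, '&w');
}

if ($password_update) {
    $code_new = isset($_POST['pass_new']) ? $_POST['pass_new'] : '';
    $code_new_confirm = isset($_POST['pass_new_confirm']) ? $_POST['pass_new_confirm'] : '';
    // Only a non-empty, identical pair is accepted. No length/complexity
    // policy is enforced here (TODO(review): consider a minimum length).
    if (is_string($code_new) && is_string($code_new_confirm)
        && !empty($code_new) && !empty($code_new_confirm)
        && $code_new === $code_new_confirm) {
        $new_salt = password_salt();
        $new_hash = password_hash($code_new, $new_salt);

        // Update the password and continue (patient is authorized)
        privStatement("UPDATE " . TBL_PAT_ACC_ON
            . " SET " . COL_POR_PWD . "=?," . COL_POR_SALT . "=?," . COL_POR_PWD_STAT . "=1 WHERE id=?",
            array($new_hash, $new_salt, $auth['id']));
        $authorizedPortal = true;
    }
}

// portal_pwd_status 0: the initial password is still in place, so send the
// patient back to index.php to choose a new one (unless they just did above).
// The session is deliberately kept here -- index.php needs 'itsme' and the
// 'password_update' flag to render the change-password form.
if ((int) $auth['portal_pwd_status'] === 0) {
    if (!$authorizedPortal) {
        $_SESSION['password_update'] = 1;
        header('Location: ' . $landingpage);
        exit;
    }
}

// portal_pwd_status 1: password has been set by the patient; continue.
if ((int) $auth['portal_pwd_status'] === 1) {
    $authorizedPortal = true;
}

if (!$authorizedPortal) {
    portal_login_bail($landingpage, '&w');
}

// patient is authorized (prepare the session variables)
unset($_SESSION['password_update']); // just being safe
unset($_SESSION['itsme']); // just being safe
$_SESSION['pid'] = $auth['pid'];
$_SESSION['patient_portal_onsite'] = 1;

require_once('summary_pat_portal.php');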