patients/get_patient_info.php

   1 <?php
   2 /**
   3  * Generated DocBlock
   4  *
   5  * @package OpenEMR
   6  * @link    http://www.open-emr.org
   7  * @author  Oleg Sverdlov <olegsv@matrix.co.il>
   8  * @author  Cassian LUP <cassi.lup@gmail.com>
   9  * @author  Robert Down <robertdown@live.com>
  10  * @author  Wakie87 <scott@npclinics.com.au>
  11  * @author  amielboim <amielboim@gmail.com>
  12  * @author  Brady Miller <brady.g.miller@gmail.com>
  13  * @author  Kevin Yeh <kevinyeh@alum.mit.edu>
  14  * @copyright Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
  15  * @copyright Copyright (c) 2016 Oleg Sverdlov <olegsv@matrix.co.il>
  16  * @copyright Copyright (c) 2011 Cassian LUP <cassi.lup@gmail.com>
  17  * @copyright Copyright (c) 2017 Robert Down <robertdown@live.com>
  18  * @copyright Copyright (c) 2016 Wakie87 <scott@npclinics.com.au>
  19  * @copyright Copyright (c) 2016 amielboim <amielboim@gmail.com>
  20  * @copyright Copyright (c) 2017 Brady Miller <brady.g.miller@gmail.com>
  21  * @copyright Copyright (c) 2013 Kevin Yeh <kevinyeh@alum.mit.edu>
  22  * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  23  */
  24 ?>
  25 <?php
  26
  27
  28     //starting the PHP session (also regenerating the session id to avoid session fixation attacks)
  29         session_start();
  30         session_regenerate_id(true);
  31     //
  32
  33     //landing page definition -- where to go if something goes wrong
  34     $landingpage = "index.php?site=".$_SESSION['site_id'];
  35     //
  36
  37     //checking whether the request comes from index.php
  38 if (!isset($_SESSION['itsme'])) {
  39     session_destroy();
  40     header('Location: '.$landingpage.'&w');
  41     exit;
  42 }
  43
  44     //
  45
  46     //some validation
  47 if (!isset($_POST['uname']) || empty($_POST['uname'])) {
  48     session_destroy();
  49     header('Location: '.$landingpage.'&w&c');
  50     exit;
  51 }
  52
  53 if (!isset($_POST['pass']) || empty($_POST['pass'])) {
  54     session_destroy();
  55     header('Location: '.$landingpage.'&w&c');
  56     exit;
  57 }
  58
  59     //
  60
  61     // set the language
  62 if (!empty($_POST['languageChoice'])) {
  63     $_SESSION['language_choice'] = (int)$_POST['languageChoice'];
  64 } else if (empty($_SESSION['language_choice'])) {
  65     // just in case both are empty, then use english
  66     $_SESSION['language_choice'] = 1;
  67 } else {
  68     // keep the current session language token
  69 }
  70
  71     //Settings that will override globals.php
  72     $ignoreAuth = 1;
  73     //
  74
  75     //Authentication
  76     require_once('../interface/globals.php');
  77     require_once("$srcdir/authentication/common_operations.php");
  78     $password_update=isset($_SESSION['password_update']);
  79     unset($_SESSION['password_update']);
  80     $plain_code= $_POST['pass'];
  81
  82
  83     $authorizedPortal=false; //flag
  84     DEFINE("TBL_PAT_ACC_ON", "patient_access_onsite");
  85     DEFINE("COL_PID", "pid");
  86     DEFINE("COL_POR_PWD", "portal_pwd");
  87     DEFINE("COL_POR_USER", "portal_username");
  88     DEFINE("COL_POR_SALT", "portal_salt");
  89     DEFINE("COL_POR_PWD_STAT", "portal_pwd_status");
  90     $sql= "SELECT ".implode(",", array(COL_ID,COL_PID,COL_POR_PWD,COL_POR_SALT,COL_POR_PWD_STAT))
  91           ." FROM ".TBL_PAT_ACC_ON
  92           ." WHERE ".COL_POR_USER."=?";
  93             $auth = privQuery($sql, array($_POST['uname']));
  94 if ($auth===false) {
  95     session_destroy();
  96     header('Location: '.$landingpage.'&w');
  97     exit;
  98 }
  99
 100 if (empty($auth[COL_POR_SALT])) {
 101     if (SHA1($plain_code)!=$auth[COL_POR_PWD]) {
 102         session_destroy();
 103         header('Location: '.$landingpage.'&w');
 104         exit;
 105     }
 106
 107     $new_salt=oemr_password_salt();
 108     $new_hash=oemr_password_hash($plain_code, $new_salt);
 109     $sqlUpdatePwd= " UPDATE " . TBL_PAT_ACC_ON
 110       ." SET " .COL_POR_PWD."=?, "
 111       . COL_POR_SALT . "=? "
 112       ." WHERE ".COL_ID."=?";
 113     privStatement($sqlUpdatePwd, array($new_hash,$new_salt,$auth[COL_ID]));
 114 } else {
 115     if (oemr_password_hash($plain_code, $auth[COL_POR_SALT])!=$auth[COL_POR_PWD]) {
 116         session_destroy();
 117         header('Location: '.$landingpage.'&w');
 118         exit;
 119     }
 120 }
 121
 122             $_SESSION['portal_username']=$_POST['uname'];
 123     $sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
 124
 125 if ($userData = sqlQuery($sql, array($auth['pid']))) { // if query gets executed
 126
 127     if (empty($userData)) {
 128                         // no records for this pid, so escape
 129         session_destroy();
 130                         header('Location: '.$landingpage.'&w');
 131         exit;
 132     }
 133
 134     if ($userData['allow_patient_portal'] != "YES") {
 135         // Patient has not authorized portal, so escape
 136         session_destroy();
 137                         header('Location: '.$landingpage.'&w');
 138         exit;
 139     }
 140
 141     if ($auth['pid'] != $userData['pid']) {
 142         // Not sure if this is even possible, but should escape if this happens
 143         session_destroy();
 144         header('Location: '.$landingpage.'&w');
 145         exit;
 146     }
 147
 148     if ($password_update) {
 149             $code_new=$_POST['pass_new'];
 150             $code_new_confirm=$_POST['pass_new_confirm'];
 151         if (!(empty($_POST['pass_new'])) && !(empty($_POST['pass_new_confirm'])) && ($code_new == $code_new_confirm)) {
 152             $new_salt=oemr_password_salt();
 153             $new_hash=oemr_password_hash($code_new, $new_salt);
 154
 155             // Update the password and continue (patient is authorized)
 156             privStatement("UPDATE ".TBL_PAT_ACC_ON
 157                   ."  SET ".COL_POR_PWD."=?,".COL_POR_SALT."=?,".COL_POR_PWD_STAT."=1 WHERE id=?", array($new_hash,$new_salt,$auth['id']));
 158             $authorizedPortal = true;
 159         }
 160     }
 161
 162     if ($auth['portal_pwd_status'] == 0) {
 163         if (!$authorizedPortal) {
 164             // Need to enter a new password in the index.php script
 165             $_SESSION['password_update'] = 1;
 166                             header('Location: '.$landingpage);
 167             exit;
 168         }
 169     }
 170
 171     if ($auth['portal_pwd_status'] == 1) {
 172         // continue (patient is authorized)
 173         $authorizedPortal = true;
 174     }
 175
 176     if ($authorizedPortal) {
 177                     // patient is authorized (prepare the session variables)
 178         unset($_SESSION['password_update']); // just being safe
 179         unset($_SESSION['itsme']); // just being safe
 180         $_SESSION['pid'] = $auth['pid'];
 181         $_SESSION['patient_portal_onsite'] = 1;
 182     } else {
 183         session_destroy();
 184         header('Location: '.$landingpage.'&w');
 185         exit;
 186     }
 187 } else { //problem with query
 188     session_destroy();
 189     header('Location: '.$landingpage.'&w');
 190     exit;
 191 }
 192
 193     require_once('summary_pat_portal.php');