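<?php
// Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
//
// Patient-portal login handler. Expects a username ('uname') and password
// ('code') posted by index.php, looks the pair up in patient_access_onsite,
// enforces the patient's allow_patient_portal flag and the forced
// password-change state (portal_pwd_status), and on success stores the
// patient's pid in the session before handing off to summary_pat_portal.php.
// Every failure path destroys the session and redirects to the landing page.

// Start the PHP session (regenerating the session id to avoid session fixation attacks).
session_start();
session_regenerate_id(true);

// Landing page definition -- where to go if something goes wrong.
$landingpage = "index.php?site=".$_SESSION['site_id'];

// Drop the session and send the browser to $location; never returns.
// Used for every refusal below so a half-authenticated session cannot be reused.
function portal_bail($location) {
    session_destroy();
    header('Location: '.$location);
    exit;
}

// Check that the request comes from index.php (which sets the 'itsme' marker).
if (!isset($_SESSION['itsme'])) {
    portal_bail($landingpage.'&w');
}

// Basic validation: both credentials must be present and non-empty.
// empty() covers the unset case too, and (as before) also rejects the literal "0".
if (empty($_POST['uname']) || empty($_POST['code'])) {
    portal_bail($landingpage.'&w&c');
}

// SANITIZE ALL ESCAPES
$fake_register_globals = false;

// STOP FAKE REGISTER GLOBALS
$sanitize_all_escapes = true;

// Settings that will override globals.php
$ignoreAuth = 1;

// Authentication (and language setting)
require_once('../interface/globals.php');

// Set the language.
// NOTE(review): languageChoice is copied from POST into the session without
// validation; the fallback below is an integer id, so restricting it to a
// numeric value looks appropriate, but the accepted value type could not be
// confirmed from this file, so it is left unchanged here.
if (!empty($_POST['languageChoice'])) {
    $_SESSION['language_choice'] = $_POST['languageChoice'];
} else if (empty($_SESSION['language_choice'])) {
    // just in case both are empty, then use english
    $_SESSION['language_choice'] = 1;
}
// otherwise: keep the current session language token

$authorizedPortal = false; // set to true only once every check below has passed

// NOTE(review): the posted password is matched directly against the stored
// `portal_pwd` column, i.e. portal passwords are compared (and thus kept) in
// clear text. Moving to password_hash()/password_verify() needs a schema and
// migration change and is not attempted in this script.
$sql = "SELECT * FROM `patient_access_onsite` WHERE `portal_username` = ? AND `portal_pwd` = ?";
$auth = sqlQuery($sql, array($_POST['uname'], $_POST['code']));
if (empty($auth)) {
    // No matching row, or the query did not return one; either way refuse the login.
    portal_bail($landingpage.'&w');
}

$sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
$userData = sqlQuery($sql, array($auth['pid']));
if (empty($userData)) {
    // no records for this pid (or query problem), so escape
    portal_bail($landingpage.'&w');
}

if ($userData['allow_patient_portal'] != "YES") {
    // Patient has not authorized portal, so escape
    portal_bail($landingpage.'&w');
}

if ($auth['pid'] != $userData['pid']) {
    // Not sure if this is even possible, but should escape if this happens
    portal_bail($landingpage.'&w');
}

if ($auth['portal_pwd_status'] == 0) {
    // First login: index.php must have collected a new password and its confirmation.
    // The two copies are compared with === so they must match byte-for-byte
    // (loose == would treat numeric-looking strings such as "1e3" and "1000" as equal).
    if (isset($_SESSION['password_update'])
        && !empty($_POST['code_new'])
        && !empty($_POST['code_new_confirm'])
        && $_POST['code_new'] === $_POST['code_new_confirm']) {
        // Update the password and continue (patient is authorized)
        sqlStatement("UPDATE `patient_access_onsite` SET `portal_username`=?,`portal_pwd`=?,portal_pwd_status=1 WHERE pid=?", array($_POST['uname'], $_POST['code_new'], $auth['pid']));
        $authorizedPortal = true;
    } else {
        // Need to enter a new password in the index.php script.
        // The session is deliberately kept here (not destroyed) so index.php can see the flag.
        $_SESSION['password_update'] = 1;
        header('Location: '.$landingpage);
        exit;
    }
}

if ($auth['portal_pwd_status'] == 1) {
    // continue (patient is authorized)
    $authorizedPortal = true;
}

if ($authorizedPortal) {
    // patient is authorized (prepare the session variables)
    unset($_SESSION['password_update']); // just being safe
    unset($_SESSION['itsme']); // just being safe
    $_SESSION['pid'] = $auth['pid'];
    $_SESSION['patient_portal_onsite'] = 1;
} else {
    // Neither password-status branch authorized the patient.
    portal_bail($landingpage.'&w');
}

require_once('summary_pat_portal.php');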