From 61c95e62f79ad2afb68a2e8b1f81e3cca20b99ea Mon Sep 17 00:00:00 2001
From: bradymiller
Date: Sat, 1 Dec 2012 18:17:09 -0800
Subject: [PATCH] Implement new security model in LBF forms.

---
 interface/forms/LBF/new.php | 87 +++++++++++++++++++++------------------
 interface/forms/LBF/printable.php | 28 ++++++++-----
 interface/forms/LBF/report.php | 2 +-
 3 files changed, 66 insertions(+), 51 deletions(-)

diff --git a/interface/forms/LBF/new.php b/interface/forms/LBF/new.php
index 0b6919285..e24aaca7d 100644
--- a/interface/forms/LBF/new.php
+++ b/interface/forms/LBF/new.php
@@ -6,6 +6,12 @@
 // as published by the Free Software Foundation; either version 2
 // of the License, or (at your option) any later version.
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+
 require_once("../../globals.php");
 require_once("$srcdir/api.inc");
 require_once("$srcdir/forms.inc");
@@ -67,12 +73,12 @@ function end_group() {
 }
 }
-$formname = formData('formname', 'G');
-$formid = 0 + formData('id', 'G');
+$formname = isset($_GET['formname']) ? $_GET['formname'] : '';
+$formid = 0 + (isset($_GET['id']) ? $_GET['id'] : '');
 // Get title and number of history columns for this form.
 $tmp = sqlQuery("SELECT title, option_value FROM list_options WHERE " .
- "list_id = 'lbfnames' AND option_id = '$formname'");
+ "list_id = 'lbfnames' AND option_id = ?", array($formname) );
 $formtitle = $tmp['title'];
 $formhistory = 0 + $tmp['option_value'];
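Review bot: `$formname` is now taken straight from `$_GET` with no filtering at all; both queries in this hunk bind it, which is correct for SQL, but the same variable is reused further down this file to build the trend_form.php link in the button row, and every such non-SQL use has to be escaped for its own context (attribute/URL) rather than relying on the binding. The same raw read is introduced in printable.php in its `@@ -14,15 +20,15 @@` hunk. `$formid = 0 + (isset($_GET['id']) ? $_GET['id'] : '')` relies on loose coercion of an empty or non-numeric string, which on PHP 8 is a TypeError rather than a silent 0; `$formid = isset($_GET['id']) ? (int)$_GET['id'] : 0;` states the intent directly. When no list_options row matches, `$tmp` is empty and `$tmp['title']` on the following line reads from a non-array, so a guard such as `if (empty($tmp)) die(xlt('Invalid form name'));` after the query would fail closed instead of rendering a half-initialised page.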
@@ -83,34 +89,37 @@ $newid = 0;
 if ($_POST['bn_save']) {
 $sets = "";
 $fres = sqlStatement("SELECT * FROM layout_options " .
- "WHERE form_id = '$formname' AND uor > 0 AND field_id != '' AND " .
+ "WHERE form_id = ? AND uor > 0 AND field_id != '' AND " .
 "edit_options != 'H' " .
- "ORDER BY group_name, seq");
+ "ORDER BY group_name, seq", array($formname) );
 while ($frow = sqlFetchArray($fres)) {
 $field_id = $frow['field_id'];
 $value = get_layout_form_value($frow);
+ $sql_bind_array = array();
 if ($formid) { // existing form
 if ($value === '') {
 $query = "DELETE FROM lbf_data WHERE " .
- "form_id = '$formid' AND field_id = '$field_id'";
+ "form_id = ? AND field_id = ?";
+ array_push($sql_bind_array,$formid,$field_id);
 }
 else {
- $query = "REPLACE INTO lbf_data SET field_value = '$value', " .
- "form_id = '$formid', field_id = '$field_id'";
+ $query = "REPLACE INTO lbf_data SET field_value = ?, " .
+ "form_id = ?, field_id = ?";
+ array_push($sql_bind_array,$value,$formid,$field_id);
 }
- sqlStatement($query);
+ sqlStatement($query,$sql_bind_array);
 }
 else { // new form
 if ($value !== '') {
 if ($newid) {
 sqlStatement("INSERT INTO lbf_data " .
 "( form_id, field_id, field_value ) " .
- " VALUES ( '$newid', '$field_id', '$value' )");
+ " VALUES (?,?,?)", array($newid, $field_id, $value) );
 }
 else {
 $newid = sqlInsert("INSERT INTO lbf_data " .
 "( field_id, field_value ) " .
- " VALUES ( '$field_id', '$value' )");
+ " VALUES (?,?)", array($field_id, $value) );
 }
 }
 // Note that a completely empty form will not be created at all!
@@ -227,20 +236,20 @@ function sel_related() { topmargin="0" rightmargin="0" leftmargin="2" bottommargin="0" marginwidth="2" marginheight="0"> -
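Review bot: The DELETE and REPLACE on lbf_data in this hunk are keyed solely by `$formid`, which comes from the query string, and nothing visible here ties that id to the current patient or encounter or verifies an anti-CSRF token before the write; binding the parameters closes the injection path but does not authorise the write, so a check belongs just inside `if ($_POST['bn_save'])` (an access check may already exist earlier in the file, outside this hunk — worth confirming). `if ($_POST['bn_save'])` on a plain GET also reads an undefined index; `if (!empty($_POST['bn_save']))` is the usual form. The `$sql_bind_array` plumbing is consistent across both branches, though initialising it per branch, e.g. `$sql_bind_array = array($formid, $field_id);`, reads more directly than `array_push` onto an empty array.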
\n"; - echo "$formtitle " . xl('for') . ' '; - echo $enrow['fname'] . ' ' . $enrow['mname'] . ' ' . $enrow['lname']; - echo ' ' . htmlspecialchars(xl('on')) . ' ' . substr($enrow['date'], 0, 10); + echo text($formtitle) . " " . xlt('for') . ' '; + echo text($enrow['fname']) . ' ' . text($enrow['mname']) . ' ' . text($enrow['lname']); + echo ' ' . xlt('on') . ' ' . text(substr($enrow['date'], 0, 10)); echo "

\n"; } ?> @@ -252,8 +261,8 @@ function sel_related() { $shrow = getHistoryData($pid); $fres = sqlStatement("SELECT * FROM layout_options " . - "WHERE form_id = '$formname' AND uor > 0 " . - "ORDER BY group_name, seq"); + "WHERE form_id = ? AND uor > 0 " . + "ORDER BY group_name, seq", array($formname) ); $last_group = ''; $cell_count = 0; $item_count = 0; @@ -289,7 +298,7 @@ function sel_related() { } else { if ($formid) { $pprow = sqlQuery("SELECT field_value FROM lbf_data WHERE " . - "form_id = '$formid' AND field_id = '$field_id'"); + "form_id = ? AND field_id = ?", array($formid, $field_id) ); if (!empty($pprow)) $currvalue = $pprow['field_value']; } else { @@ -310,11 +319,11 @@ function sel_related() { // If group name is blank, no checkbox or div. if (strlen($this_group) > 1) { - echo "
" . htmlspecialchars(xl_layout_label($group_name)) . "\n"; - echo "
\n"; + echo " />" . text(xl_layout_label($group_name)) . "\n"; + echo "
\n"; } // echo " \n"; echo "
\n"; @@ -324,8 +333,8 @@ function sel_related() { $historical_ids = array(); if ($formhistory > 0) { echo " "; - echo "\n"; $hres = sqlStatement("SELECT f.form_id, fe.date " . "FROM forms AS f, form_encounter AS fe WHERE " . @@ -340,8 +349,8 @@ function sel_related() { // at some point we may wish to show also the data entry date/time. while ($hrow = sqlFetchArray($hres)) { $historical_ids[$hrow['form_id']] = ''; - echo "\n"; + echo "\n"; } echo " "; } @@ -363,17 +372,17 @@ function sel_related() { // Handle starting of a new label cell. if ($titlecols > 0) { end_cell(); - echo "
"; - if (empty($is_lbf)) echo htmlspecialchars(xl('Current')); + echo ""; + if (empty($is_lbf)) echo xlt('Current'); echo " " . - oeFormatShortDate(substr($hrow['date'], 0, 10)) . " " . + text(oeFormatShortDate(substr($hrow['date'], 0, 10))) . "
"; foreach ($historical_ids as $key => $dummy) { - $historical_ids[$key] .= ""; + $historical_ids[$key] .= ""; } $cell_count += $titlecols; @@ -381,7 +390,7 @@ function sel_related() { ++$item_count; echo ""; - if ($frow['title']) echo htmlspecialchars(xl_layout_label($frow['title']) . ":"); else echo " "; + if ($frow['title']) echo text(xl_layout_label($frow['title']) . ":"); else echo " "; echo ""; // Note the labels are not repeated in the history columns. @@ -389,12 +398,12 @@ function sel_related() { // Handle starting of a new data cell. if ($datacols > 0) { end_cell(); - echo " 0) echo " style='padding-left:5pt'"; echo ">"; foreach ($historical_ids as $key => $dummy) { - $historical_ids[$key] .= ""; + $historical_ids[$key] .= ""; } $cell_count += $datacols; @@ -413,7 +422,7 @@ function sel_related() { // Append to historical data of other dates for this item. foreach ($historical_ids as $key => $dummy) { $hvrow = sqlQuery("SELECT field_value FROM lbf_data WHERE " . - "form_id = '$key' AND field_id = '$field_id'"); + "form_id = ? AND field_id = ?", array($key, $field_id) ); $value = empty($hvrow) ? '' : $hvrow['field_value']; $historical_ids[$key] .= generate_display_field($frow, $value); } @@ -425,16 +434,16 @@ function sel_related() {

-' /> +' />   -' onclick="top.restoreSession();location=''" /> +' onclick="top.restoreSession();location=''" />   -' onclick="top.restoreSession();location='../../patient_file/encounter/trend_form.php?formname='" /> +' onclick="top.restoreSession();location='../../patient_file/encounter/trend_form.php?formname='" />   -' onclick='window.back();' /> +' onclick='window.back();' />

diff --git a/interface/forms/LBF/printable.php b/interface/forms/LBF/printable.php
index ac9beb1a9..03871eb37 100644
--- a/interface/forms/LBF/printable.php
+++ b/interface/forms/LBF/printable.php
@@ -6,6 +6,12 @@
 // as published by the Free Software Foundation; either version 2
 // of the License, or (at your option) any later version.
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+
 require_once("../../globals.php");
 require_once("$srcdir/acl.inc");
 require_once("$srcdir/options.inc.php");
@@ -14,15 +20,15 @@ require_once("$srcdir/patient.inc");
 $CPR = 4; // cells per row
 // The form name is passed to us as a GET parameter.
-$formname = formData('formname', 'G');
+$formname = isset($_GET['formname']) ? $_GET['formname'] : '';
 $tmp = sqlQuery("SELECT title FROM list_options WHERE " .
- "list_id = 'lbfnames' AND option_id = '$formname' LIMIT 1");
+ "list_id = 'lbfnames' AND option_id = ? LIMIT 1", array($formname) );
 $formtitle = $tmp['title'];
 $fres = sqlStatement("SELECT * FROM layout_options " .
- "WHERE form_id = '$formname' AND uor > 0 " .
- "ORDER BY group_name, seq");
+ "WHERE form_id = ? AND uor > 0 " .
+ "ORDER BY group_name, seq", array($formname) );
 ?>
@@ -88,9 +94,9 @@ div.section { - : ________________________________________   - : ____________________   - : ____________________
 
+ : ________________________________________   + : ____________________   + : ____________________
 
0) echo "
\n"; $group_name = substr($this_group, 1); $last_group = $this_group; - echo "" . xl_layout_label($group_name) . "\n"; + echo "" . text(xl_layout_label($group_name)) . "\n"; echo "
\n"; echo " \n"; @@ -160,7 +166,7 @@ while ($frow = sqlFetchArray($fres)) { // Handle starting of a new label cell. if ($titlecols > 0) { end_cell(); - echo "
"; @@ -170,14 +176,14 @@ while ($frow = sqlFetchArray($fres)) { echo ""; - if ($frow['title']) echo (xl_layout_label($frow['title']) . ":"); else echo " "; + if ($frow['title']) echo (text(xl_layout_label($frow['title'])) . ":"); else echo " "; echo ""; // Handle starting of a new data cell. if ($datacols > 0) { end_cell(); - echo " 25) echo " class='under'"; if ($cell_count > 0) echo " style='padding-left:5pt;'"; echo ">"; diff --git a/interface/forms/LBF/report.php b/interface/forms/LBF/report.php index a75c64a4b..753a6a697 100644 --- a/interface/forms/LBF/report.php +++ b/interface/forms/LBF/report.php @@ -18,7 +18,7 @@ function lbf_report($pid, $encounter, $cols, $id, $formname) { echo "\n"; $arr = array(); - $fres = sqlStatement("SELECT field_id, field_value FROM lbf_data WHERE form_id = '$id'"); + $fres = sqlStatement("SELECT field_id, field_value FROM lbf_data WHERE form_id = ?", array($id) ); while ($frow = sqlFetchArray($fres)) { $arr[$frow['field_id']] = $frow['field_value']; } -- 2.11.4.GIT