From 98a204219828fb815c21d3f6dcbe924acbf402e0 Mon Sep 17 00:00:00 2001 From: bradymiller Date: Wed, 27 Jun 2012 16:51:10 -0700 Subject: [PATCH] Audit engine bug fix in sql_checksum_of_modified_row function -sql queries throw errors (this was not an issues until the queries were recently run through a function that died on errors). Fixed by running it through a function that skips errors. TODO: -sql_checksum_of_modified_row needs to be better optimized and also utilize binded values in order to be more successful on collecting hashes -hopefully can optimize sql_checksum_of_modified_row to not require a sql function that skips errors --- library/log.inc | 19 +++++++++++++++++-- library/sql.inc | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 2 deletions(-) diff --git a/library/log.inc b/library/log.inc index 51af05fdf..263c26c5d 100644 --- a/library/log.inc +++ b/library/log.inc @@ -108,6 +108,9 @@ function getEvents($params) * If this is not an insert/update query, return "". * If multiple rows were modified, return "". * If we're unable to determine the row modified, return "". + * + * TODO: May need to incorporate the binded stuff (still analyzing) + * */ function sql_checksum_of_modified_row($statement) { @@ -252,7 +255,9 @@ function sql_checksum_of_modified_row($statement) else { $sql = "select * from $table where id = $rid"; } - $results = sqlQueryNoLog($sql); + // When this function is working perfectly, can then shift to the + // sqlQueryNoLog() function. + $results = sqlQueryNoLogIgnoreError($sql); $column_values = ""; /* Concatenating the column values for the row inserted/updated */ if (is_array($results)) { @@ -261,6 +266,8 @@ function sql_checksum_of_modified_row($statement) } } // ViCarePlus: As per NIST standard, the encryption algorithm SHA1 is used + + //error_log("COLUMN_VALUES: ".$column_values,0); return sha1($column_values); } @@ -530,7 +537,15 @@ function auditSQLEvent($statement, $outcome, $binds=NULL) $success = 0; } if ($outcome !== FALSE) { - $checksum = sql_checksum_of_modified_row($comments); + // Should use the $statement rather than the processed + // variables, which includes the binded stuff. If do + // indeed need the binded values, then will need + // to include this as a separate array. + + //error_log("STATEMENT: ".$statement,0); + //error_log("BINDS: ".$processed_binds,0); + $checksum = sql_checksum_of_modified_row($statement); + //error_log("CHECKSUM: ".$checksum,0); } /* Determine the query type (select, update, insert, delete) */ $querytype = "select"; diff --git a/library/sql.inc b/library/sql.inc index df11b2069..1364665ae 100644 --- a/library/sql.inc +++ b/library/sql.inc @@ -317,6 +317,41 @@ function sqlQueryNoLog($statement, $binds=NULL) } /** +* Specialized sql query in OpenEMR that ignores sql errors, bypasses the +* auditing engine and only returns the first row of query results as an +* associative array. +* +* Function that will allow use of the adodb binding +* feature to prevent sql-injection. It is equivalent to the +* sqlQuery() function, EXCEPT it skips the +* audit engine and ignores erros. This function should only be used +* in very special situations. +* +* @param string $statement query +* @param array $binds binded variables array (optional) +* @return array +*/ +function sqlQueryNoLogIgnoreError($statement, $binds=NULL) +{ + if (is_array($binds)) { + $recordset = $GLOBALS['adodb']['db']->ExecuteNoLog( $statement, $binds ); + } + else { + $recordset = $GLOBALS['adodb']['db']->ExecuteNoLog( $statement ); + } + if ($recordset === FALSE) { + // ignore the error and return FALSE + return FALSE; + } + if ($recordset->EOF) + return FALSE; + $rez = $recordset->FetchRow(); + if ($rez == FALSE) + return FALSE; + return $rez; +} + +/** * Specialized sql query in OpenEMR that skips auditing. * * This function should only be used in very special situations. -- 2.11.4.GIT