Support new security model in the formSubmit function
authorbradymiller <bradymiller@users.sourceforge.net>
Sun, 2 Dec 2012 01:23:56 +0000 (1 17:23 -0800)
committerbradymiller <bradymiller@users.sourceforge.net>
Thu, 13 Dec 2012 02:59:57 +0000 (12 18:59 -0800)
library/api.inc

index c175200..274ae41 100644 (file)
@@ -3,6 +3,7 @@
 include_once("../../globals.php");
 include_once("{$GLOBALS['srcdir']}/sql.inc");
 include_once("{$GLOBALS['srcdir']}/billing.inc");
+include_once("{$GLOBALS['srcdir']}/formdata.inc.php");
 
 $GLOBALS['form_exit_url'] = $GLOBALS['concurrent_layout'] ?
        "$rootdir/patient_file/encounter/encounter_top.php" :
@@ -29,6 +30,8 @@ function formFooter ()
        <?php
 }
 
+// This function will escape the $values when using the new security method (ie. $sanitize_all_escapes is TRUE).
+//   Otherwise, this function expects the $values to already be escaped(original and legacy behavior).
 function formSubmit ($tableName, $values, $id, $authorized = "0")
 {
        $sql = "insert into $tableName set pid = {$_SESSION['pid']},groupname='".$_SESSION['authProvider']."',user='".$_SESSION['authUser']."',authorized=$authorized,activity=1, date = NOW(),";
@@ -52,7 +55,14 @@ function formSubmit ($tableName, $values, $id, $authorized = "0")
                        }
                }
                else {
-                       $sql .= " $key = '$value',";
+                        if (isset($sanitize_all_escapes) && $sanitize_all_escapes) {
+                                // using new security method, so escape the key and values here
+                                $sql .= " " . add_escape_custom($key) . " = '" . add_escape_custom($value) . "',";
+                        }
+                        else {
+                                // original method (rely on code to escape values before using this function)
+                               $sql .= " $key = '$value',";
+                        }
                }
        $sql = substr($sql, 0, -1);
        return sqlInsert($sql);
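Review bot: The added `isset($sanitize_all_escapes)` check runs inside formSubmit, where that name is a function-local variable unless the body declares it `global` somewhere in the lines not shown between the second and third hunk; if it does not, the condition is always false and every caller silently stays on the legacy unescaped path while believing the new security model is in effect. Reading the flag from global scope explicitly removes the ambiguity: `if (!empty($GLOBALS['sanitize_all_escapes'])) {`. Separately, `add_escape_custom($key)` escapes for a quoted-string context, but `$key` is placed in identifier position (`key = 'value'`), where string escaping does not constrain what the key can do to the statement; keys should be validated against the table's known column names before being concatenated. The first `$sql` line (context in the second hunk) still interpolates `$tableName`, the session values and `$authorized` without escaping on both paths, so the new model covers only the per-field values. formSubmit's body begins outside this hunk.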