From eff71fbbc49fc26249cd587e59994f265802d140 Mon Sep 17 00:00:00 2001 From: bradymiller Date: Tue, 19 Feb 2013 12:37:00 -0800 Subject: [PATCH] Security fixes. --- interface/main/messages/messages.php | 20 ++++++++++---------- library/pnotes.inc | 24 ++++++++++++------------ 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/interface/main/messages/messages.php b/interface/main/messages/messages.php index 335b5b139..0d4919076 100644 --- a/interface/main/messages/messages.php +++ b/interface/main/messages/messages.php @@ -133,7 +133,7 @@ switch($task) { else { if($noteid && $assigned_to == '-patient-'){ $row = getPnoteById($noteid); - if (! $row) die("getPnoteById() did not find id '$noteid'"); + if (! $row) die("getPnoteById() did not find id '".text($noteid)."'"); $pres = sqlQuery("SELECT lname, fname " . "FROM patient_data WHERE pid = ?", array($reply_to) ); $patientname = $pres['lname'] . ", " . $pres['fname']; @@ -192,7 +192,7 @@ switch($task) { if($task == "addnew" or $task == "edit") { // Display the Messages page layout. echo " -
+ "; ?> @@ -390,13 +390,13 @@ else { $begin = isset($_REQUEST['begin']) ? $_REQUEST['begin'] : 0; for($i = 0; $i < count($sort); $i++) { - $sortlink[$i] = "\"".htmlspecialchars("; + $sortlink[$i] = "\"".htmlspecialchars("; } for($i = 0; $i < count($sort); $i++) { if($sortby == $sort[$i]) { switch($sortorder) { - case "asc" : $sortlink[$i] = "\"".htmlspecialchars("; break; - case "desc" : $sortlink[$i] = "\"".htmlspecialchars("; break; + case "asc" : $sortlink[$i] = "\"".htmlspecialchars("; break; + case "desc" : $sortlink[$i] = "\"".htmlspecialchars("; break; } break; } } @@ -417,14 +417,14 @@ else { $start = 0; } if($prev >= 0) { - $prevlink = "<<"; + $prevlink = "<<"; } else { $prevlink = "<<"; } if($next < $total) { - $nextlink = ">>"; + $nextlink = ">>"; } else { $nextlink = ">>"; @@ -432,7 +432,7 @@ else { // Display the Messages table header. echo "
- + @@ -472,7 +472,7 @@ else { htmlspecialchars( $myrow['id'], ENT_QUOTES) . "\" onclick=\"if(this.checked==true){ selectRow('row$count'); }else{ deselectRow('row$count'); }\"> -
" . htmlspecialchars( $name, ENT_NOQUOTES) . "
" . htmlspecialchars( $patient, ENT_NOQUOTES) . "
" . @@ -488,7 +488,7 @@ else {
- diff --git a/library/pnotes.inc b/library/pnotes.inc index 6fa6fb83d..5b6e265c6 100644 --- a/library/pnotes.inc +++ b/library/pnotes.inc @@ -126,10 +126,10 @@ $sqlParameterArray = array(); array_push($sqlParameterArray, $username); } if ($status) - $sql .= " AND message_status IN ('".str_replace(",", "','", $status)."')"; + $sql .= " AND message_status IN ('".str_replace(",", "','", add_escape_custom($status) )."')"; $sql .= " ORDER BY date DESC"; if($limit != "all") - $sql .= " LIMIT $start, $limit"; + $sql .= " LIMIT ".add_escape_custom($start).", ".add_escape_custom($limit); $res = sqlStatement($sql, $sqlParameterArray); @@ -171,10 +171,10 @@ $sqlParameterArray = array(); array_push($sqlParameterArray, $username); } if ($status) - $sql .= " AND message_status IN ('".str_replace(",", "','", $status)."')"; + $sql .= " AND message_status IN ('".str_replace(",", "','", add_escape_custom($status) )."')"; $sql .= " ORDER BY date DESC"; if($limit != "all") - $sql .= " LIMIT $start, $limit"; + $sql .= " LIMIT ".add_escape_custom($start).", ".$limit; $res = sqlStatement($sql, $sqlParameterArray); @@ -187,7 +187,7 @@ $sqlParameterArray = array(); function getPatientNotes($pid = '', $limit = '', $offset = 0, $search = '') { if($limit){ - $limit = "LIMIT $offset, $limit"; + $limit = "LIMIT ".add_escape_custom($offset).", ".add_escape_custom($limit); } $sql = " SELECT @@ -223,7 +223,7 @@ function getPatientNotes($pid = '', $limit = '', $offset = 0, $search = '') function getPatientNotifications($pid = '', $limit = '', $offset = 0, $search = '') { if($limit){ - $limit = "LIMIT $offset, $limit"; + $limit = "LIMIT ".add_escape_custom($offset).", ".add_escape_custom($limit); } $sql = " SELECT 
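Review bot: Escaping the LIMIT operands with add_escape_custom() does not make them safe, because the added line `$sql .= " LIMIT ".add_escape_custom($start).", ".add_escape_custom($limit);` places them in an unquoted numeric position where a quote-escaping helper has nothing to neutralize. The appropriate control for a numeric SQL operand is a cast, `$sql .= " LIMIT ".(int)$start.", ".(int)$limit;`, which also fits the `$limit != "all"` guard above it. The same escape-instead-of-cast pattern appears in the hunks at @@ -171, @@ -187, @@ -223, @@ -259, @@ -303 and @@ -311; in the getPnotesByPid hunks the line would become `" ORDER BY date DESC LIMIT ".(int)$start.",".(int)$limit`. The message_status IN (...) list on the preceding changed line could instead be bound through the $sqlParameterArray this function already passes to sqlStatement(), one `?` per value, rather than escaped and spliced into the string. The enclosing function starts outside the hunk.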
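Review bot: The new LIMIT line in this hunk, `$sql .= " LIMIT ".add_escape_custom($start).", ".$limit;`, leaves `$limit` untouched while the otherwise identical hunk at @@ -126 wraps both operands, which looks like an oversight rather than a deliberate difference. Whichever treatment is chosen, the two copies should match; an integer cast, `$sql .= " LIMIT ".(int)$start.", ".(int)$limit;`, resolves both the inconsistency and the unquoted-operand concern. The enclosing function starts outside the hunk.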
@@ -259,7 +259,7 @@ function getPatientNotifications($pid = '', $limit = '', $offset = 0, $search = function getPatientSentNotes($pid = '', $limit = '', $offset = 0, $search = '') { if($limit){ - $limit = "LIMIT $offset, $limit"; + $limit = "LIMIT ".add_escape_custom($offset).", ".add_escape_custom($limit); } $sql = " SELECT @@ -303,7 +303,7 @@ function getPnotesByPid ($pid, $activity = "1", $cols = "*", $limit=10, $start=0 "AND activity = '1' ". " AND message_status != 'Done' ". " AND deleted != 1 ". - " ORDER BY date DESC LIMIT $start,$limit", array($pid) ); + " ORDER BY date DESC LIMIT ".add_escape_custom($start).",".add_escape_custom($limit), array($pid) ); } else if ($activity == '0') { // return only inactive @@ -311,13 +311,13 @@ function getPnotesByPid ($pid, $activity = "1", $cols = "*", $limit=10, $start=0 "AND (activity = '0' ". " OR message_status = 'Done') ". " AND deleted != 1 ". - " ORDER BY date DESC LIMIT $start,$limit", array($pid) ); + " ORDER BY date DESC LIMIT ".add_escape_custom($start).",".add_escape_custom($limit), array($pid) ); } else { // $activity == "all" // return both active and inactive $res = sqlStatement("SELECT $cols FROM pnotes WHERE pid LIKE ? " . " AND deleted != 1 ". - " ORDER BY date DESC LIMIT $start,$limit", array($pid) ); + " ORDER BY date DESC LIMIT ".add_escape_custom($start).",".add_escape_custom($limit), array($pid) ); } for ($iter = 0; $row = sqlFetchArray($res); $iter++) $all[$iter] = $row; @@ -377,7 +377,7 @@ function addMailboxPnote($pid, $newtext, $authorized = '0', $activity = '1', function updatePnote($id, $newtext, $title, $assigned_to, $message_status = "") { $row = getPnoteById($id); - if (! $row) die("updatePnote() did not find id '$id'"); + if (! $row) die("updatePnote() did not find id '".text($id)."'"); $activity = $assigned_to ? '1' : '0'; // make inactive if set as Done 
@@ -421,7 +421,7 @@ function updatePnoteMessageStatus($id, $message_status) function updatePnotePatient($id, $patient_id) { $row = getPnoteById($id); - if (! $row) die("updatePnotePatient() did not find id '$id'"); + if (! $row) die("updatePnotePatient() did not find id '".text($id)."'"); $activity = $assigned_to ? '1' : '0'; $pid = $row['pid']; -- 2.11.4.GIT
" . + " . htmlspecialchars( xl('Add New'), ENT_NOQUOTES) . "   " . htmlspecialchars( xl('Delete'), ENT_NOQUOTES) . " $prevlink   $end of $total   $nextlink