fix sql-injection vulnerability in CDR engine
[openemr.git] / ccr / createCCR.php
blobfe75a741eb50249fb1ba20e65c6e6bd83aa6d3db
1 <?php
2 /**
3 * CCR Script.
5 * Copyright (C) 2010 Garden State Health Systems <http://www.gshsys.com/>
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
18 * @package OpenEMR
19 * @author Garden State Health Systems <http://www.gshsys.com/>
20 * @link http://www.open-emr.org
24 //SANITIZE ALL ESCAPES
25 $sanitize_all_escapes=true;
28 //STOP FAKE REGISTER GLOBALS
29 $fake_register_globals=false;
32 // check if using the patient portal
33 //(if so, then use the portal authorization)
34 if (isset($_GET['portal_auth'])) {
35 $landingpage = "../patients/index.php";
36 session_start();
37 if ( isset($_SESSION['pid']) && isset($_SESSION['patient_portal_onsite']) ) {
38 $pid = $_SESSION['pid'];
39 $ignoreAuth=true;
40 global $ignoreAuth;
42 else {
43 session_destroy();
44 header('Location: '.$landingpage.'?w');
45 exit;
49 require_once(dirname(__FILE__) . "/../interface/globals.php");
50 require_once(dirname(__FILE__) . "/../library/sql-ccr.inc");
51 require_once(dirname(__FILE__) . "/../library/classes/class.phpmailer.php");
52 require_once(dirname(__FILE__) . "/uuid.php");
53 require_once(dirname(__FILE__) . "/transmitCCD.php");
54 require_once(dirname(__FILE__) . "/../custom/code_types.inc.php");
56 function createCCR($action,$raw="no",$requested_by=""){
58 $authorID = getUuid();
59 $patientID = getUuid();
60 $sourceID = getUuid();
61 $oemrID = getUuid();
63 $result = getActorData();
64 while($res = sqlFetchArray($result[2])){
65 ${"labID{$res['id']}"} = getUuid();
68 $ccr = new DOMDocument('1.0','UTF-8');
69 $e_styleSheet = $ccr->createProcessingInstruction('xml-stylesheet', 'type="text/xsl" href="stylesheet/ccr.xsl"');
70 $ccr->appendChild($e_styleSheet);
72 $e_ccr = $ccr->createElementNS('urn:astm-org:CCR', 'ContinuityOfCareRecord');
73 $ccr->appendChild($e_ccr);
75 /////////////// Header
77 require_once("createCCRHeader.php");
78 $e_Body = $ccr->createElement('Body');
79 $e_ccr->appendChild($e_Body);
81 /////////////// Problems
83 $e_Problems = $ccr->createElement('Problems');
84 require_once("createCCRProblem.php");
85 $e_Body->appendChild($e_Problems);
87 /////////////// Alerts
89 $e_Alerts = $ccr->createElement('Alerts');
90 require_once("createCCRAlerts.php");
91 $e_Body->appendChild($e_Alerts);
93 ////////////////// Medication
95 $e_Medications = $ccr->createElement('Medications');
96 require_once("createCCRMedication.php");
97 $e_Body->appendChild($e_Medications);
99 ///////////////// Immunization
101 $e_Immunizations = $ccr->createElement('Immunizations');
102 require_once("createCCRImmunization.php");
103 $e_Body->appendChild($e_Immunizations);
106 /////////////////// Results
108 $e_Results = $ccr->createElement('Results');
109 require_once("createCCRResult.php");
110 $e_Body->appendChild($e_Results);
113 /////////////////// Procedures
115 //$e_Procedures = $ccr->createElement('Procedures');
116 //require_once("createCCRProcedure.php");
117 //$e_Body->appendChild($e_Procedures);
119 //////////////////// Footer
121 // $e_VitalSigns = $ccr->createElement('VitalSigns');
122 // $e_Body->appendChild($e_VitalSigns);
124 /////////////// Actors
126 $e_Actors = $ccr->createElement('Actors');
127 require_once("createCCRActor.php");
128 $e_ccr->appendChild($e_Actors);
130 if ($action=="generate"){
131 gnrtCCR($ccr,$raw,$requested_by);
134 if($action == "viewccd"){
135 viewCCD($ccr,$raw,$requested_by);
139 function gnrtCCR($ccr,$raw="no",$requested_by=""){
140 global $pid;
142 $ccr->preserveWhiteSpace = false;
143 $ccr->formatOutput = true;
145 if ($raw == "yes") {
146 // simply send the xml to a textarea (nice debugging tool)
147 echo "<textarea rows='35' cols='500' style='width:95%' readonly>";
148 echo $ccr->saveXml();
149 echo "</textarea>";
150 return;
153 else if ($raw == "hybrid") {
154 // send a file that contains a hybrid file of the raw xml and the xsl stylesheet
155 createHybridXML($ccr);
158 else if ($raw == "pure") {
159 // send a zip file that contains a separate xml data file and xsl stylesheet
160 if (! (class_exists('ZipArchive')) ) {
161 displayError(xl("ERROR: Missing ZipArchive PHP Module"));
162 return;
164 $tempDir = $GLOBALS['temporary_files_dir'];
165 $zipName = $tempDir . "/" . getReportFilename() . "-ccr.zip";
166 if (file_exists($zipName)) {
167 unlink($zipName);
169 $zip = new ZipArchive();
170 if (!($zip)) {
171 displayError(xl("ERROR: Unable to Create Zip Archive."));
172 return;
174 if ( $zip->open($zipName, ZIPARCHIVE::CREATE) ) {
175 $zip->addFile("stylesheet/ccr.xsl", "stylesheet/ccr.xsl");
176 $xmlName = $tempDir . "/" . getReportFilename() . "-ccr.xml";
177 if (file_exists($xmlName)) {
178 unlink($xmlName);
180 $ccr->save($xmlName);
181 $zip->addFile($xmlName, basename($xmlName) );
182 $zip->close();
183 header("Pragma: public");
184 header("Expires: 0");
185 header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
186 header("Content-Type: application/force-download");
187 header("Content-Length: " . filesize($zipName));
188 header("Content-Disposition: attachment; filename=" . basename($zipName) . ";");
189 header("Content-Description: File Transfer");
190 readfile($zipName);
191 unlink($zipName);
192 unlink($xmlName);
193 exit(0);
195 else {
196 displayError(xl("ERROR: Unable to Create Zip Archive."));
197 return;
201 else if (substr($raw,0,4)=="send") {
202 $recipient = trim(stripslashes(substr($raw,5)));
203 $result=transmitCCD($ccr,$recipient,$requested_by,"CCR");
204 echo htmlspecialchars($result,ENT_NOQUOTES);
205 return;
208 else {
209 header("Content-type: application/xml");
210 echo $ccr->saveXml();
215 function viewCCD($ccr,$raw="no",$requested_by=""){
216 global $pid;
218 $ccr->preserveWhiteSpace = false;
219 $ccr->formatOutput = true;
221 $ccr->save(dirname(__FILE__) .'/generatedXml/ccrForCCD.xml');
223 $xmlDom = new DOMDocument();
224 $xmlDom->loadXML($ccr->saveXML());
226 $ccr_ccd = new DOMDocument();
227 $ccr_ccd->load(dirname(__FILE__) .'/ccd/ccr_ccd.xsl');
229 $xslt = new XSLTProcessor();
230 $xslt->importStylesheet($ccr_ccd);
232 $ccd = new DOMDocument();
233 $ccd->preserveWhiteSpace = false;
234 $ccd->formatOutput = true;
236 $ccd->loadXML($xslt->transformToXML($xmlDom));
238 $ccd->save(dirname(__FILE__) .'/generatedXml/ccdDebug.xml');
240 if ($raw == "yes") {
241 // simply send the xml to a textarea (nice debugging tool)
242 echo "<textarea rows='35' cols='500' style='width:95%' readonly>";
243 echo $ccd->saveXml();
244 echo "</textarea>";
245 return;
248 if ($raw == "pure") {
249 // send a zip file that contains a separate xml data file and xsl stylesheet
250 if (! (class_exists('ZipArchive')) ) {
251 displayError(xl("ERROR: Missing ZipArchive PHP Module"));
252 return;
254 $tempDir = $GLOBALS['temporary_files_dir'];
255 $zipName = $tempDir . "/" . getReportFilename() . "-ccd.zip";
256 if (file_exists($zipName)) {
257 unlink($zipName);
259 $zip = new ZipArchive();
260 if (!($zip)) {
261 displayError(xl("ERROR: Unable to Create Zip Archive."));
262 return;
264 if ( $zip->open($zipName, ZIPARCHIVE::CREATE) ) {
265 $zip->addFile("stylesheet/cda.xsl", "stylesheet/cda.xsl");
266 $xmlName = $tempDir . "/" . getReportFilename() . "-ccd.xml";
267 if (file_exists($xmlName)) {
268 unlink($xmlName);
270 $e_styleSheet = $ccd->createProcessingInstruction('xml-stylesheet',
271 'type="text/xsl" href="stylesheet/cda.xsl"');
272 $ccd->insertBefore($e_styleSheet,$ccd->firstChild);
273 $ccd->save($xmlName);
274 $zip->addFile($xmlName, basename($xmlName) );
275 $zip->close();
276 header("Pragma: public");
277 header("Expires: 0");
278 header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
279 header("Content-Type: application/force-download");
280 header("Content-Length: " . filesize($zipName));
281 header("Content-Disposition: attachment; filename=" . basename($zipName) . ";");
282 header("Content-Description: File Transfer");
283 readfile($zipName);
284 unlink($zipName);
285 unlink($xmlName);
286 exit(0);
288 else {
289 displayError(xl("ERROR: Unable to Create Zip Archive."));
290 return;
294 if (substr($raw,0,4)=="send") {
295 $recipient = trim(stripslashes(substr($raw,5)));
296 $result=transmitCCD($ccd,$recipient,$requested_by);
297 echo htmlspecialchars($result,ENT_NOQUOTES);
298 return;
301 $ss = new DOMDocument();
302 $ss->load(dirname(__FILE__) ."/stylesheet/cda.xsl");
304 $xslt->importStyleSheet($ss);
306 $html = $xslt->transformToXML($ccd);
308 echo $html;
313 function sourceType($ccr, $uuid){
315 $e_Source = $ccr->createElement('Source');
317 $e_Actor = $ccr->createElement('Actor');
318 $e_Source->appendChild($e_Actor);
320 $e_ActorID = $ccr->createElement('ActorID',$uuid);
321 $e_Actor->appendChild($e_ActorID);
323 return $e_Source;
327 function displayError($message) {
328 echo '<script type="text/javascript">alert("' . addslashes($message) . '");</script>';
332 function createHybridXML($ccr) {
334 // save the raw xml
335 $main_xml = $ccr->saveXml();
337 // save the stylesheet
338 $main_stylesheet = file_get_contents('stylesheet/ccr.xsl');
340 // replace stylesheet link in raw xml file
341 $substitute_string = '<?xml-stylesheet type="text/xsl" href="#style1"?>
342 <!DOCTYPE ContinuityOfCareRecord [
343 <!ATTLIST xsl:stylesheet id ID #REQUIRED>
346 $replace_string = '<?xml-stylesheet type="text/xsl" href="stylesheet/ccr.xsl"?>';
347 $main_xml = str_replace($replace_string,$substitute_string,$main_xml);
349 // remove redundant xml declaration from stylesheet
350 $replace_string = '<?xml version="1.0" encoding="UTF-8"?>';
351 $main_stylesheet = str_replace($replace_string,'',$main_stylesheet);
353 // embed the stylesheet in the raw xml file
354 $replace_string ='<ContinuityOfCareRecord xmlns="urn:astm-org:CCR">';
355 $main_stylesheet = $replace_string.$main_stylesheet;
356 $main_xml = str_replace($replace_string,$main_stylesheet,$main_xml);
358 // insert style1 id into the stylesheet parameter
359 $substitute_string = 'xsl:stylesheet id="style1" exclude-result-prefixes';
360 $replace_string = 'xsl:stylesheet exclude-result-prefixes';
361 $main_xml = str_replace($replace_string,$substitute_string,$main_xml);
363 // prepare the filename to use
364 // LASTNAME-FIRSTNAME-PID-DATESTAMP-ccr.xml
365 $main_filename = getReportFilename()."-ccr.xml";
367 // send the output as a file to the user
368 header("Content-type: text/xml");
369 header("Content-Disposition: attachment; filename=" . $main_filename . "");
370 echo $main_xml;
373 if($_POST['ccrAction']) {
374 $raw=$_POST['raw'];
375 /* If transmit requested, fail fast if the recipient address fails basic validation */
376 if (substr($raw,0,4)=="send") {
377 $send_to = trim(stripslashes(substr($raw,5)));
378 if (!PHPMailer::ValidateAddress($send_to)) {
379 echo(htmlspecialchars( xl('Invalid recipient address. Please try again.'), ENT_QUOTES));
380 return;
382 createCCR($_POST['ccrAction'],$raw,$_POST['requested_by']);
383 } else {
384 createCCR($_POST['ccrAction'],$raw);