database performance improvements (#1305)
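<?php
/**
 * Onsite patient portal login handler.
 *
 * Consumes the credential POST sent by index.php (which marks the session with
 * $_SESSION['itsme']), looks the portal username up in `patient_access_onsite`,
 * verifies the password, migrates legacy unsalted SHA1 records to the salted
 * scheme on first successful login, forces a password change while
 * `portal_pwd_status` is 0, and on success seeds the portal session
 * ($_SESSION['pid'], $_SESSION['patient_portal_onsite']) before including
 * summary_pat_portal.php. Every failure path destroys the session and
 * redirects back to the landing page.
 *
 * @package OpenEMR
 * @link http://www.open-emr.org
 * @author Oleg Sverdlov <olegsv@matrix.co.il>
 * @author Cassian LUP <cassi.lup@gmail.com>
 * @author Robert Down <robertdown@live.com>
 * @author Wakie87 <scott@npclinics.com.au>
 * @author amielboim <amielboim@gmail.com>
 * @author Brady Miller <brady.g.miller@gmail.com>
 * @author Kevin Yeh <kevinyeh@alum.mit.edu>
 * @copyright Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
 * @copyright Copyright (c) 2016 Oleg Sverdlov <olegsv@matrix.co.il>
 * @copyright Copyright (c) 2011 Cassian LUP <cassi.lup@gmail.com>
 * @copyright Copyright (c) 2017 Robert Down <robertdown@live.com>
 * @copyright Copyright (c) 2016 Wakie87 <scott@npclinics.com.au>
 * @copyright Copyright (c) 2016 amielboim <amielboim@gmail.com>
 * @copyright Copyright (c) 2017 Brady Miller <brady.g.miller@gmail.com>
 * @copyright Copyright (c) 2013 Kevin Yeh <kevinyeh@alum.mit.edu>
 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
 */

// starting the PHP session (also regenerating the session id to avoid session fixation attacks)
session_start();
session_regenerate_id(true);

// landing page definition -- where to go if something goes wrong
$landingpage = "index.php?site=" . $_SESSION['site_id'];

/**
 * Abort the login attempt: destroy the session, redirect to the landing page
 * and stop execution. Used by every failure path so they all behave the same.
 *
 * @param string $landingpage base landing URL (index.php?site=...)
 * @param string $flags       query-string suffix that index.php interprets
 *                            ('&w' = show warning, '&w&c' = credentials missing)
 * @return void
 */
function portal_login_abort($landingpage, $flags = '&w')
{
    session_destroy();
    header('Location: ' . $landingpage . $flags);
    exit;
}

// checking whether the request comes from index.php
if (!isset($_SESSION['itsme'])) {
    portal_login_abort($landingpage, '&w');
}

// some validation: both credentials must be present, non-empty strings
// (a nested value such as uname[]=x would otherwise reach the hashing/query code)
if (empty($_POST['uname']) || !is_string($_POST['uname'])) {
    portal_login_abort($landingpage, '&w&c');
}
if (empty($_POST['pass']) || !is_string($_POST['pass'])) {
    portal_login_abort($landingpage, '&w&c');
}

// set the language
if (!empty($_POST['languageChoice'])) {
    $_SESSION['language_choice'] = (int)$_POST['languageChoice'];
} elseif (empty($_SESSION['language_choice'])) {
    // just in case both are empty, then use english
    $_SESSION['language_choice'] = 1;
}
// otherwise keep the current session language token

// Settings that will override globals.php
$ignoreAuth = 1;

// Authentication
require_once('../interface/globals.php');
require_once("$srcdir/authentication/common_operations.php");
$password_update = isset($_SESSION['password_update']);
unset($_SESSION['password_update']);
$plain_code = $_POST['pass'];

$authorizedPortal = false; // flag
define("TBL_PAT_ACC_ON", "patient_access_onsite");
define("COL_PID", "pid");
define("COL_POR_PWD", "portal_pwd");
define("COL_POR_USER", "portal_username");
define("COL_POR_SALT", "portal_salt");
define("COL_POR_PWD_STAT", "portal_pwd_status");
// NOTE(review): COL_ID is not defined in this file; it appears to come from
// common_operations.php — confirm before relying on it here.
$sql = "SELECT " . implode(",", array(COL_ID, COL_PID, COL_POR_PWD, COL_POR_SALT, COL_POR_PWD_STAT))
    . " FROM " . TBL_PAT_ACC_ON
    . " WHERE " . COL_POR_USER . "=?";
$auth = privQuery($sql, array($_POST['uname']));
if (empty($auth)) {
    // no such portal username (covers both the false privQuery returns and an empty row)
    portal_login_abort($landingpage, '&w');
}

if (empty($auth[COL_POR_SALT])) {
    // Legacy record: unsalted SHA1 hex digest. hash_equals() (PHP >= 5.6)
    // replaces the loose `!=` string comparison, under which numeric-looking
    // hex digests are compared as numbers, and keeps the comparison constant-time.
    if (!hash_equals((string)$auth[COL_POR_PWD], sha1($plain_code))) {
        portal_login_abort($landingpage, '&w');
    }
    // Password verified: upgrade the record to the salted scheme in place.
    $new_salt = oemr_password_salt();
    $new_hash = oemr_password_hash($plain_code, $new_salt);
    $sqlUpdatePwd = " UPDATE " . TBL_PAT_ACC_ON
        . " SET " . COL_POR_PWD . "=?, "
        . COL_POR_SALT . "=? "
        . " WHERE " . COL_ID . "=?";
    privStatement($sqlUpdatePwd, array($new_hash, $new_salt, $auth[COL_ID]));
} elseif (!hash_equals((string)$auth[COL_POR_PWD], (string)oemr_password_hash($plain_code, $auth[COL_POR_SALT]))) {
    // salted record, wrong password
    portal_login_abort($landingpage, '&w');
}

$_SESSION['portal_username'] = $_POST['uname'];

$sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
$userData = sqlQuery($sql, array($auth[COL_PID]));
if (empty($userData)) {
    // query failed or no patient_data row for this pid, so escape
    portal_login_abort($landingpage, '&w');
}

if ($userData['allow_patient_portal'] !== "YES") {
    // Patient has not authorized portal, so escape
    portal_login_abort($landingpage, '&w');
}

if ((string)$auth[COL_PID] !== (string)$userData['pid']) {
    // Not sure if this is even possible (the row was selected by pid), but escape if it happens
    portal_login_abort($landingpage, '&w');
}

if ($password_update) {
    // index.php sent the patient back here to complete a forced password change
    $code_new = isset($_POST['pass_new']) ? $_POST['pass_new'] : '';
    $code_new_confirm = isset($_POST['pass_new_confirm']) ? $_POST['pass_new_confirm'] : '';
    if (is_string($code_new) && is_string($code_new_confirm)
        && !empty($code_new) && !empty($code_new_confirm)
        && $code_new === $code_new_confirm) {
        $new_salt = oemr_password_salt();
        $new_hash = oemr_password_hash($code_new, $new_salt);
        // Update the password, clear the forced-change status and continue (patient is authorized)
        privStatement(
            "UPDATE " . TBL_PAT_ACC_ON
            . " SET " . COL_POR_PWD . "=?," . COL_POR_SALT . "=?," . COL_POR_PWD_STAT . "=1 WHERE " . COL_ID . "=?",
            array($new_hash, $new_salt, $auth[COL_ID])
        );
        $authorizedPortal = true;
    }
}

// $auth still carries the status read before any update above; a completed
// password change is reflected through $authorizedPortal instead.
if ((int)$auth[COL_POR_PWD_STAT] === 0 && !$authorizedPortal) {
    // Need to enter a new password in the index.php script
    $_SESSION['password_update'] = 1;
    header('Location: ' . $landingpage);
    exit;
}

if ((int)$auth[COL_POR_PWD_STAT] === 1) {
    // continue (patient is authorized)
    $authorizedPortal = true;
}

if (!$authorizedPortal) {
    // any other status value: do not let the patient in
    portal_login_abort($landingpage, '&w');
}

// patient is authorized (prepare the session variables)
unset($_SESSION['password_update']); // just being safe
unset($_SESSION['itsme']); // just being safe
$_SESSION['pid'] = $auth[COL_PID];
$_SESSION['patient_portal_onsite'] = 1;

require_once('summary_pat_portal.php');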