2 // Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
4 // This program is free software; you can redistribute it and/or
5 // modify it under the terms of the GNU General Public License
6 // as published by the Free Software Foundation; either version 2
7 // of the License, or (at your option) any later version.
// Patient-portal login handler (flat script, no functions).
// Flow as visible here: regenerate the session id, check that the request
// came via index.php, validate the POSTed credentials against the
// patient_access_onsite table (with a one-time migration from unsalted SHA1
// to the salted hash), enforce the "allow_patient_portal" flag, optionally
// process a forced password change, then establish the portal session.
// NOTE(review): this listing skips lines (the source line numbers jump), so
// the closing braces, the `exit` that should follow every header('Location')
// and the session_start() call are not visible here — confirm them in the
// full file before relying on any of the comments below.
9 //starting the PHP session (also regenerating the session id to avoid session fixation attacks)
// session_start() presumably precedes this (source line 10 is not shown);
// regenerate_id(true) discards the old id so a pre-login id cannot be reused.
11 session_regenerate_id(true);
14 //landing page definition -- where to go if something goes wrong
// site_id comes from the session, not from the request; the "&w" / "&w&c"
// suffixes appended below are flags index.php reads (meaning not shown here).
15 $landingpage = "index.php?site=".$_SESSION['site_id'];
18 //checking whether the request comes from index.php
// 'itsme' is a session marker set by index.php (setter not shown here);
// it is cleared again once the login succeeds further down.
19 if (!isset($_SESSION['itsme'])) {
21 header('Location: '.$landingpage.'&w');
// Credential presence checks. empty() also rejects the string "0" as a
// username or password — intentional or not, it is the current behaviour.
27 if (!isset($_POST['uname']) ||
empty($_POST['uname'])) {
29 header('Location: '.$landingpage.'&w&c');
32 if (!isset($_POST['pass']) ||
empty($_POST['pass'])) {
34 header('Location: '.$landingpage.'&w&c');
39 require_once("../library/translation.inc.php");
// Language preference: the POST value is cast to int, so only an integer id
// can reach the session; fall back to the existing session value, then to 1.
42 if (!empty($_POST['languageChoice'])) {
43 $_SESSION['language_choice'] = (int)$_POST['languageChoice'];
45 else if (empty($_SESSION['language_choice'])) {
46 // just in case both are empty, then use english
47 $_SESSION['language_choice'] = 1;
50 // keep the current session language token
52 $_SESSION['language_direction'] = getLanguageDir( $_SESSION['language_choice'] );
56 //SANITIZE ALL ESCAPES
// These two flags are read by globals.php (included below) to disable the
// legacy register_globals emulation and enable escaping; behaviour is
// defined there, not here.
57 $fake_register_globals=false;
59 //STOP FAKE REGISTER GLOBALS
60 $sanitize_all_escapes=true;
62 //Settings that will override globals.php
66 //Authentication (and language setting)
67 require_once('../interface/globals.php');
68 require_once("$srcdir/authentication/common_operations.php");
// password_update is a one-shot session flag (set further down when a
// first-login password change is required); it is consumed and cleared here.
69 $password_update=isset($_SESSION['password_update']);
70 unset($_SESSION['password_update']);
// The plaintext password is kept only for hashing/verification below.
71 $plain_code= $_POST['pass'];
74 $authorizedPortal=false; //flag
// Table/column names used to build the SQL below. COL_ID is referenced but
// not defined in the visible lines — presumably defined elsewhere (globals or
// common_operations); confirm.
75 DEFINE("TBL_PAT_ACC_ON","patient_access_onsite");
76 DEFINE("COL_PID","pid");
77 DEFINE("COL_POR_PWD","portal_pwd");
78 DEFINE("COL_POR_USER","portal_username");
79 DEFINE("COL_POR_SALT","portal_salt");
80 DEFINE("COL_POR_PWD_STAT","portal_pwd_status");
// Identifiers come from constants, the username is bound as a parameter —
// no request data is interpolated into the SQL string.
81 $sql= "SELECT ".implode(",",array(COL_ID
,COL_PID
,COL_POR_PWD
,COL_POR_SALT
,COL_POR_PWD_STAT
))
82 ." FROM ".TBL_PAT_ACC_ON
83 ." WHERE ".COL_POR_USER
."=?";
84 $auth = privQuery($sql, array($_POST['uname']));
// Unknown username (the guarding condition on source lines 85-87 is not
// shown): bounce back with the same generic "&w" flag as a bad password.
88 header('Location: '.$landingpage.'&w');
// Legacy path: an account with no salt still holds an unsalted SHA1 hash.
91 if(empty($auth[COL_POR_SALT
]))
// NOTE(review): `!=` is a loose, non-constant-time comparison; hash_equals()
// would compare strictly and in constant time. Same applies at source line 108.
93 if(SHA1($plain_code)!=$auth[COL_POR_PWD
])
96 header('Location: '.$landingpage.'&w');
// Legacy hash verified: migrate the row to a fresh salt + salted hash so the
// unsalted SHA1 is no longer stored.
99 $new_salt=oemr_password_salt();
100 $new_hash=oemr_password_hash($plain_code,$new_salt);
101 $sqlUpdatePwd= " UPDATE " . TBL_PAT_ACC_ON
102 ." SET " .COL_POR_PWD
."=?, "
103 . COL_POR_SALT
. "=? "
104 ." WHERE ".COL_ID
."=?";
105 privStatement($sqlUpdatePwd,array($new_hash,$new_salt,$auth[COL_ID
]));
// Current path: recompute the salted hash with the stored salt and compare.
// NOTE(review): loose `!=` again — see the comment at source line 93.
108 if(oemr_password_hash($plain_code,$auth[COL_POR_SALT
])!=$auth[COL_POR_PWD
])
111 header('Location: '.$landingpage.'&w');
// Password verified from here on; the username is stored in the session as
// submitted (no normalisation visible).
117 $_SESSION['portal_username']=$_POST['uname'];
118 $sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
// Assignment-in-condition: the branch is entered only when sqlQuery() returns
// a truthy row, so the empty() check right below can never be true here.
120 if ($userData = sqlQuery($sql, array($auth['pid']) )) { // if query gets executed
122 if (empty($userData)) {
123 // no records for this pid, so escape
125 header('Location: '.$landingpage.'&w');
// Per-patient opt-in flag; anything other than the exact string "YES" is
// treated as not authorised (loose `!=`, but compared against a non-numeric
// literal so it behaves as a string comparison).
129 if ($userData['allow_patient_portal'] != "YES") {
130 // Patient has not authorized portal, so escape
132 header('Location: '.$landingpage.'&w');
// Defensive cross-check that the patient_data row matches the access row.
136 if ($auth['pid'] != $userData['pid']) {
137 // Not sure if this is even possible, but should escape if this happens
139 header('Location: '.$landingpage.'&w');
// Forced password change (first login, status 0). The new password is only
// accepted when both fields are non-empty and match.
// NOTE(review): `==` between two POST strings is a loose comparison (two
// numeric strings compare numerically); `===` would be the stricter check.
143 if ( $password_update)
145 $code_new=$_POST['pass_new'];
146 $code_new_confirm=$_POST['pass_new_confirm'];
147 if(!(empty($_POST['pass_new'])) && !(empty($_POST['pass_new_confirm'])) && ($code_new == $code_new_confirm)) {
148 $new_salt=oemr_password_salt();
149 $new_hash=oemr_password_hash($code_new,$new_salt);
151 // Update the password and continue (patient is authorized)
// Sets portal_pwd_status=1 (password chosen by the patient). Note the literal
// `id` column here where the UPDATE at source line 104 uses COL_ID.
152 privStatement("UPDATE ".TBL_PAT_ACC_ON
153 ." SET ".COL_POR_PWD
."=?,".COL_POR_SALT
."=?,".COL_POR_PWD_STAT
."=1 WHERE id=?", array($new_hash,$new_salt,$auth['id']) );
154 $authorizedPortal = true;
// Status 0 and no password change performed in this request: flag the
// session so index.php asks for a new password, and send the user back.
157 if ($auth['portal_pwd_status'] == 0) {
158 if(!$authorizedPortal) {
159 // Need to enter a new password in the index.php script
160 $_SESSION['password_update'] = 1;
161 header('Location: '.$landingpage);
166 if ($auth['portal_pwd_status'] == 1) {
167 // continue (patient is authorized)
168 $authorizedPortal = true;
171 if ($authorizedPortal) {
172 // patient is authorized (prepare the session variables)
// Clear the one-shot markers so they cannot be replayed, then bind the
// session to the authenticated pid.
173 unset($_SESSION['password_update']); // just being safe
174 unset($_SESSION['itsme']); // just being safe
175 $_SESSION['pid'] = $auth['pid'];
176 $_SESSION['patient_portal_onsite'] = 1;
// Not authorised (neither status branch set the flag): generic bounce.
180 header('Location: '.$landingpage.'&w');
185 else { //problem with query
187 header('Location: '.$landingpage.'&w');
// Reached only on the authorised path (assuming every redirect above exits).
191 require_once('summary_pat_portal.php');