search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
change debian/ubuntu package version from 4.3.0 to 4.2.1
[openemr.git] / patients / get_patient_info.php
blob6bf75ea4eb18b05f56741f79608f018ecd91907b
1 <?php
2 // Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
3 //
4 // This program is free software; you can redistribute it and/or
5 // modify it under the terms of the GNU General Public License
6 // as published by the Free Software Foundation; either version 2
7 // of the License, or (at your option) any later version.
8
9 //starting the PHP session (also regenerating the session id to avoid session fixation attacks)
10 session_start();
11 session_regenerate_id(true);
12 //
13
14 //landing page definition -- where to go if something goes wrong
15 $landingpage = "index.php?site=".$_SESSION['site_id'];
16 //
17
18 //checking whether the request comes from index.php
19 if (!isset($_SESSION['itsme'])) {
20 session_destroy();
21 header('Location: '.$landingpage.'&w');
22 exit;
23 }
24 //
25
26 //some validation
27 if (!isset($_POST['uname']) || empty($_POST['uname'])) {
28 session_destroy();
29 header('Location: '.$landingpage.'&w&c');
30 exit;
31 }
32 if (!isset($_POST['pass']) || empty($_POST['pass'])) {
33 session_destroy();
34 header('Location: '.$landingpage.'&w&c');
35 exit;
36 }
37 //
38
39 //SANITIZE ALL ESCAPES
40 $fake_register_globals=false;
41
42 //STOP FAKE REGISTER GLOBALS
43 $sanitize_all_escapes=true;
44
45 //Settings that will override globals.php
46 $ignoreAuth = 1;
47 //
48
49 //Authentication (and language setting)
50 require_once('../interface/globals.php');
51 require_once("$srcdir/authentication/common_operations.php");
52 $password_update=isset($_SESSION['password_update']);
53 unset($_SESSION['password_update']);
54 $plain_code= $_POST['pass'];
55 // set the language
56 if (!empty($_POST['languageChoice'])) {
57 $_SESSION['language_choice'] = (int)$_POST['languageChoice'];
58 }
59 else if (empty($_SESSION['language_choice'])) {
60 // just in case both are empty, then use english
61 $_SESSION['language_choice'] = 1;
62 }
63 else {
64 // keep the current session language token
65 }
66 $_SESSION['language_direction'] = getLanguageDir( $_SESSION['language_choice'] );
67
68 $authorizedPortal=false; //flag
69 DEFINE("TBL_PAT_ACC_ON","patient_access_onsite");
70 DEFINE("COL_PID","pid");
71 DEFINE("COL_POR_PWD","portal_pwd");
72 DEFINE("COL_POR_USER","portal_username");
73 DEFINE("COL_POR_SALT","portal_salt");
74 DEFINE("COL_POR_PWD_STAT","portal_pwd_status");
75 $sql= "SELECT ".implode(",",array(COL_ID,COL_PID,COL_POR_PWD,COL_POR_SALT,COL_POR_PWD_STAT))
76 ." FROM ".TBL_PAT_ACC_ON
77 ." WHERE ".COL_POR_USER."=?";
78 $auth = privQuery($sql, array($_POST['uname']));
79 if($auth===false)
80 {
81 session_destroy();
82 header('Location: '.$landingpage.'&w');
83 exit;
84 }
85 if(empty($auth[COL_POR_SALT]))
86 {
87 if(SHA1($plain_code)!=$auth[COL_POR_PWD])
88 {
89 session_destroy();
90 header('Location: '.$landingpage.'&w');
91 exit;
92 }
93 $new_salt=oemr_password_salt();
94 $new_hash=oemr_password_hash($plain_code,$new_salt);
95 $sqlUpdatePwd= " UPDATE " . TBL_PAT_ACC_ON
96 ." SET " .COL_POR_PWD."=?, "
97 . COL_POR_SALT . "=? "
98 ." WHERE ".COL_ID."=?";
99 privStatement($sqlUpdatePwd,array($new_hash,$new_salt,$auth[COL_ID]));
100 }
101 else {
102 if(oemr_password_hash($plain_code,$auth[COL_POR_SALT])!=$auth[COL_POR_PWD])
103 {
104 session_destroy();
105 header('Location: '.$landingpage.'&w');
106 exit;
107
108 }
109
110 }
111 $_SESSION['portal_username']=$_POST['uname'];
112 $sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
113
114 if ($userData = sqlQuery($sql, array($auth['pid']) )) { // if query gets executed
115
116 if (empty($userData)) {
117 // no records for this pid, so escape
118 session_destroy();
119 header('Location: '.$landingpage.'&w');
120 exit;
121 }
122
123 if ($userData['allow_patient_portal'] != "YES") {
124 // Patient has not authorized portal, so escape
125 session_destroy();
126 header('Location: '.$landingpage.'&w');
127 exit;
128 }
129
130 if ($auth['pid'] != $userData['pid']) {
131 // Not sure if this is even possible, but should escape if this happens
132 session_destroy();
133 header('Location: '.$landingpage.'&w');
134 exit;
135 }
136
137 if ( $password_update)
138 {
139 $code_new=$_POST['pass_new'];
140 $code_new_confirm=$_POST['pass_new_confirm'];
141 if(!(empty($_POST['pass_new'])) && !(empty($_POST['pass_new_confirm'])) && ($code_new == $code_new_confirm)) {
142 $new_salt=oemr_password_salt();
143 $new_hash=oemr_password_hash($code_new,$new_salt);
144
145 // Update the password and continue (patient is authorized)
146 privStatement("UPDATE ".TBL_PAT_ACC_ON
147 ." SET ".COL_POR_PWD."=?,".COL_POR_SALT."=?,".COL_POR_PWD_STAT."=1 WHERE id=?", array($new_hash,$new_salt,$auth['id']) );
148 $authorizedPortal = true;
149 }
150 }
151 if ($auth['portal_pwd_status'] == 0) {
152 if(!$authorizedPortal) {
153 // Need to enter a new password in the index.php script
154 $_SESSION['password_update'] = 1;
155 header('Location: '.$landingpage);
156 exit;
157 }
158 }
159
160 if ($auth['portal_pwd_status'] == 1) {
161 // continue (patient is authorized)
162 $authorizedPortal = true;
163 }
164
165 if ($authorizedPortal) {
166 // patient is authorized (prepare the session variables)
167 unset($_SESSION['password_update']); // just being safe
168 unset($_SESSION['itsme']); // just being safe
169 $_SESSION['pid'] = $auth['pid'];
170 $_SESSION['patient_portal_onsite'] = 1;
171 }
172 else {
173 session_destroy();
174 header('Location: '.$landingpage.'&w');
175 exit;
176 }
177
178 }
179 else { //problem with query
180 session_destroy();
181 header('Location: '.$landingpage.'&w');
182 exit;
183 }
184 //
185
186 require_once('summary_pat_portal.php');
187
188 ?>
Mirror of official OpenEMR Sourceforge repository