3 * Function to check and/or sanitize things for security such as
4 * directories names, file names, etc.
7 * @link http://www.open-emr.org
8 * @author Brady Miller <brady.g.miller@gmail.com>
9 * @author Roberto Vasquez <robertogagliotta@gmail.com>
10 * @author Shachar Zilbershlag <shaharzi@matrix.co.il>
11 * @copyright Copyright (c) 2012-2018 Brady Miller <brady.g.miller@gmail.com>
12 * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
16 // If the label contains any illegal characters, then the script will die.
17 function check_file_dir_name($label)
19 if (empty($label) ||
preg_match('/[^A-Za-z0-9_.-]/', $label)) {
20 error_log("ERROR: The following variable contains invalid characters:" . $label);
21 die(xlt("ERROR: The following variable contains invalid characters").": ". attr($label));
25 // Convert all illegal characters to _
26 function convert_safe_file_dir_name($label)
28 return preg_replace('/[^A-Za-z0-9_.-]/', '_', $label);
31 // Convert all non A-Z a-z 0-9 characters to _
32 function convert_very_strict_label($label)
34 return preg_replace('/[^A-Za-z0-9]/', '_', $label);
37 //Basename functionality for nonenglish languages (without this, basename function omits nonenglish characters).
38 function basename_international($path)
40 $parts = preg_split('~[\\\\/]~', $path);
41 foreach ($parts as $key => $value) {
42 $encoded = urlencode($value);
43 $parts[$key] = $encoded;
46 $encoded_path = implode("/", $parts);
47 $encoded_file_name = basename($encoded_path);
48 $decoded_file_name = urldecode($encoded_file_name);
50 return $decoded_file_name;
55 * This function detects a MIME type for a file and check if it in the white list of the allowed mime types.
56 * @param string $file - file location.
57 * @param array|null $whiteList - array of mime types that allowed to upload.
59 // Regarding the variable below. In the case of multiple file upload the isWhiteList function will run multiple
60 // times, therefore, storing the white list in the variable below to prevent multiple requests from database.
62 function isWhiteFile($file)
65 if (is_null($white_list)) {
66 $white_list = array();
67 $lres = sqlStatement("SELECT option_id FROM list_options WHERE list_id = 'files_white_list' AND activity = 1");
68 while ($lrow = sqlFetchArray($lres)) {
69 $white_list[] = $lrow['option_id'];
73 $mimetype = mime_content_type($file);
74 if (in_array($mimetype, $white_list)) {
77 $splitMimeType = explode('/', $mimetype);
78 $categoryType = $splitMimeType[0];
79 if (in_array($categoryType. '/*', $white_list)) {
87 // Sanitize a value to ensure it is a number.
88 function sanitizeNumber($number)
90 $clean_number = $number +
0 ;
92 if ($clean_number==$number) {
95 error_log('Custom validation error: Parameter contains non-numeric value (A numeric value expected)');