2 // Copyright (C) 2011 Cassian LUP <cassi.lup@gmail.com>
4 // This program is free software; you can redistribute it and/or
5 // modify it under the terms of the GNU General Public License
6 // as published by the Free Software Foundation; either version 2
7 // of the License, or (at your option) any later version.
9 //starting the PHP session (also regenerating the session id to avoid session fixation attacks)
// Patient-portal login handler. Flow: require the same-session marker set by
// index.php, require a posted username ('uname') and password ('code'), look
// the pair up in `patient_access_onsite`, require the patient's portal opt-in
// in `patient_data`, run the forced first-login password change when
// `portal_pwd_status` is 0, and on success populate $_SESSION['pid'] /
// ['patient_portal_onsite'] before including summary_pat_portal.php.
// Every failure path redirects to $landingpage with a '&w' flag (plus '&c'
// when a credential field was missing).
// NOTE(review): session_start() is not visible in this excerpt (expected
// immediately before the regenerate call); every $_SESSION access below
// depends on it. Passing true discards the old session data, so an id
// captured before this request is not the one the authenticated session uses.
11 session_regenerate_id(true);
14 //landing page definition -- where to go if something goes wrong
// site_id is read from the session, not from the request, so the redirect
// target is not client-controlled.
15 $landingpage = "index.php?site=".$_SESSION['site_id'];
18 //checking whether the request comes from index.php
// 'itsme' is a same-session marker (unset again on successful login below);
// it shows the form page ran in this session, not that the POST carries a
// per-request token -- no CSRF token is checked in this script.
// NOTE(review): the lines between each header('Location: ...') and the next
// statement are not shown; each branch presumably ends with exit; -- confirm,
// otherwise execution continues past the redirect.
19 if (!isset($_SESSION['itsme'])) {
21 header('Location: '.$landingpage.'&w');
// Required fields. empty() also rejects the literal string '0', so a
// username or password of '0' can never authenticate; '&c' presumably lets
// index.php distinguish "missing" from "wrong" credentials.
27 if (!isset($_POST['uname']) ||
empty($_POST['uname'])) {
29 header('Location: '.$landingpage.'&w&c');
32 if (!isset($_POST['code']) ||
empty($_POST['code'])) {
34 header('Location: '.$landingpage.'&w&c');
39 //SANITIZE ALL ESCAPES
// The two flags below are presumably read by ../interface/globals.php,
// included next -- confirm they are not consumed anywhere else.
40 $fake_register_globals=false;
42 //STOP FAKE REGISTER GLOBALS
43 $sanitize_all_escapes=true;
45 //Settings that will override globals.php
49 //Authentication (and language setting)
// Provides sqlQuery()/sqlStatement() used below (not defined in this file).
50 require_once('../interface/globals.php');
// Language preference: a posted choice overrides the session value and is
// stored as submitted. NOTE(review): nothing here checks that it is a numeric
// language id; confirm the consumer casts/validates it before any SQL use.
53 if (!empty($_POST['languageChoice'])) {
54 $_SESSION['language_choice'] = $_POST['languageChoice'];
56 else if (empty($_SESSION['language_choice'])) {
57 // just in case both are empty, then use english
58 $_SESSION['language_choice'] = 1;
61 // keep the current session language token
// Set to true only by the two authorized paths below; every other path leaves
// it false and redirects.
64 $authorizedPortal=false; //flag
// Credential lookup. Values go through placeholders (no interpolation), but
// the submitted password is compared against the stored `portal_pwd` column
// directly, which only succeeds if that column holds the password verbatim
// (no salted hash) -- the UPDATE further down writes $_POST['code_new'] the
// same way. A hashed scheme would select by username only and check the
// stored hash with password_verify(). SELECT * loads the whole row although
// only pid and portal_pwd_status are read in the lines shown.
// NOTE(review): no failed-attempt throttling or lockout is visible in this
// script -- confirm it is enforced upstream if required.
66 $sql = "SELECT * FROM `patient_access_onsite` WHERE `portal_username` = ? AND `portal_pwd` = ?";
// The outer condition already requires a truthy $auth, so the empty($auth)
// branch inside it is unreachable; a no-match (falsy) result presumably falls
// into this if's else branch instead -- both redirect to the same '&w'
// target, so the observable behaviour is the same.
68 if ($auth = sqlQuery($sql, array($_POST['uname'],$_POST['code']) )) { // if query gets executed
69 if (empty($auth)) { // no results found
71 header('Location: '.$landingpage.'&w');
76 header('Location: '.$landingpage.'&w');
// Second lookup: the patient record behind the matched credentials. Same
// unreachable-empty() pattern as above.
80 $sql = "SELECT * FROM `patient_data` WHERE `pid` = ?";
82 if ($userData = sqlQuery($sql, array($auth['pid']) )) { // if query gets executed
84 if (empty($userData)) {
85 // no records for this pid, so escape
87 header('Location: '.$landingpage.'&w');
// Per-patient opt-in gate: valid credentials are not enough unless the chart
// explicitly allows portal access.
91 if ($userData['allow_patient_portal'] != "YES") {
92 // Patient has not authorized portal, so escape
94 header('Location: '.$landingpage.'&w');
98 if ($auth['pid'] != $userData['pid']) {
99 // Not sure if this is even possible, but should escape if this happens
101 header('Location: '.$landingpage.'&w');
// Forced password change on first login (status 0). Loose comparison: with ==
// a NULL status also matches 0 (null == 0 is true in PHP) -- confirm the
// column cannot be NULL, or compare against an explicit (int) cast.
105 if ($auth['portal_pwd_status'] == 0) {
// Accept the new password only when this session is already in
// password-update mode (the flag set in the else branch below on the first
// pass) and both new-password fields are present and agree.
// NOTE(review): the agreement check uses ==, so numeric-looking strings
// compare numerically ('1e3' == '1000' is true); === is the intended
// comparison. No length or complexity rule is applied to the new password.
106 if ( isset($_SESSION['password_update']) && !(empty($_POST['code_new'])) && !(empty($_POST['code_new_confirm'])) && ($_POST['code_new'] == $_POST['code_new_confirm']) ) {
107 // Update the password and continue (patient is authorized)
// Parameterised UPDATE; stores the new password as submitted and flips the
// status so the change is not requested again. The username written is the
// one that just matched, so that column is effectively unchanged.
108 sqlStatement("UPDATE `patient_access_onsite` SET `portal_username`=?,`portal_pwd`=?,portal_pwd_status=1 WHERE pid=?", array($_POST['uname'],$_POST['code_new'],$auth['pid']) );
109 $authorizedPortal = true;
112 // Need to enter a new password in the index.php script
// First pass: flag the session and send the patient back to index.php
// (no '&w') to collect the new password; the flag is what the isset() check
// above looks for on the next POST.
113 $_SESSION['password_update'] = 1;
114 header('Location: '.$landingpage);
// Normal case: password already changed once and the credentials matched.
119 if ($auth['portal_pwd_status'] == 1) {
120 // continue (patient is authorized)
121 $authorizedPortal = true;
// Success: drop the one-shot markers and record the authenticated patient.
// pid and patient_portal_onsite are the only session values set here;
// presumably the portal pages check them -- confirm.
124 if ($authorizedPortal) {
125 // patient is authorized (prepare the session variables)
126 unset($_SESSION['password_update']); // just being safe
127 unset($_SESSION['itsme']); // just being safe
128 $_SESSION['pid'] = $auth['pid'];
129 $_SESSION['patient_portal_onsite'] = 1;
// Reached when neither status branch authorized the patient (presumably the
// else of the if above; its closing lines are not shown).
133 header('Location: '.$landingpage.'&w');
138 else { //problem with query
140 header('Location: '.$landingpage.'&w');
// Only the authorized path should get here -- relies on every failing branch
// above having exited after its redirect.
145 require_once('summary_pat_portal.php');