library/formdata.inc.php

   1 <?php
   2 /**
   3  * Functions to globally validate and prepare data for sql database insertion.
   4  *
   5  * Copyright (C) 2009 Rod Roark <rod@sunsetsystems.com>
   6  *
   7  * LICENSE: This program is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU General Public License
   9  * as published by the Free Software Foundation; either version 2
  10  * of the License, or (at your option) any later version.
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14  * GNU General Public License for more details.
  15  * You should have received a copy of the GNU General Public License
  16  * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
  17  *
  18  * @package OpenEMR
  19  * @author  Rod Roark <rod@sunsetsystems.com>
  20  * @author  Brady Miller <brady@sparmy.com>
  21  * @link    http://www.open-emr.org
  22  */
  23
  24 /**
  25  * Escape a parameter to prepare for a sql query.
  26  *
  27  * @param   string $s  Parameter to be escaped.
  28  * @return  string     Escaped parameter.
  29  */
  30 function add_escape_custom($s) {
  31       //prepare for safe mysql insertion
  32       $s = mysqli_real_escape_string($GLOBALS['dbh'], $s);
  33       return $s;
  34 }
  35
  36 /**
  37  * Escape a sql limit variable to prepare for a sql query.
  38  *
  39  * This will escape integers within the LIMIT ?, ? part of a sql query.
  40  * Note that there is a maximum value to these numbers, which is why
  41  * should only use for the LIMIT ? , ? part of the sql query and why
  42  * this is centralized to a function (in case need to upgrade this
  43  * function to support larger numbers in the future).
  44  *
  45  * @param   string $s  Limit variable to be escaped.
  46  * @return  string     Escaped limit variable.
  47  */
  48 function escape_limit($s) {
  49       //prepare for safe mysql insertion
  50       $s = (int)$s;
  51       return $s;
  52 }
  53
  54 /**
  55  * Escape/sanitize a sql sort order keyword variable to prepare for a sql query.
  56  *
  57  * This will escape/sanitize the sort order keyword. It is done by whitelisting
  58  * only certain keywords(asc,desc). If the keyword is illegal, then will default
  59  * to asc.
  60  *
  61  * @param   string $s  Sort order keyword variable to be escaped/sanitized.
  62  * @return  string     Escaped sort order keyword variable.
  63  */
  64 function escape_sort_order($s) {
  65       return escape_identifier(strtolower($s),array("asc","desc"));
  66 }
  67
  68 /**
  69  * Escape/sanitize a table sql column name for a sql query..
  70  *
  71  * This will escape/sanitize the sql column name for a sql query. It is done by whitelisting
  72  * all of the current sql column names in the openemr database from a table(s). Note that if
  73  * there is no match, then it will die() and a error message will be sent to the screen and
  74  * the error log. This function should not be used for escaping tables outside the openemr
  75  * database (should use escape_identifier() function below for that scenario)
  76  *
  77  * @param   string        $s       sql column name variable to be escaped/sanitized.
  78  * @param   array         $tables  The table(s) that the sql columns is from (in an array).
  79  * @param   boolean       $long    Use long form (ie. table.colname) vs short form (ie. colname).
  80  * @return  string                 Escaped table name variable.
  81  */
  82 function escape_sql_column_name($s,$tables,$long=FALSE) {
  83
  84       // If the $tables is empty, then process them all
  85       if (empty($tables)) {
  86             $res = sqlStatementNoLog("SHOW TABLES");
  87             $tables = array();
  88             while ($row=sqlFetchArray($res)) {
  89                 $keys_return = array_keys($row);
  90                 $tables[]=$row[$keys_return[0]];
  91             }
  92       }
  93
  94       // First need to escape the $tables
  95       $tables_escaped = array();
  96       foreach ($tables as $table) {
  97             $tables_escaped[] = escape_table_name($table);
  98       }
  99
 100       // Collect all the possible sql columns from the tables
 101       $columns_options = array();
 102       foreach ($tables_escaped as $table_escaped) {
 103             $res = sqlStatementNoLog("SHOW COLUMNS FROM ".$table_escaped);
 104             while ($row=sqlFetchArray($res)) {
 105                   if ($long) {
 106                         $columns_options[]=$table_escaped.".".$row['Field'];
 107                   }
 108                   else {
 109                         $columns_options[]=$row['Field'];
 110                   }
 111             }
 112       }
 113
 114       // Now can escape(via whitelisting) the sql column name
 115       return escape_identifier($s,$columns_options,TRUE);
 116 }
 117
 118 /**
 119  * Escape/sanitize a table name for a sql query. This function can also can be used to
 120  * process tables that contain any upper case letters.
 121  *
 122  * This will escape/sanitize the table name for a sql query. It is done by whitelisting
 123  * all of the current tables in the openemr database. The matching is not case sensitive,
 124  * although it will attempt a case sensitive match before proceeding to a case insensitive
 125  * match (see below escape_identifier() function for more details on this). Note that if
 126  * there is no match, then it will die() and a error message will be sent to the screen
 127  * and the error log. This function should not be used for escaping tables outside the
 128  * openemr database (should use escape_identifier() function below for that scenario).
 129  * Another use of this function is to deal with casing issues that arise in tables that
 130  * contain upper case letter(s) (these tables can be huge issues when transferring databases
 131  * from Windows to Linux and vice versa); this function can avoid this issues if run the
 132  * table name through this function (To avoid confusion, there is a wrapper function
 133  * entitled mitigateSqlTableUpperCase() that is used when just need to mitigate casing
 134  * for table names that contain any uppercase letters).
 135  * @param   string $s  sql table name variable to be escaped/sanitized.
 136  * @return  string     Escaped table name variable.
 137  */
 138 function escape_table_name($s) {
 139       $res = sqlStatementNoLog("SHOW TABLES");
 140       $tables_array = array();
 141       while ($row=sqlFetchArray($res)) {
 142             $keys_return = array_keys($row);
 143             $tables_array[]=$row[$keys_return[0]];
 144       }
 145
 146       // Now can escape(via whitelisting) the sql table name
 147       return escape_identifier($s,$tables_array,TRUE,FALSE);
 148 }
 149
 150 /**
 151  * Process tables that contain any upper case letters; this is simple a wrapper function of
 152  * escape_table_name() above when using it for the sole purpose of mitigating sql table names
 153  * that contain upper case letters.
 154  *
 155  * @param   string $s  sql table name variable to be escaped/sanitized.
 156  * @return  string     Escaped table name variable.
 157  */
 158 function mitigateSqlTableUpperCase($s) {
 159     return escape_table_name($s);
 160 }
 161
 162 /**
 163  * Escape/sanitize a sql identifier variable to prepare for a sql query.
 164  *
 165  * This will escape/sanitize a sql identifier. There are two options provided by this
 166  * function.
 167  * The first option is done by whitelisting ($whitelist_items is used) and in this case
 168  * only certain identifiers (listed in the $whitelist_items array) can be used; if
 169  * there is no match, then it will either default to the first item in the $whitelist_items
 170  * (if $die_if_no_match is FALSE) or it will die() and send an error message to the screen
 171  * and log (if $die_if_no_match is TRUE). Note there is an option to allow case insensitive
 172  * matching; if this option is chosen, it will first attempt a case sensitive match and if this
 173  * fails, then attempt a case insensitive match.
 174  * The second option is done by sanitizing ($whitelist_items is not used) and in this case
 175  * only US alphanumeric,'_' and '.' items are kept in the returned string. Note
 176  * the second option is still experimental as we figure out the ideal items to
 177  * filter out of the identifier. The first option is ideal if all the possible identifiers
 178  * are known, however we realize this may not always be the case.
 179  *
 180  * @param   string   $s                Sql identifier variable to be escaped/sanitized.
 181  * @param   array    $whitelist_items  Items used in whitelisting method (See function description for details of whitelisting method).
 182  * @param   boolean  $die_if_no_match  If there is no match in the whitelist, then die and echo an error to screen and log.
 183  * @param   boolean  $case_sens_match  Use case sensitive match (this is default).
 184  * @return  string                     Escaped/sanitized sql identifier variable.
 185  */
 186 function escape_identifier($s,$whitelist_items,$die_if_no_match=FALSE,$case_sens_match=TRUE) {
 187       if (is_array($whitelist_items)) {
 188             // Only return an item within the whitelist_items
 189             $ok = $whitelist_items;
 190             // First, search for case sensitive match
 191             $key = array_search($s,$ok);
 192             if ($key === FALSE) {
 193                 // No match
 194                 if (!$case_sens_match) {
 195                     // Attempt a case insensitive match
 196                     $ok_UPPER = array_map("strtoupper",$ok);
 197                     $key = array_search(strtoupper($s),$ok_UPPER);
 198                 }
 199                 if ($key === FALSE) {
 200                     // Still no match
 201                     if ($die_if_no_match) {
 202                         // No match and $die_if_no_match is set, so die() and send error messages to screen and log
 203                         error_Log("ERROR: OpenEMR SQL Escaping ERROR of the following string: ".$s,0);
 204                         die("<br><span style='color:red;font-weight:bold;'>".xlt("There was an OpenEMR SQL Escaping ERROR of the following string")." ".text($s)."</span><br>");
 205                     }
 206                     else {
 207                         // Return first token since no match
 208                         $key = 0;
 209                     }
 210                 }
 211             }
 212             return $ok[$key];
 213       }
 214       else {
 215             // Return an item that has been "cleaned" up
 216             // (this is currently experimental and goal is to avoid using this)
 217             return preg_replace('/[^a-zA-Z0-9_.]/','',$s);
 218       }
 219 }
 220
 221 /**
 222  * (Note this function is deprecated for new scripts and is only utilized to support legacy scripts)
 223  * Function to manage POST, GET, and REQUEST variables.
 224  *
 225  * @param string $name name of the variable requested.
 226  * @param string $type 'P', 'G' for post or get data, otherwise uses request.
 227  * @param bool $istrim whether to use trim() on the data.
 228  * @return string variable requested, or empty string
 229  */
 230 function formData($name, $type='P', $isTrim=false) {
 231   if ($type == 'P')
 232     $s = isset($_POST[$name]) ? $_POST[$name] : '';
 233   else if ($type == 'G')
 234     $s = isset($_GET[$name]) ? $_GET[$name] : '';
 235   else
 236     $s = isset($_REQUEST[$name]) ? $_REQUEST[$name] : '';
 237
 238   return formDataCore($s,$isTrim);
 239 }
 240
 241 /**
 242  * (Note this function is deprecated for new scripts and is only utilized to support legacy scripts)
 243  * Core function that will be called by formData.
 244  * Note it can also be called directly if preparing
 245  * normal variables (not GET,POST, or REQUEST)
 246  *
 247  * @param string $s
 248  * @param bool $istrim whether to use trim() on the data.
 249  * @return string
 250  */
 251 function formDataCore($s, $isTrim=false) {
 252       //trim if selected
 253       if ($isTrim) {$s = trim($s);}
 254       //strip escapes
 255       $s = strip_escape_custom($s);
 256       //add escapes for safe database insertion
 257       $s = add_escape_custom($s);
 258       return $s;
 259 }
 260
 261 /**
 262  * (Note this function is deprecated for new scripts and is only utilized to support legacy scripts)
 263  * Will remove escapes if needed (ie magic quotes turned on) from string
 264  * Called by above formDataCore() function to prepare for database insertion.
 265  * Can also be called directly if simply need to remove escaped characters
 266  * from a string before processing.
 267  *
 268  * @param string $s
 269  * @return string
 270  */
 271 function strip_escape_custom($s) {
 272       //strip slashes if magic quotes turned on
 273       if (get_magic_quotes_gpc()) {$s = stripslashes($s);}
 274       return $s;
 275 }
 276
 277 /**
 278  * (Note this function is deprecated for new scripts and is only utilized to support legacy scripts)
 279  * This function is only being kept to support
 280  * previous functionality. If you want to trim
 281  * variables, this should be done using above
 282  * functions.
 283  *
 284  * @param string $s
 285  * @return string
 286  */
 287 function formTrim($s) {
 288   return formDataCore($s,true);
 289 }
 290
 291 /**
 292  * Wrapper function for get_magic_quotes_gpc()
 293  *
 294  * @return int
 295  */
 296 function check_magic_quotes() {
 297   return get_magic_quotes_gpc();
 298 }
 299 ?>