From 9e5d4a99c0270c131b81d146c625713ddc37cd7b Mon Sep 17 00:00:00 2001 From: Brady Miller Date: Sun, 29 Sep 2019 23:54:37 -0700 Subject: [PATCH] more bug fixes (#2699) --- library/clinical_rules.php | 38 +++++++++++++++++++------------------- library/patient.inc | 28 +++++++++++++++++++++++++++- 2 files changed, 46 insertions(+), 20 deletions(-) diff --git a/library/clinical_rules.php b/library/clinical_rules.php index 8b612610b..7222d742c 100644 --- a/library/clinical_rules.php +++ b/library/clinical_rules.php @@ -11,7 +11,7 @@ * @author Brady Miller * @author Medical Information Integration, LLC * @author Ensofttek, LLC - * @copyright Copyright (c) 2010-2018 Brady Miller + * @copyright Copyright (c) 2010-2019 Brady Miller * @copyright Copyright (c) 2011 Medical Information Integration, LLC * @copyright Copyright (c) 2011 Ensofttek, LLC * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 @@ -1550,7 +1550,7 @@ function set_rule_activity_patient($rule, $type, $setting, $patient_id) } // Update patient specific row - $query = "UPDATE `clinical_rules` SET `" . add_escape_custom($type) . "_flag`= ?, `access_control` = ? WHERE id = ? AND pid = ?"; + $query = "UPDATE `clinical_rules` SET `" . escape_sql_column_name($type."_flag", ["clinical_rules"]) . "`= ?, `access_control` = ? WHERE id = ? AND pid = ?"; sqlStatementCdrEngine($query, array($setting,$patient_rule_original['access_control'],$rule,$patient_id)); } @@ -1919,9 +1919,9 @@ function exist_database_item($patient_id, $table, $column = '', $data_comp, $dat if (empty($column)) { // simple search for any table entries $sql = sqlStatementCdrEngine("SELECT * " . - "FROM `" . add_escape_custom($table) . "` " . + "FROM `" . escape_table_name($table) . "` " . " ". $whereTables. " ". - "WHERE " . add_escape_custom($patient_id_label) . "=? " . $customSQL, array($patient_id)); + "WHERE " . add_escape_custom($patient_id_label) . "=? " . $customSQL, array($patient_id)); } else { // mdsupport : Allow trailing '**' in the strings to perform LIKE searches if ((substr($data, -2)=='**') && (($compSql == "=") || ($compSql == "!="))) { @@ -1935,13 +1935,13 @@ function exist_database_item($patient_id, $table, $column = '', $data_comp, $dat //To handle standard forms starting with form_ //In this case, we are assuming the date field is "date" $sql =sqlStatementCdrEngine( - "SELECT b.`" . add_escape_custom($column) . "` " . + "SELECT b.`" . escape_sql_column_name($column, [$table]) . "` " . "FROM forms a ". - "LEFT JOIN `" . add_escape_custom($table) . "` " . " b ". + "LEFT JOIN `" . escape_table_name($table) . "` " . " b ". "ON (a.form_id=b.id AND a.formdir LIKE '".add_escape_custom(substr($table, 5))."') ". "WHERE a.deleted != '1' ". - "AND b.`" .add_escape_custom($column) ."`" . $compSql . - "AND b." . add_escape_custom($patient_id_label) . "=? " . $customSQL + "AND b.`" . escape_sql_column_name($column, [$table]) ."`" . $compSql . + "AND b." . add_escape_custom($patient_id_label) . "=? " . $customSQL . str_replace("`date`", "b.`date`", $dateSql), array($data, $patient_id) ); @@ -1953,10 +1953,10 @@ function exist_database_item($patient_id, $table, $column = '', $data_comp, $dat } // search for number of specific items - $sql = sqlStatementCdrEngine("SELECT `" . add_escape_custom($column) . "` " . - "FROM `" . add_escape_custom($table) . "` " . + $sql = sqlStatementCdrEngine("SELECT `" . escape_sql_column_name($column, [$table]) . "` " . + "FROM `" . escape_table_name($table) . "` " . " " . $whereTables . " " . - "WHERE `" . add_escape_custom($column) . "`" . $compSql . + "WHERE `" . escape_sql_column_name($column, [$table]) . "`" . $compSql . "AND " . add_escape_custom($patient_id_label) . "=? " . $customSQL . $dateSql, array($data, $patient_id)); } @@ -2090,7 +2090,7 @@ function exist_custom_item($patient_id, $category, $item, $complete, $num_items_ // search for number of specific items $sql = sqlStatementCdrEngine("SELECT `result` " . - "FROM `" . add_escape_custom($table) . "` " . + "FROM `" . escape_table_name($table) . "` " . "WHERE `category`=? " . "AND `item`=? " . "AND `complete`=? " . @@ -2251,43 +2251,43 @@ function sql_interval_string($table, $intervalType, $intervalValue, $dateTarget) case "year": $dateSql = "AND (" . add_escape_custom($date_label) . " BETWEEN DATE_SUB('" . add_escape_custom($dateTarget) . - "', INTERVAL " . add_escape_custom($intervalValue) . + "', INTERVAL " . escape_limit($intervalValue) . " YEAR) AND '" . add_escape_custom($dateTarget) . "') "; break; case "month": $dateSql = "AND (" . add_escape_custom($date_label) . " BETWEEN DATE_SUB('" . add_escape_custom($dateTarget) . - "', INTERVAL " . add_escape_custom($intervalValue) . + "', INTERVAL " . escape_limit($intervalValue) . " MONTH) AND '" . add_escape_custom($dateTarget) . "') "; break; case "week": $dateSql = "AND (" . add_escape_custom($date_label) . " BETWEEN DATE_SUB('" . add_escape_custom($dateTarget) . - "', INTERVAL " . add_escape_custom($intervalValue) . + "', INTERVAL " . escape_limit($intervalValue) . " WEEK) AND '" . add_escape_custom($dateTarget) . "') "; break; case "day": $dateSql = "AND (" . add_escape_custom($date_label) . " BETWEEN DATE_SUB('" . add_escape_custom($dateTarget) . - "', INTERVAL " . add_escape_custom($intervalValue) . + "', INTERVAL " . escape_limit($intervalValue) . " DAY) AND '" . add_escape_custom($dateTarget) . "') "; break; case "hour": $dateSql = "AND (" . add_escape_custom($date_label) . " BETWEEN DATE_SUB('" . add_escape_custom($dateTarget) . - "', INTERVAL " . add_escape_custom($intervalValue) . + "', INTERVAL " . escape_limit($intervalValue) . " HOUR) AND '" . add_escape_custom($dateTarget) . "') "; break; case "minute": $dateSql = "AND (" . add_escape_custom($date_label) . " BETWEEN DATE_SUB('" . add_escape_custom($dateTarget) . - "', INTERVAL " . add_escape_custom($intervalValue) . + "', INTERVAL " . escape_limit($intervalValue) . " MINUTE) AND '" . add_escape_custom($dateTarget) . "') "; break; case "second": $dateSql = "AND (" . add_escape_custom($date_label) . " BETWEEN DATE_SUB('" . add_escape_custom($dateTarget) . - "', INTERVAL " . add_escape_custom($intervalValue) . + "', INTERVAL " . escape_limit($intervalValue) . " SECOND) AND '" . add_escape_custom($dateTarget) . "') "; break; case "flu_season": diff --git a/library/patient.inc b/library/patient.inc index e23136d2c..3fc7977ca 100644 --- a/library/patient.inc +++ b/library/patient.inc @@ -6,7 +6,7 @@ * @link http://www.open-emr.org * @author Brady Miller * @author Sherwin Gaddis - * @copyright Copyright (c) 2018 Brady Miller + * @copyright Copyright (c) 2018-2019 Brady Miller * @copyright Copyright (c) 2019 Sherwin Gaddis * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ @@ -53,6 +53,8 @@ $policy_types = array( * If no subsection was given, returns everything, with the * date of birth as the last field. */ +// To prevent sql injection on this function, if a variable is used for $given parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getPatientData($pid, $given = "*, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS") { $sql = "select $given from patient_data where pid=? order by date DESC limit 0,1"; @@ -449,6 +451,8 @@ function getHistoryData($pid, $given = "*", $dateStart = '', $dateEnd = '') } // function getInsuranceData($pid, $type = "primary", $given = "insd.*, DATE_FORMAT(subscriber_DOB,'%m/%d/%Y') as subscriber_DOB, ic.name as provider_name") +// To prevent sql injection on this function, if a variable is used for $given parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getInsuranceData($pid, $type = "primary", $given = "insd.*, ic.name as provider_name") { $sql = "select $given from insurance_data as insd " . @@ -457,6 +461,8 @@ function getInsuranceData($pid, $type = "primary", $given = "insd.*, ic.name as return sqlQuery($sql, array($pid, $type)); } +// To prevent sql injection on this function, if a variable is used for $given parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getInsuranceDataByDate( $pid, $date, @@ -474,6 +480,8 @@ function getInsuranceDataByDate( return sqlQuery($sql, array($pid,$date,$type)); } +// To prevent sql injection on this function, if a variable is used for $given parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getEmployerData($pid, $given = "*") { $sql = "select $given from employer_data where pid=? order by date DESC limit 0,1"; @@ -510,6 +518,8 @@ function _set_patient_inc_count($limit, $count, $where, $whereBindArray = array( * @param string $start * @return array */ +// To prevent sql injection on this function, if a variable is used for $given OR $orderby parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getPatientLnames($term = "%", $given = "pid, id, lname, fname, mname, providerID, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS", $orderby = "lname ASC, fname ASC", $limit = "all", $start = "0") { $names = getPatientNameSplit($term); @@ -634,6 +644,8 @@ function getPatientNameSplit($term) return $n; // associative array containing names } +// To prevent sql injection on this function, if a variable is used for $given OR $orderby parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getPatientId($pid = "%", $given = "pid, id, lname, fname, mname, providerID, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS", $orderby = "lname ASC, fname ASC", $limit = "all", $start = "0") { @@ -663,6 +675,8 @@ function getPatientId($pid = "%", $given = "pid, id, lname, fname, mname, provid return $returnval; } +// To prevent sql injection on this function, if a variable is used for $given OR $orderby parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getByPatientDemographics($searchTerm = "%", $given = "pid, id, lname, fname, mname, providerID, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS", $orderby = "lname ASC, fname ASC", $limit = "all", $start = "0") { $layoutCols = sqlStatement( @@ -695,6 +709,8 @@ function getByPatientDemographics($searchTerm = "%", $given = "pid, id, lname, f return $returnval; } +// To prevent sql injection on this function, if a variable is used for $given OR $orderby parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getByPatientDemographicsFilter( $searchFields, $searchTerm = "%", @@ -765,6 +781,8 @@ function getByPatientDemographicsFilter( // return a collection of Patient PIDs // new arg style by JRM March 2008 // orig function getPatientPID($pid = "%", $given = "pid, id, lname, fname, mname, providerID, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS", $orderby = "lname ASC, fname ASC", $limit="all", $start="0") +// To prevent sql injection on this function, if a variable is used for $given OR $orderby parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getPatientPID($args) { $pid = "%"; @@ -851,6 +869,8 @@ function getPatientNameFirstLast($pid) } /* find patient data by DOB */ +// To prevent sql injection on this function, if a variable is used for $given OR $orderby parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getPatientDOB($DOB = "%", $given = "pid, id, lname, fname, mname", $orderby = "lname ASC, fname ASC", $limit = "all", $start = "0") { $sqlBindArray = array(); @@ -881,6 +901,8 @@ function getPatientDOB($DOB = "%", $given = "pid, id, lname, fname, mname", $ord } /* find patient data by SSN */ +// To prevent sql injection on this function, if a variable is used for $given OR $orderby parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getPatientSSN($ss = "%", $given = "pid, id, lname, fname, mname, providerID", $orderby = "lname ASC, fname ASC", $limit = "all", $start = "0") { $sqlBindArray = array(); @@ -901,6 +923,8 @@ function getPatientSSN($ss = "%", $given = "pid, id, lname, fname, mname, provid } //(CHEMED) Search by phone number +// To prevent sql injection on this function, if a variable is used for $given OR $orderby parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getPatientPhone($phone = "%", $given = "pid, id, lname, fname, mname, providerID", $orderby = "lname ASC, fname ASC", $limit = "all", $start = "0") { $phone = preg_replace("/[[:punct:]]/", "", $phone); @@ -921,6 +945,8 @@ function getPatientPhone($phone = "%", $given = "pid, id, lname, fname, mname, p return $returnval; } +// To prevent sql injection on this function, if a variable is used for $given OR $orderby parameter, then +// it needs to be escaped via whitelisting prior to using this function. function getPatientIds($given = "pid, id, lname, fname, mname", $orderby = "id ASC", $limit = "all", $start = "0") { $sql="select $given from patient_data order by $orderby"; -- 2.11.4.GIT