From a9f0ce9a7f57298c1f63ea28fe96a18462ec63bf Mon Sep 17 00:00:00 2001
From: Rod Roark
Date: Tue, 11 Jun 2013 15:46:20 -0700
Subject: [PATCH] Scanned Notes: Convert to new security model, escape form input, remove redundant code.
---
 contrib/forms/scanned_notes/{view.php => new.php} | 72 +++----
 contrib/forms/scanned_notes/view.php | 220 +++-------------------
 2 files changed, 60 insertions(+), 232 deletions(-)
 copy contrib/forms/scanned_notes/{view.php => new.php} (74%)
 rewrite contrib/forms/scanned_notes/view.php (99%)
diff --git a/contrib/forms/scanned_notes/view.php b/contrib/forms/scanned_notes/new.php
similarity index 74%
copy from contrib/forms/scanned_notes/view.php
copy to contrib/forms/scanned_notes/new.php
index db5a3f429..a0aeba62b 100644
--- a/contrib/forms/scanned_notes/view.php
+++ b/contrib/forms/scanned_notes/new.php
@@ -1,27 +1,33 @@
-//
-// This program is free software; you can redistribute it and/or
-// modify it under the terms of the GNU General Public License
-// as published by the Free Software Foundation; either version 2
-// of the License, or (at your option) any later version.
-
-include_once("../../globals.php");
-include_once("$srcdir/api.inc");
-include_once("$srcdir/forms.inc");
-include_once("$srcdir/acl.inc");
+/**
+* Encounter form for entering clinical data as a scanned document.
+*
+* Copyright (C) 2006-2013 Rod Roark
+*
+* LICENSE: This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License
+* as published by the Free Software Foundation; either version 2
+* of the License, or (at your option) any later version.
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+* You should have received a copy of the GNU General Public License
+* along with this program. If not, see .
+*
+* @package OpenEMR
+* @author Rod Roark
+*/
+
+// NOTE: HTML escaping still needs to be done for this script.
+
+$sanitize_all_escapes = true;
+$fake_register_globals = false;
+
+require_once("../../globals.php");
+require_once("$srcdir/api.inc");
+require_once("$srcdir/forms.inc");
+require_once("$srcdir/acl.inc");
 $row = array();
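Review bot: The new `// NOTE: HTML escaping still needs to be done for this script.` reminder does not say what is still unescaped, so the next maintainer cannot tell when it may be removed. Setting `$sanitize_all_escapes = true` means the posted notes are no longer slash-escaped on the way in (right, now that the queries below are parameterised), which makes output escaping the only remaining protection wherever the saved `$row['notes']` is echoed back into the form; that echo is outside this hunk, so I cannot confirm its exact line. I would make the comment point at it: `// NOTE: values echoed into the HTML below (e.g. $row['notes']) are not yet passed through htmlspecialchars(); do that before removing this note.`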
@@ -39,21 +45,15 @@ if ($_POST['bn_save']) {
 // If updating an existing form...
 //
 if ($formid) {
- $query = "UPDATE form_scanned_notes SET " .
- "notes = '" . $_POST['form_notes'] . "' " .
- "WHERE id = '$formid'";
- sqlStatement($query);
+ $query = "UPDATE form_scanned_notes SET notes = ? WHERE id = ?";
+ sqlStatement($query, array($_POST['form_notes'], $formid));
 }
 // If adding a new form...
 //
 else {
- $query = "INSERT INTO form_scanned_notes ( " .
- "notes " .
- ") VALUES ( " .
- "'" . $_POST['form_notes'] . "' " .
- ")";
- $formid = sqlInsert($query);
+ $query = "INSERT INTO form_scanned_notes (notes) VALUES (?)";
+ $formid = sqlInsert($query, array($_POST['form_notes']));
 addForm($encounter, "Scanned Notes", $formid, "scanned_notes", $pid, $userauthorized);
 }
@@ -99,9 +99,11 @@ $imageurl = "$web_root/sites/" . $_SESSION['site_id'] .
 if ($formid) {
 $row = sqlQuery("SELECT * FROM form_scanned_notes WHERE " .
- "id = '$formid' AND activity = '1'");
+ "id = ? AND activity = '1'",
+ array($formid));
 $formrow = sqlQuery("SELECT id FROM forms WHERE " .
- "form_id = '$formid' AND formdir = 'scanned_notes'");
+ "form_id = ? AND formdir = 'scanned_notes'",
+ array($formid));
 }
 ?>
diff --git a/contrib/forms/scanned_notes/view.php b/contrib/forms/scanned_notes/view.php
dissimilarity index 99%
index db5a3f429..b356d5394 100644
--- a/contrib/forms/scanned_notes/view.php
+++ b/contrib/forms/scanned_notes/view.php
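Review bot: `$formid` is now bound as a parameter in the UPDATE (and in the two SELECTs of the next hunk), but it is still taken raw from `$_GET['id']` just above this hunk, and in the unchanged upload code further down the same file it is interpolated into `$imagepath` and from there into the `convert` command line handed to `exec()`; parameterising the SQL does not cover that path. Since a form id can only be an integer, coercing it once at the assignment closes every later use: `$formid = isset($_GET['id']) ? (int) $_GET['id'] : 0;` (the existing `if ($formid)` tests keep working because 0 stays falsy). Whether `$encounter` and `$pid`, which reach the same shell command, are already validated by globals.php I cannot tell from this page. The enclosing `if ($_POST['bn_save'])` block starts outside the hunk.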
@@ -1,197 +1,23 @@
-
-//
-// This program is free software; you can redistribute it and/or
-// modify it under the terms of the GNU General Public License
-// as published by the Free Software Foundation; either version 2
-// of the License, or (at your option) any later version.
-
-include_once("../../globals.php");
-include_once("$srcdir/api.inc");
-include_once("$srcdir/forms.inc");
-include_once("$srcdir/acl.inc");
-
-$row = array();
-
-if (! $encounter) { // comes from globals.php
- die("Internal error: we do not seem to be in an encounter!");
-}
-
-$formid = $_GET['id'];
-$imagedir = $GLOBALS['OE_SITE_DIR'] . "/documents/$pid/encounters";
-
-// If Save was clicked, save the info.
-//
-if ($_POST['bn_save']) {
-
- // If updating an existing form...
- //
- if ($formid) {
- $query = "UPDATE form_scanned_notes SET " .
- "notes = '" . $_POST['form_notes'] . "' " .
- "WHERE id = '$formid'";
- sqlStatement($query);
- }
-
- // If adding a new form...
- //
- else {
- $query = "INSERT INTO form_scanned_notes ( " .
- "notes " .
- ") VALUES ( " .
- "'" . $_POST['form_notes'] . "' " .
- ")";
- $formid = sqlInsert($query);
- addForm($encounter, "Scanned Notes", $formid, "scanned_notes", $pid, $userauthorized);
- }
-
- $imagepath = "$imagedir/${encounter}_$formid.jpg";
-
- // Upload new or replacement document.
- // Always convert it to jpeg.
- if ($_FILES['form_image']['size']) {
- // If the patient's encounter image directory does not yet exist, create it.
- if (! is_dir($imagedir)) {
- $tmp0 = exec("mkdir -p '$imagedir'", $tmp1, $tmp2);
- if ($tmp2) die("mkdir returned $tmp2: $tmp0");
- exec("touch '$imagedir/index.html'");
- }
- // Remove any previous image files for this encounter and form ID.
- for ($i = -1; true; ++$i) {
- $suffix = ($i < 0) ? "" : "-$i";
- $path = "$imagedir/${encounter}_$formid$suffix.jpg";
- if (is_file($path)) {
- unlink($path);
- }
- else {
- if ($i >= 0) break;
- }
- }
- $tmp_name = $_FILES['form_image']['tmp_name'];
- // default density is 72 dpi, we change to 96. And -append was removed
- // to create a separate image file for each page.
- $cmd = "convert -density 96 '$tmp_name' '$imagepath'";
- $tmp0 = exec($cmd, $tmp1, $tmp2);
- if ($tmp2) die("\"$cmd\" returned $tmp2: $tmp0");
- }
-
- // formHeader("Redirecting....");
- // formJump();
- // formFooter();
- // exit;
-}
-
-$imagepath = "$imagedir/${encounter}_$formid.jpg";
-$imageurl = "$web_root/sites/" . $_SESSION['site_id'] .
- "/documents/$pid/encounters/${encounter}_$formid.jpg";
-
-if ($formid) {
- $row = sqlQuery("SELECT * FROM form_scanned_notes WHERE " .
- "id = '$formid' AND activity = '1'");
- $formrow = sqlQuery("SELECT id FROM forms WHERE " .
- "form_id = '$formid' AND formdir = 'scanned_notes'");
-}
-?>
-
-
-
-
-
-
-
-
-
-
-
-
-
- -
- -

- - - - - - - - - - - - - - - - -
Scanned Encounter Notes
 Comments  - -
 Document  -\n"; -} -?> -

  - - - -
 

-
- -

- -  - -  - - -  - - -

- -
- -
- - + +* +* LICENSE: This program is free software; you can redistribute it and/or +* modify it under the terms of the GNU General Public License +* as published by the Free Software Foundation; either version 2 +* of the License, or (at your option) any later version. +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* You should have received a copy of the GNU General Public License +* along with this program. If not, see . +* +* @package OpenEMR +* @author Rod Roark +*/ + +require_once("new.php"); +?> -- 2.11.4.GIT
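Review bot: `require_once("new.php");` on the new side resolves a bare relative path through include_path and the current working directory before falling back to the calling script's directory, so it works when view.php is the entry script but silently picks up a different `new.php` if one exists earlier on include_path. `require_once(dirname(__FILE__) . "/new.php");` pins it to the sibling file regardless of how view.php is reached. The removed HTML body and the opening lines of the new file are not legible in this rendering, so I have only checked the PHP that survived.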