PHP7 project, commit 1.

-Removed mysql_connect and mysql_real_escape_string and replaced with relevant methods in library/sql.inc and library/formdata.inc.php
-Centralized magic quote checks to library/formdata.inc.php

contrib/forms/body_composition/new.php

@@ -32,7 +32,7 @@
 // encode a string from a form field for database writing.
 function form2db($fldval) {
  $fldval = trim($fldval);
- if (!get_magic_quotes_gpc()) $fldval = addslashes($fldval);
+ $fldval = formDataCore($fldval);
  return $fldval;
 }
 

contrib/forms/body_composition/view.php

@@ -32,7 +32,7 @@
 // encode a string from a form field for database writing.
 function form2db($fldval) {
  $fldval = trim($fldval);
- if (!get_magic_quotes_gpc()) $fldval = addslashes($fldval);
+ $fldval = formDataCore($fldval);
  return $fldval;
 }
 

contrib/forms/evaluation/C_FormEvaluation.class.php

@@ -52,7 +52,7 @@ function default_action_process() {
  addForm($GLOBALS['encounter'], "Evaluation Form", $this->evaluation->id, "evaluation", $GLOBALS['pid'], $_SESSION['userauthorized']);
 
  if (!empty($_POST['cpt_code'])) {
- $sql = "select * from codes where code ='" . mysql_real_escape_string($_POST['cpt_code']) . "' order by id";
+ $sql = "select * from codes where code ='" . add_escape_custom($_POST['cpt_code']) . "' order by id";
 
  $results = sqlQ($sql); 
 

contrib/forms/evaluation/FormEvaluation.class.php

@@ -60,7 +60,7 @@ function FormEvaluation($id= "", $_prefix = "") {
  function populate() {
  parent::populate();
 
- $sql = "SELECT name from form_evaluation_checks where foreign_id = '" . mysql_real_escape_string($this->id) . "'";
+ $sql = "SELECT name from form_evaluation_checks where foreign_id = '" . add_escape_custom($this->id) . "'";
  $results = sqlQ($sql);
 
  while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {
@@ -245,7 +245,7 @@ function persist() {
  sqlQuery($sql);
  foreach ($this->checks as $check) {
  if (!empty($check)) {
- $sql = "INSERT INTO form_evaluation_checks set foreign_id='" . mysql_real_escape_string($this->id) . "', name = '" . mysql_real_escape_string($check) . "'";
+ $sql = "INSERT INTO form_evaluation_checks set foreign_id='" . add_escape_custom($this->id) . "', name = '" . add_escape_custom($check) . "'";
  sqlQuery($sql);
  //echo "$sql<br>";
  }

contrib/forms/evaluation/report.php

@@ -6,7 +6,7 @@
 function evaluation_report( $pid, $encounter, $cols, $id) {
 $count = 0;
 $data = formFetch("form_evaluation", $id);
-$sql = "SELECT name from form_evaluation_checks where foreign_id = '" . mysql_real_escape_string($id) . "'";
+$sql = "SELECT name from form_evaluation_checks where foreign_id = '" . add_escape_custom($id) . "'";
 $results = sqlQ($sql);
 $data2 = array();
 while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {

contrib/forms/hp_tje_primary/FormHpTjePrimary.class.php

@@ -76,22 +76,22 @@ function FormHpTjePrimary($id= "", $_prefix = "") {
  function populate() {
  parent::populate();
 
- $sql = "SELECT name from form_hp_tje_checks where foreign_id = '" . mysql_real_escape_string($this->id) . "'";
+ $sql = "SELECT name from form_hp_tje_checks where foreign_id = '" . add_escape_custom($this->id) . "'";
  $results = sqlQ($sql);
 
  while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {
  $this->checks[] = $row['name']; 
  }
 
 
- $sql = "SELECT doctor,specialty,tx_rendered,effectiveness,date from form_hp_tje_history where foreign_id = '" . mysql_real_escape_string($this->id) . "'";
+ $sql = "SELECT doctor,specialty,tx_rendered,effectiveness,date from form_hp_tje_history where foreign_id = '" . add_escape_custom($this->id) . "'";
  $results = sqlQ($sql);
 
  while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {
  $this->history[] = $row; 
  }
 
- $sql = "SELECT nature_of_accident,injuries,date from form_hp_tje_previous_accidents where foreign_id = '" . mysql_real_escape_string($this->id) . "'";
+ $sql = "SELECT nature_of_accident,injuries,date from form_hp_tje_previous_accidents where foreign_id = '" . add_escape_custom($this->id) . "'";
  $results = sqlQ($sql);
 
  while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {
@@ -318,7 +318,7 @@ function persist() {
  sqlQuery($sql);
  foreach ($this->checks as $check) {
  if (!empty($check)) {
- $sql = "INSERT INTO form_hp_tje_checks set foreign_id='" . mysql_real_escape_string($this->id) . "', name = '" . mysql_real_escape_string($check) . "'";
+ $sql = "INSERT INTO form_hp_tje_checks set foreign_id='" . add_escape_custom($this->id) . "', name = '" . add_escape_custom($check) . "'";
  sqlQuery($sql);
  //echo "$sql<br>";
  }
@@ -329,12 +329,12 @@ function persist() {
  sqlQuery($sql);
  foreach ($this->history as $history) {
  if (!empty($history)) {
- $sql = "INSERT INTO form_hp_tje_history set foreign_id='" . mysql_real_escape_string($this->id) ."'"
- . ", doctor = '" . mysql_real_escape_string($history['doctor']) . "'"
- . ", specialty = '" . mysql_real_escape_string($history['specialty']) . "'"
- . ", tx_rendered = '" . mysql_real_escape_string($history['tx_rendered']) . "'"
- . ", effectiveness = '" . mysql_real_escape_string($history['effectiveness']) . "'"
- . ", date = '" . mysql_real_escape_string($history['date']) . "'";
+ $sql = "INSERT INTO form_hp_tje_history set foreign_id='" . add_escape_custom($this->id) ."'"
+ . ", doctor = '" . add_escape_custom($history['doctor']) . "'"
+ . ", specialty = '" . add_escape_custom($history['specialty']) . "'"
+ . ", tx_rendered = '" . add_escape_custom($history['tx_rendered']) . "'"
+ . ", effectiveness = '" . add_escape_custom($history['effectiveness']) . "'"
+ . ", date = '" . add_escape_custom($history['date']) . "'";
  sqlQuery($sql);
  //echo "$sql<br>";
  }
@@ -347,10 +347,10 @@ function persist() {
 
  foreach ($this->previous_accidents as $pa) {
  if (!empty($pa)) {
- $sql = "INSERT INTO form_hp_tje_previous_accidents set foreign_id='" . mysql_real_escape_string($this->id) . 
- "', nature_of_accident = '" . mysql_real_escape_string($pa['nature_of_accident']) . "'"
- . ", injuries = '" . mysql_real_escape_string($pa['injuries']) . "'"
- . ", date = '" . mysql_real_escape_string($pa['date']) . "'";
+ $sql = "INSERT INTO form_hp_tje_previous_accidents set foreign_id='" . add_escape_custom($this->id) .
+ "', nature_of_accident = '" . add_escape_custom($pa['nature_of_accident']) . "'"
+ . ", injuries = '" . add_escape_custom($pa['injuries']) . "'"
+ . ", date = '" . add_escape_custom($pa['date']) . "'";
 
  sqlQuery($sql);
  //echo "$sql<br>";

contrib/forms/prosthesis/C_FormProsthesis.class.php

@@ -51,7 +51,7 @@ function default_action_process() {
  addForm($GLOBALS['encounter'], "Prosthesis & Orthotics Form", $this->prosthesis->id, "prosthesis", $GLOBALS['pid'], $_SESSION['userauthorized']);
 
  if (!empty($_POST['cpt_code'])) {
- $sql = "select * from codes where code ='" . mysql_real_escape_string($_POST['cpt_code']) . "' order by id";
+ $sql = "select * from codes where code ='" . add_escape_custom($_POST['cpt_code']) . "' order by id";
 
  $results = sqlQ($sql); 
 

contrib/forms/psychiatrySet/brief_aan_verwijzer/autosave.php

@@ -15,7 +15,7 @@
 // escape the strings
 foreach ($_POST as $k => $var)
 {
- $_POST[$k] = mysql_real_escape_string($var);
+ $_POST[$k] = add_escape_custom($var);
  // echo "$var\n";
 }
 

contrib/forms/psychiatrySet/brief_aan_verwijzer/save.php

@@ -12,7 +12,7 @@
 
 foreach ($_POST as $k => $var)
 {
- $_POST[$k] = mysql_real_escape_string($var);
+ $_POST[$k] = add_escape_custom($var);
  // echo "$var\n";
 }
 

contrib/forms/psychiatrySet/intakeverslag/autosave.php

@@ -17,7 +17,7 @@
 // escape the strings
 foreach ($_POST as $k => $var)
 {
- $_POST[$k] = mysql_real_escape_string($var);
+ $_POST[$k] = add_escape_custom($var);
  // echo "$var\n";
 }
 

contrib/forms/psychiatrySet/intakeverslag/save.php

@@ -12,7 +12,7 @@
 
 foreach ($_POST as $k => $var)
 {
- $_POST[$k] = mysql_real_escape_string($var);
+ $_POST[$k] = add_escape_custom($var);
  // echo "$var\n";
 }
 

contrib/forms/psychiatrySet/psychiatrisch_onderzoek/autosave.php

@@ -15,7 +15,7 @@
 // escape the strings
 foreach ($_POST as $k => $var)
 {
- $_POST[$k] = mysql_real_escape_string($var);
+ $_POST[$k] = add_escape_custom($var);
  // echo "$var\n";
 }
 

contrib/forms/psychiatrySet/psychiatrisch_onderzoek/save.php

@@ -12,7 +12,7 @@
 
 foreach ($_POST as $k => $var)
 {
- $_POST[$k] = mysql_real_escape_string($var);
+ $_POST[$k] = add_escape_custom($var);
  // echo "$var\n";
 }
 

contrib/forms/review_of_systems/C_FormReviewOfSystems.class.php

@@ -51,7 +51,7 @@ function default_action_process() {
  addForm($GLOBALS['encounter'], "Review Of Systems", $this->review_of_systems->id, "review_of_systems", $GLOBALS['pid'], $_SESSION['userauthorized']);
 
  if (!empty($_POST['cpt_code'])) {
- $sql = "select * from codes where code ='" . mysql_real_escape_string($_POST['cpt_code']) . "' order by id";
+ $sql = "select * from codes where code ='" . add_escape_custom($_POST['cpt_code']) . "' order by id";
 
  $results = sqlQ($sql); 
 

contrib/forms/review_of_systems/FormReviewOfSystems.class.php

@@ -75,7 +75,7 @@ function toString($html = false) {
  function populate() {
  parent::populate();
 
- $sql = "SELECT name from form_review_of_systems_checks where foreign_id = '" . mysql_real_escape_string($this->id) . "'";
+ $sql = "SELECT name from form_review_of_systems_checks where foreign_id = '" . add_escape_custom($this->id) . "'";
  $results = sqlQ($sql);
 
  while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {
@@ -91,7 +91,7 @@ function persist() {
  sqlQuery($sql);
  foreach ($this->checks as $check) {
  if (!empty($check)) {
- $sql = "INSERT INTO form_review_of_systems_checks set foreign_id='" . mysql_real_escape_string($this->id) . "', name = '" . mysql_real_escape_string($check) . "'";
+ $sql = "INSERT INTO form_review_of_systems_checks set foreign_id='" . add_escape_custom($this->id) . "', name = '" . add_escape_custom($check) . "'";
  sqlQuery($sql);
  //echo "$sql<br>";
  }

contrib/forms/review_of_systems/report.php

@@ -5,7 +5,7 @@
 function review_of_systems_report( $pid, $encounter, $cols, $id) {
 $count = 0;
 $data = formFetch("form_review_of_systems", $id);
-$sql = "SELECT name from form_review_of_systems_checks where foreign_id = '" . mysql_real_escape_string($id) . "'";
+$sql = "SELECT name from form_review_of_systems_checks where foreign_id = '" . add_escape_custom($id) . "'";
 $results = sqlQ($sql);
 $data2 = array();
  while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {

contrib/util/de_identification_upgrade.php

@@ -126,11 +126,14 @@ function upgradeFromSqlFile_de($filename) {
 if (!empty($_POST['form_submit'])) {
  upgradeFromSqlFile_de("database_de_identification.sql");
 
- // grant file privilege to user
- if ($sqlconf["host"] == "localhost")
- $dbh = mysql_connect($sqlconf['host'],$_POST['root_user_name'],$_POST['root_user_pass'],$sqlconf['host']) or die(mysql_error());
- else
- $dbh = mysql_connect($sqlconf['host'].":".$sqlconf['port'],$_POST['root_user_name'],$_POST['root_user_pass']) or die(mysql_error());
+// grant file privilege to user
+// if ($sqlconf["host"] == "localhost")
+// $dbh = mysql_connect($sqlconf['host'],$_POST['root_user_name'],$_POST['root_user_pass'],$sqlconf['host']) or die(mysql_error());
+// else
+// $dbh = mysql_connect($sqlconf['host'].":".$sqlconf['port'],$_POST['root_user_name'],$_POST['root_user_pass']) or die(mysql_error());
+
+ $dbh = $GLOBALS['dbh'];
+
  if ($dbh == FALSE) {
  echo "\n";
  echo "<p>".mysql_error()." (#".mysql_errno().")\n";

contrib/util/import_mi2xml.php

@@ -739,7 +739,7 @@ function get_patientid( $medics ) {
 //
 function form2db($fldval) {
  $fldval = trim($fldval);
- if (!get_magic_quotes_gpc()) $fldval = addslashes($fldval);
+ $fldval = formDataCore($fldval);
  return $fldval;
 }
 

controllers/C_PatientFinder.class.php

@@ -35,9 +35,9 @@ function find_action($form_id, $form_name,$pid) {
  $isPid = false;
  //fix any magic quotes meddling
 
- if (get_magic_quotes_gpc()) {$form_id = stripslashes($form_id);}
- if (get_magic_quotes_gpc()) {$form_name = stripslashes($form_name);}
- if (get_magic_quotes_gpc()) {$pid = stripslashes($pid);}
+ $form_id = strip_escape_custom($form_id);
+ $form_name = strip_escape_custom($form_name);
+ $pid = strip_escape_custom($pid);
 
  //prevent javascript injection, whitespace and semi-colons are the worry
  $form_id = preg_replace("/[^A-Za-z0-9\[\]\_\']/iS","",urldecode($form_id));
@@ -100,7 +100,7 @@ function find_action_process() {
  * @-param string $search_string parsed for last name
  */
  function search_by_lName($sql, $search_string) {
- $lName = mysql_real_escape_string($search_string);
+ $lName = add_escape_custom($search_string);
  $sql .= " WHERE lname LIKE '$lName%' ORDER BY lname, fname";
  //print "SQL is $sql \n";
  $result_array = $this->_db->GetAll($sql);
@@ -116,7 +116,7 @@ function search_by_lName($sql, $search_string) {
  */
  function search_by_fName($sql, $search_string) {
  $name_array = split(",", $search_string);
- $fName = mysql_real_escape_string( trim($name_array[1]) );
+ $fName = add_escape_custom( trim($name_array[1]) );
  $sql .= " WHERE fname LIKE '$fName%' ORDER BY lname, fname";
  $result_array = $this->_db->GetAll($sql);
  return $result_array;
@@ -130,8 +130,8 @@ function search_by_fName($sql, $search_string) {
  */
  function search_by_FullName($sql, $search_string) {
  $name_array = split(",", $search_string);
- $lName = mysql_real_escape_string($name_array[0]);
- $fName = mysql_real_escape_string( trim($name_array[1]) );
+ $lName = add_escape_custom($name_array[0]);
+ $fName = add_escape_custom( trim($name_array[1]) );
  $sql .= " WHERE fname LIKE '%$fName%' AND lname LIKE '$lName%' ORDER BY lname, fname";
  //print "SQL is $sql \n";
  $result_array = $this->_db->GetAll($sql);

controllers/C_Prescription.class.php

@@ -249,7 +249,7 @@ function multiprint_header(& $pdf, $p) {
  $pdf->ezImage($GLOBALS['oer_config']['prescriptions']['logo'],'','50','','center','');
  $pdf->ezColumnsStart(array('num'=>2, 'gap'=>10));
  $res = sqlQuery("SELECT concat('<b>',f.name,'</b>\n',f.street,'\n',f.city,', ',f.state,' ',f.postal_code,'\nTel:',f.phone,if(f.fax != '',concat('\nFax: ',f.fax),'')) addr FROM users JOIN facility AS f ON f.name = users.facility where users.id ='" .
- mysql_real_escape_string($p->provider->id) . "'");
+ add_escape_custom($p->provider->id) . "'");
  $pdf->ezText($res['addr'],12);
  $my_y = $pdf->y;
  $pdf->ezNewPage();
@@ -295,7 +295,7 @@ function multiprint_header(& $pdf, $p) {
  $pdf->line($pdf->ez['leftMargin'],$pdf->y,$pdf->ez['pageWidth']-$pdf->ez['rightMargin'],$pdf->y);
  $pdf->ezText('<b>' . xl('Patient Name & Address') . '</b>',6);
  $pdf->ezText($p->patient->get_name_display(),10);
- $res = sqlQuery("SELECT concat(street,'\n',city,', ',state,' ',postal_code,'\n',if(phone_home!='',phone_home,if(phone_cell!='',phone_cell,if(phone_biz!='',phone_biz,'')))) addr from patient_data where pid =". mysql_real_escape_string ($p->patient->id));
+ $res = sqlQuery("SELECT concat(street,'\n',city,', ',state,' ',postal_code,'\n',if(phone_home!='',phone_home,if(phone_cell!='',phone_cell,if(phone_biz!='',phone_biz,'')))) addr from patient_data where pid =". add_escape_custom($p->patient->id));
  $pdf->ezText($res['addr']);
  $my_y = $pdf->y;
  $pdf->ezNewPage();
@@ -328,7 +328,7 @@ function multiprintcss_header($p) {
  echo ("</tr>\n");
  echo ("<tr>\n");
  echo ("<td>\n");
- $res = sqlQuery("SELECT concat('<b>',f.name,'</b>\n',f.street,'\n',f.city,', ',f.state,' ',f.postal_code,'\nTel:',f.phone,if(f.fax != '',concat('\nFax: ',f.fax),'')) addr FROM users JOIN facility AS f ON f.name = users.facility where users.id ='" . mysql_real_escape_string($p->provider->id) . "'");
+ $res = sqlQuery("SELECT concat('<b>',f.name,'</b>\n',f.street,'\n',f.city,', ',f.state,' ',f.postal_code,'\nTel:',f.phone,if(f.fax != '',concat('\nFax: ',f.fax),'')) addr FROM users JOIN facility AS f ON f.name = users.facility where users.id ='" . add_escape_custom($p->provider->id) . "'");
  $patterns = array ('/\n/','/Tel:/','/Fax:/');
  $replace = array ('<br>', xl('Tel').':', xl('Fax').':');
  $res = preg_replace($patterns, $replace, $res);
@@ -367,7 +367,7 @@ function multiprintcss_header($p) {
  echo ("<td rowspan='2' class='bordered'>\n");
  echo ('<b><span class="small">' . xl('Patient Name & Address') . '</span></b>'. '<br>');
  echo ($p->patient->get_name_display() . '<br>');
- $res = sqlQuery("SELECT concat(street,'\n',city,', ',state,' ',postal_code,'\n',if(phone_home!='',phone_home,if(phone_cell!='',phone_cell,if(phone_biz!='',phone_biz,'')))) addr from patient_data where pid =". mysql_real_escape_string ($p->patient->id));
+ $res = sqlQuery("SELECT concat(street,'\n',city,', ',state,' ',postal_code,'\n',if(phone_home!='',phone_home,if(phone_cell!='',phone_cell,if(phone_biz!='',phone_biz,'')))) addr from patient_data where pid =". add_escape_custom($p->patient->id));
  $patterns = array ('/\n/');
  $replace = array ('<br>');
  $res = preg_replace($patterns, $replace, $res);

interface/fax/fax_dispatch.php

@@ -38,7 +38,7 @@
 $info_msg = "";
 
 // This function builds an array of document categories recursively.
-// Kittens are the children of cats, you know. :-)
+// Kittens are the children of cats, you know. :-)getKittens
 //
 function getKittens($catid, $catstring, &$categories) {
  $cres = sqlStatement("SELECT id, name FROM categories " .
@@ -149,7 +149,7 @@ function mergeTiffs() {
  }
  $note = "New scanned document $newid: $note";
  $form_note_message = trim($_POST['form_note_message']);
- if (get_magic_quotes_gpc()) $form_note_message = stripslashes($form_note_message);
+ $form_note_message = strip_escape_custom($form_note_message);
  if ($form_note_message) $note .= "\n" . $form_note_message;
  // addPnote() will do its own addslashes().
  $noteid = addPnote($_POST['form_pid'], $note, $userauthorized, '1',
@@ -208,7 +208,7 @@ function mergeTiffs() {
  if ($_POST['form_cb_note'] && !$info_msg) {
  $note = "New scanned encounter note for visit on " . substr($erow['date'], 0, 10);
  $form_note_message = trim($_POST['form_note_message']);
- if (get_magic_quotes_gpc()) $form_note_message = stripslashes($form_note_message);
+ $form_note_message = strip_escape_custom($form_note_message);
  if ($form_note_message) $note .= "\n" . $form_note_message;
  // addPnote() will do its own addslashes().
  addPnote($patient_id, $note, $userauthorized, '1',
@@ -227,11 +227,9 @@ function mergeTiffs() {
  $form_message = trim($_POST['form_message']);
  $form_finemode = $_POST['form_finemode'] ? '-m' : '-l';
 
- if (get_magic_quotes_gpc()) {
- $form_from = stripslashes($form_from);
- $form_to = stripslashes($form_to);
- $form_message = stripslashes($form_message);
- }
+ $form_from = strip_escape_custom($form_from);
+ $form_to = strip_escape_custom($form_to);
+ $form_message = strip_escape_custom($form_message);
 
  // Generate a cover page using enscript. This can be a cool thing
  // to do, as enscript is very powerful.

interface/forms/ankleinjury/save.php

@@ -4,7 +4,7 @@
 include_once("$srcdir/api.inc");
 include_once("$srcdir/forms.inc");
 foreach ($_POST as $k => $var) {
-$_POST[$k] = mysql_escape_string($var);
+$_POST[$k] = add_escape_custom($var);
 //echo "$var\n";
 }
 if ($encounter == "")

interface/forms/bronchitis/save.php

@@ -4,7 +4,7 @@
 include_once("$srcdir/api.inc");
 include_once("$srcdir/forms.inc");
 foreach ($_POST as $k => $var) {
-$_POST[$k] = mysql_escape_string($var);
+$_POST[$k] = add_escape_custom($var);
 echo "$var\n";
 }
 if ($encounter == "")

interface/forms/reviewofs/save.php

@@ -24,7 +24,7 @@
 include_once("$srcdir/api.inc");
 include_once("$srcdir/forms.inc");
 foreach ($_POST as $k => $var) {
-$_POST[$k] = mysql_escape_string($var);
+$_POST[$k] = add_escape_custom($var);
 echo attr($var);
 echo "\n";
 }