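/**
 * Escape/sanitize a sql identifier variable to prepare for a sql query.
 *
 * Two modes are provided:
 *  1. Whitelisting ($whitelist_items is an array). The value returned is always one
 *     of the array's own entries, never $s itself, which is what makes the result
 *     safe to interpolate into a query. If $s matches no entry, the function either
 *     returns the first entry of $whitelist_items ($die_if_no_match FALSE) or logs,
 *     echoes an error and die()s ($die_if_no_match TRUE).
 *  2. Sanitizing ($whitelist_items is not an array). Everything except US-ASCII
 *     letters, digits, '_' and '.' is stripped from $s. This mode is still
 *     experimental; prefer whitelisting whenever the set of identifiers is known.
 *
 * @param string $s Sql identifier variable to be escaped/sanitized.
 * @param array $whitelist_items Items used in whitelisting method (see above).
 * @param boolean $die_if_no_match If there is no match in the whitelist, then die and echo an error to screen and log.
 * @return string Escaped/sanitized sql identifier variable (NULL only if an empty
 *                whitelist is given and $die_if_no_match is FALSE).
 */
function escape_identifier($s, $whitelist_items, $die_if_no_match = FALSE)
{
    if (!is_array($whitelist_items)) {
        // Sanitizing mode (experimental): keep only [A-Za-z0-9_.].
        // NOTE(review): a non-string $s (e.g. an array from $_GET) is handed straight
        // to preg_replace(), which would then return an array; callers should pass a string.
        return preg_replace('/[^a-zA-Z0-9_.]/', '', $s);
    }

    // Whitelisting mode. One scan replaces the original in_array() + array_search()
    // pair. Loose comparison is kept for backward compatibility with callers that
    // pass ints; it cannot weaken the result because only a whitelist entry is returned.
    $key = array_search($s, $whitelist_items);
    if ($key !== FALSE) {
        return $whitelist_items[$key];
    }

    if ($die_if_no_match) {
        // No match and the caller asked to abort: log, echo an error and stop.
        error_log("ERROR: OpenEMR SQL Escaping ERROR of the following string: " . $s, 0);
        die("<br><span style='color:red;font-weight:bold;'>" . xlt("There was an OpenEMR SQL Escaping ERROR of the following string") . " " . text($s) . "</span><br>");
    }

    // No match: fall back to the first whitelist entry. reset() is used rather than
    // indexing key 0 so that whitelists with non-zero or string keys still work (the
    // original relied on array_search()'s FALSE being cast to array key 0).
    $first = reset($whitelist_items);
    return $first === FALSE ? NULL : $first;
}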
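/**
 * Escape/sanitize a sql identifier variable to prepare for a sql query.
 *
 * Two modes are provided:
 *  1. Whitelisting ($whitelist_items is an array). The value returned is always one
 *     of the array's own entries, never $s itself, which is what makes the result
 *     safe to interpolate into a query. A case sensitive match is tried first; if
 *     $case_sens_match is FALSE a case insensitive match is tried next (the entry
 *     returned is still the whitelist's spelling, not the caller's). If nothing
 *     matches, the function either returns the first entry of $whitelist_items
 *     ($die_if_no_match FALSE) or logs, echoes an error and die()s ($die_if_no_match TRUE).
 *  2. Sanitizing ($whitelist_items is not an array). Everything except US-ASCII
 *     letters, digits, '_' and '.' is stripped from $s. This mode is still
 *     experimental; prefer whitelisting whenever the set of identifiers is known.
 *
 * @param string $s Sql identifier variable to be escaped/sanitized.
 * @param array $whitelist_items Items used in whitelisting method (see above).
 * @param boolean $die_if_no_match If there is no match in the whitelist, then die and echo an error to screen and log.
 * @param boolean $case_sens_match Use case sensitive match (this is default).
 * @return string Escaped/sanitized sql identifier variable (NULL only if an empty
 *                whitelist is given and $die_if_no_match is FALSE).
 */
function escape_identifier($s, $whitelist_items, $die_if_no_match = FALSE, $case_sens_match = TRUE)
{
    if (!is_array($whitelist_items)) {
        // Sanitizing mode (experimental): keep only [A-Za-z0-9_.].
        // NOTE(review): a non-string $s (e.g. an array from $_GET) is handed straight
        // to preg_replace(), which would then return an array; callers should pass a string.
        return preg_replace('/[^a-zA-Z0-9_.]/', '', $s);
    }

    // Whitelisting mode: case sensitive match first. Loose comparison is kept for
    // backward compatibility; it cannot weaken the result because only a whitelist
    // entry is ever returned.
    $key = array_search($s, $whitelist_items);
    if ($key === FALSE && !$case_sens_match) {
        // array_map() over a single array preserves keys, so $key still indexes
        // $whitelist_items and we return the whitelist's own spelling.
        $upper = array_map('strtoupper', $whitelist_items);
        $key = array_search(strtoupper($s), $upper);
    }
    if ($key !== FALSE) {
        return $whitelist_items[$key];
    }

    if ($die_if_no_match) {
        // No match and the caller asked to abort: log, echo an error and stop.
        error_log("ERROR: OpenEMR SQL Escaping ERROR of the following string: " . $s, 0);
        die("<br><span style='color:red;font-weight:bold;'>" . xlt("There was an OpenEMR SQL Escaping ERROR of the following string") . " " . text($s) . "</span><br>");
    }

    // No match: fall back to the first whitelist entry. reset() is used rather than
    // indexing key 0 so that whitelists with non-zero or string keys still work (the
    // original hard-coded $key = 0).
    $first = reset($whitelist_items);
    return $first === FALSE ? NULL : $first;
}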
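/**
 * Retrieves the current user consent access token from the user's session for a given scope.
 *
 * Returns null when no (non-empty) token is stored in the session for $scope, or when the
 * stored token has expired — allowing $this->reduce_token_expiry_by seconds of safety
 * margin — and refreshing it threw an Exception.
 *
 * @param string $scope the service that the app requires access to
 * @return OAuthToken|null the token, possibly refreshed, or null if none is usable
 */
public function getSessionConsentToken($scope)
{
    // NOTE: error_log comments are left here on purpose, so that a developer may uncomment them for troubleshooting.
    // Do not leave the token-printing line below enabled outside of local debugging: it writes the access token to the log.
    if (!isset($_SESSION['consent_tokens'][$scope]) || $_SESSION['consent_tokens'][$scope] == '') {
        return null;
    }
    // error_log("Checking for client_token in Session");
    $session_token = $_SESSION['consent_tokens'][$scope];
    // A missing expiry/refresh entry yields null instead of an "undefined index" notice;
    // the arithmetic below is unchanged by this (null behaves as 0 there).
    $expires_at = $_SESSION['consent_expires_at'][$scope] ?? null;
    $refresh_token = $_SESSION['consent_refresh_tokens'][$scope] ?? null;
    $token = new OAuthToken($session_token, $expires_at, $refresh_token);

    // time() is the same value as getdate()[0] (seconds since the epoch).
    $expires_in = $expires_at - time() - $this->reduce_token_expiry_by;
    if ($expires_in < 0) {
        // Expired (or inside the safety margin): try the refresh token.
        // If the refresh throws, null is returned so the caller can re-obtain consent.
        error_log("refreshing the consent token for " . $scope);
        try {
            $token = $this->refreshConsentToken($token, $scope);
        } catch (Exception $e) {
            $token = null;
        }
    }
    // error_log("session client_token = " . $token->getAccessToken());
    return $token;
}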
if (EXTRA_LOGGING) { error_Log("all done."); }
# check for the next task
# (the loop this sits in, and $db, are opened before this span; the two
# closing braces after the else-branch close the else and that loop)
$next = $db->querySingle("\n SELECT task_id, moddir, command\n FROM tasks\n WHERE pid IS NULL\n AND dismissed IS NULL\n ORDER BY task_id LIMIT 1\n ", true);
$db_started = $db->escapeString(time());
if ($next) {
    if (EXTRA_LOGGING) { error_Log("New task found, rsyncing {$next['moddir']}..."); }
    $db_task_id = $next['task_id'];
    # $cmd and $moddir are consumed outside this span (how $cmd is used is not
    # visible here); both come straight from the tasks table, so write access
    # to that table is effectively write access to whatever runs them.
    $cmd = $next['command'];
    $moddir = $next['moddir'];
    # $db_started is escaped above; $db_task_id is interpolated as-is (it was
    # just read back from the tasks table). A bound parameter would avoid
    # relying on that provenance. -- TODO(review)
    $db->exec("\n UPDATE tasks\n SET started = '{$db_started}',\n files_done = '0',\n data_done = '0',\n data_rate = ''\n WHERE task_id = '{$db_task_id}'\n ");
} else {
    if (EXTRA_LOGGING) { error_Log("No more tasks, exiting..."); }
    # no more tasks -- yay
    break;
}
}
# restart kiwix so it sees what modules are visible/hidden
# -- we could do this after each module but it seems a bit
# much... let's try doing it after installs/updates are complete
# and see if anyone complains
kiwix_restart();
if (EXTRA_LOGGING) { error_Log("Goodbye."); }
exit(0);
// (the if/else and the switch this belongs to open before this span)
$notifications_for_subscription = $notifications[$subscription_id];
} else {
    $notifications_for_subscription = array();
}
$response = json_encode(array('notificationEvents' => $notifications_for_subscription));
// Drain the delivered events and persist. LOCK_EX only covers this write; the
// read of $notifications happens earlier (outside this span), so two concurrent
// requests can still overwrite each other's changes. -- TODO(review)
$notifications[$subscription_id] = array();
file_put_contents('notifications.json', json_encode($notifications), LOCK_EX);
// NOTE(review): unlike the updateSubscription case below, no Content-Type header is sent here.
http_response_code(200);
echo $response;
break;
case "updateSubscription":
    $postBody = file_get_contents('php://input');
    $subscriptionParams = json_decode($postBody);
    // NOTE(review): any body that decodes to a falsy value (e.g. "0", "null") is
    // reported as a JSON error here, not only malformed JSON.
    if (!$subscriptionParams) {
        // The second line logs the full client-supplied request body.
        error_Log("JSON error: " . json_last_error_msg());
        error_Log("JSON data: " . $postBody);
        // BUG: json_last_error_msg is missing "()" on the next line, so it is read as
        // an undefined constant (an Error on PHP 8) and return_json_error() is never reached.
        return_json_error(400, json_last_error_msg . " : " . $postBody);
        break;
    }
    $callbackData = null;
    $expiresIn = 3600;
    if (isset($subscriptionParams->callbackData)) { $callbackData = $subscriptionParams->callbackData; }
    // $expiresIn is taken from the client without any type or range check visible here.
    if (isset($subscriptionParams->expiresIn)) { $expiresIn = $subscriptionParams->expiresIn; }
    // ->events is read without an isset() guard, so a body lacking it passes null through.
    $response = $service_provider->updateSubscription($subscriptionId, $subscriptionParams->events, $callbackData, $expiresIn);
    http_response_code(200);
    header("Content-Type:application/json");
    echo $response;