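/**
 * Escape/sanitize a sql identifier variable to prepare for a sql query.
 *
 * Two modes are provided:
 *  1. Whitelisting ($whitelist_items is an array): the value returned is always
 *     one of the entries of $whitelist_items, never $s itself. If $s has no match
 *     the function either dies with an error on screen and in the log
 *     ($die_if_no_match TRUE) or falls back to the entry at key 0
 *     ($die_if_no_match FALSE). The match uses PHP's loose comparison
 *     (array_search without strict), so numeric strings compare numerically.
 *  2. Sanitizing ($whitelist_items is not an array): every character other than
 *     US alphanumerics, '_' and '.' is stripped from $s and the result returned.
 *     This mode is still experimental; whitelisting is preferred whenever the
 *     set of possible identifiers is known.
 *
 * NOTE: in whitelisting mode the fallback assumes key 0 exists; an empty or
 * non-list whitelist has no safe default (this matches the prior behaviour,
 * which read $ok[0] in that case).
 *
 * @param   string   $s                Sql identifier variable to be escaped/sanitized.
 * @param   array    $whitelist_items  Items used in whitelisting method (any non-array selects sanitizing mode).
 * @param   boolean  $die_if_no_match  If there is no match in the whitelist, then die and echo an error to screen and log.
 * @return  string                     Escaped/sanitized sql identifier variable.
 */
function escape_identifier($s, $whitelist_items, $die_if_no_match = FALSE)
{
    if (!is_array($whitelist_items)) {
        // Sanitizing mode: return a "cleaned" copy of $s
        // (this is currently experimental and goal is to avoid using this)
        return preg_replace('/[^a-zA-Z0-9_.]/', '', $s);
    }

    // Whitelisting mode: a single search replaces the previous in_array()
    // followed by array_search(); both used the same loose comparison.
    $key = array_search($s, $whitelist_items);
    if ($key === FALSE) {
        if ($die_if_no_match) {
            // No match and the $die_if_no_match flag is set,
            // so die() and send error messages to screen and log
            error_Log("ERROR: OpenEMR SQL Escaping ERROR of the following string: " . $s, 0);
            die("<br><span style='color:red;font-weight:bold;'>" . xlt("There was an OpenEMR SQL Escaping ERROR of the following string") . " " . text($s) . "</span><br>");
        }
        // Documented fallback: the first whitelist item. Previously this relied on
        // $ok[FALSE] being silently coerced to $ok[0]; make the default explicit.
        $key = 0;
    }

    // Always return the whitelist entry, never the caller-supplied $s.
    return $whitelist_items[$key];
}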
/**
 * Escape/sanitize a sql identifier variable to prepare for a sql query.
 *
 * Two modes are provided:
 *  1. Whitelisting ($whitelist_items is an array): the returned value is always
 *     one of the whitelist entries. A case sensitive match is attempted first; when
 *     $case_sens_match is FALSE and that fails, a case insensitive match is tried
 *     (both sides upper-cased). If there is still no match the function either
 *     dies with an error on screen and in the log ($die_if_no_match TRUE) or
 *     falls back to the entry at key 0 ($die_if_no_match FALSE).
 *  2. Sanitizing ($whitelist_items is not an array): every character other than
 *     US alphanumerics, '_' and '.' is stripped from $s. This mode is still
 *     experimental; whitelisting is preferred whenever the set of possible
 *     identifiers is known.
 *
 * @param   string   $s                Sql identifier variable to be escaped/sanitized.
 * @param   array    $whitelist_items  Items used in whitelisting method (any non-array selects sanitizing mode).
 * @param   boolean  $die_if_no_match  If there is no match in the whitelist, then die and echo an error to screen and log.
 * @param   boolean  $case_sens_match  Use case sensitive match (this is default).
 * @return  string                     Escaped/sanitized sql identifier variable.
 */
function escape_identifier($s, $whitelist_items, $die_if_no_match = FALSE, $case_sens_match = TRUE)
{
    if (!is_array($whitelist_items)) {
        // Sanitizing mode: return a "cleaned" copy of $s
        // (this is currently experimental and goal is to avoid using this)
        return preg_replace('/[^a-zA-Z0-9_.]/', '', $s);
    }

    // Whitelisting mode: exact (case sensitive) search first
    $matched = array_search($s, $whitelist_items);

    if ($matched === FALSE && !$case_sens_match) {
        // Fall back to a case insensitive comparison. array_map() with a single
        // array preserves keys, so a hit in the upper-cased copy indexes the
        // original whitelist.
        $upper_items = array_map("strtoupper", $whitelist_items);
        $matched = array_search(strtoupper($s), $upper_items);
    }

    if ($matched === FALSE) {
        if ($die_if_no_match) {
            // Still no match and $die_if_no_match is set, so die() and send error messages to screen and log
            error_Log("ERROR: OpenEMR SQL Escaping ERROR of the following string: " . $s, 0);
            die("<br><span style='color:red;font-weight:bold;'>" . xlt("There was an OpenEMR SQL Escaping ERROR of the following string") . " " . text($s) . "</span><br>");
        }
        // No match: the documented fallback is the first whitelist entry
        $matched = 0;
    }

    return $whitelist_items[$matched];
}
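 /**
  * Retrieves the current user consent access token from the user's session for a given scope.
  *
  * Returns null when no token is stored in the session for $scope, or when the stored
  * token is (about to be) expired and refreshing it via refreshConsentToken() failed.
  * The expiry check subtracts $this->reduce_token_expiry_by from the remaining lifetime,
  * so a token is refreshed slightly before its nominal expiry.
  *
  * @param string $scope the service that the app requires access to
  * @return OAuthToken|null the token, or null if none is available
  */
 public function getSessionConsentToken($scope)
 {
     $token = null;
     // NOTE: error_Log comments are left here on purpose, so that a developer may uncomment them for troubleshooting.
     if (isset($_SESSION['consent_tokens'][$scope]) && $_SESSION['consent_tokens'][$scope] != '') {
         // error_Log( "Checking for client_token in Session");
         $session_token = $_SESSION['consent_tokens'][$scope];
         // The expiry and refresh entries may be missing even when the access token is
         // present (previously this raised undefined-index notices). A missing expiry is
         // treated as already expired (null - now < 0), so a refresh is attempted instead
         // of handing out a token of unknown validity.
         $expires_at = isset($_SESSION['consent_expires_at'][$scope]) ? $_SESSION['consent_expires_at'][$scope] : null;
         $refresh_token = isset($_SESSION['consent_refresh_tokens'][$scope]) ? $_SESSION['consent_refresh_tokens'][$scope] : null;
         $token = new OAuthToken($session_token, $expires_at, $refresh_token);
         // time() is the same value as getdate()[0] (seconds since the Unix epoch)
         $time_now = time();
         $expires_in = $expires_at - $time_now - $this->reduce_token_expiry_by;
         if ($expires_in < 0) {
             // Try the refresh token. If the refresh fails, return null.
             error_Log("refreshing the consent token for " . $scope);
             try {
                 $token = $this->refreshConsentToken($token, $scope);
             } catch (Exception $e) {
                 // Record why the refresh failed (message only, never token values)
                 // so the failure is visible in the log rather than silently swallowed.
                 error_Log("consent token refresh failed for " . $scope . ": " . $e->getMessage());
                 $token = null;
             }
         }
         // error_Log(  "session client_token = " . $token->getAccessToken());
     }
     return $token;
 }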
    if (EXTRA_LOGGING) {
        error_Log("all done.");
    }
    # check for the next task
    $next = $db->querySingle("\n        SELECT task_id, moddir, command\n          FROM tasks\n         WHERE pid IS NULL\n           AND dismissed IS NULL\n         ORDER BY task_id LIMIT 1\n    ", true);
    $db_started = $db->escapeString(time());
    if ($next) {
        if (EXTRA_LOGGING) {
            error_Log("New task found, rsyncing {$next['moddir']}...");
        }
        $db_task_id = $next['task_id'];
        $cmd = $next['command'];
        $moddir = $next['moddir'];
        $db->exec("\n            UPDATE tasks\n               SET started = '{$db_started}',\n                   files_done = '0',\n                   data_done = '0',\n                   data_rate = ''\n             WHERE task_id = '{$db_task_id}'\n        ");
    } else {
        if (EXTRA_LOGGING) {
            error_Log("No more tasks, exiting...");
        }
        # no more tasks -- yay
        break;
    }
}
# Restart kiwix once, after all installs/updates have finished, so it
# picks up which modules are now visible/hidden. Restarting after every
# module would be excessive; revisit this if anyone complains.
kiwix_restart();
# Final log line, emitted only when extra logging is enabled.
EXTRA_LOGGING && error_Log("Goodbye.");
exit(0);
         $notifications_for_subscription = $notifications[$subscription_id];
     } else {
         $notifications_for_subscription = array();
     }
     $response = json_encode(array('notificationEvents' => $notifications_for_subscription));
     $notifications[$subscription_id] = array();
     file_put_contents('notifications.json', json_encode($notifications), LOCK_EX);
     http_response_code(200);
     echo $response;
     break;
 case "updateSubscription":
     $postBody = file_get_contents('php://input');
     $subscriptionParams = json_decode($postBody);
     if (!$subscriptionParams) {
         error_Log("JSON error: " . json_last_error_msg());
         error_Log("JSON data: " . $postBody);
         return_json_error(400, json_last_error_msg . " : " . $postBody);
         break;
     }
     $callbackData = null;
     $expiresIn = 3600;
     if (isset($subscriptionParams->callbackData)) {
         $callbackData = $subscriptionParams->callbackData;
     }
     if (isset($subscriptionParams->expiresIn)) {
         $expiresIn = $subscriptionParams->expiresIn;
     }
     $response = $service_provider->updateSubscription($subscriptionId, $subscriptionParams->events, $callbackData, $expiresIn);
     http_response_code(200);
     header("Content-Type:application/json");
     echo $response;