<?php
// Our API for 3rd-party developers: form helpers (page header/footer markup,
// insert/update/fetch of form rows, activity toggling) built on the sql.inc,
// billing.inc and formdata.inc.php helpers included below.
// NOTE(review): "../../globals.php" is a relative path, so which file is loaded
// depends on the script that includes this file -- presumably a form script
// two directories below the application root; confirm against the callers.
include_once("../../globals.php");
include_once("{$GLOBALS['srcdir']}/sql.inc");
include_once("{$GLOBALS['srcdir']}/billing.inc");
include_once("{$GLOBALS['srcdir']}/formdata.inc.php");
// Exit URL shared with form pages; $rootdir is expected to be set by globals.php (not visible here).
$GLOBALS['form_exit_url'] = "$rootdir/patient_file/encounter/encounter_top.php" ;
/**
 * Emit the opening markup of a form page: <html>, <head> (html_header_show(),
 * the configured stylesheet and the page title) and the opening <body> tag.
 * Output goes straight to the response; nothing is returned.
 *
 * @param string $title Page title. It is echoed into <title> without HTML
 *                      escaping, as are $GLOBALS['css_header'] and
 *                      $GLOBALS['backpic'] into their attributes, so callers
 *                      must supply trusted or already-escaped values.
 */
function formHeader ($title = "My Form")
{
    // The lines between the closing and reopening PHP tags below are literal HTML written as-is.
?>
<html>
<head>
<?php html_header_show();?>
<link rel=stylesheet href="<?php echo $GLOBALS['css_header']?>" type="text/css">
<title><?php echo $title?></title>
</head>
<body background="<?php echo $GLOBALS['backpic']?>" topmargin=0 rightmargin=0 leftmargin=2 bottommargin=0 marginwidth=2 marginheight=0>
<?php
}
/**
 * Emit the closing </body> and </html> tags that pair with formHeader().
 * The markup is written straight to the output stream; nothing is returned.
 */
function formFooter ()
{
    echo "</body>\n</html>\n";
}
// This function will escape the $values when using the new security method (ie. $sanitize_all_escapes is TRUE).
// Otherwise, this function expects the $values to already be escaped(original and legacy behavior).
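/**
 * Insert one row for a form into $tableName, stamped with the session's pid,
 * provider group, user, the given authorization flag, activity=1 and the
 * current date, followed by one column per entry in $values.
 *
 * Two families of keys are turned into billing lines instead of columns:
 *  - keys starting with "libreehr_net_cpt": the value is split on its first
 *    space into "CODE[ TEXT]" and booked as a CPT4 line via addBilling();
 *  - keys ending in "diagnosis" plus exactly one character (e.g. "diagnosis1"):
 *    likewise, but booked as an ICD9-M line.
 *
 * Escaping: when the global $sanitize_all_escapes is true, keys are checked
 * with escape_sql_column_name() and values escaped with add_escape_custom()
 * here. Otherwise (legacy behavior) keys and values are interpolated into the
 * SQL verbatim and the CALLER is responsible for escaping them; untrusted
 * input must never reach this function unescaped in that mode.
 *
 * @param string $tableName  Form table; passed through escape_table_name().
 * @param array  $values     Column => value map from the submitted form.
 * @param mixed  $id         Unused; kept for signature symmetry with formUpdate().
 * @param string $authorized Value stored in the `authorized` column.
 * @return mixed Whatever sqlInsert() returns for the insert statement.
 */
function formSubmit ($tableName, $values, $id, $authorized = "0")
{
    // Bring in $sanitize_all_escapes variable, which will decide
    // the variable escaping method.
    global $sanitize_all_escapes;
    $escapeHere = isset($sanitize_all_escapes) && $sanitize_all_escapes;

    $sql = "insert into " . escape_table_name($tableName)
        . " set pid ='" . add_escape_custom($_SESSION['pid']) . "'"
        . ",groupname='" . add_escape_custom($_SESSION['authProvider']) . "'"
        . ",user='" . add_escape_custom($_SESSION['authUser']) . "'"
        . ",authorized='" . add_escape_custom($authorized) . "'"
        . ",activity=1, date = NOW(),";

    foreach ($values as $key => $value) {
        if (strpos($key, "libreehr_net_cpt") === 0) {
            // Auto-add a CPT code; the value is "CODE" optionally followed by " description".
            if (!empty($value)) {
                $code_array = explode(" ", $value, 2);
                // A value without a description has no element 1; avoid the undefined-offset notice.
                $code_text = isset($code_array[1]) ? $code_array[1] : '';
                addBilling(date("Ymd"), 'CPT4', $code_array[0], $code_text, $_SESSION['pid'], $authorized, $_SESSION['authUserID']);
            }
        } elseif (strpos($key, "diagnosis") !== false && strpos($key, "diagnosis") === (strlen($key) - 10)) {
            // Key looks like "[a-zA-Z]*diagnosis[0-9]": the first "diagnosis" sits 9 chars
            // before the end, i.e. one trailing character. Auto-add an ICD9-CM code.
            if (!empty($value)) {
                $code_array = explode(" ", $value, 2);
                $code_text = isset($code_array[1]) ? $code_array[1] : '';
                addBilling(date("Ymd"), 'ICD9-M', $code_array[0], $code_text, $_SESSION['pid'], $authorized, $_SESSION['authUserID']);
            }
        } else {
            if ($escapeHere) {
                // New security method: escape the key and value here.
                $sql .= " " . escape_sql_column_name($key, array($tableName)) . " = '" . add_escape_custom($value) . "',";
            } else {
                // Legacy method: relies on the caller having escaped $key and $value already.
                $sql .= " $key = '$value',";
            }
        }
    }

    // Drop the trailing comma left by the last assignment (or by "date = NOW()," when $values adds none).
    $sql = substr($sql, 0, -1);
    return sqlInsert($sql);
}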
/**
 * Update the row $id of form table $tableName: re-stamps pid, provider group,
 * user, the authorization flag, activity=1 and the current date, then sets one
 * column per entry in $values.
 *
 * Escaping: when the global $sanitize_all_escapes is true, keys are checked
 * with escape_sql_column_name() and values escaped with add_escape_custom()
 * here. Otherwise (legacy behavior) keys and values are interpolated verbatim
 * and the CALLER must have escaped them before calling.
 *
 * @param string $tableName  Form table; passed through escape_table_name().
 * @param array  $values     Column => value map from the submitted form.
 * @param mixed  $id         Row id; escaped with add_escape_custom().
 * @param string $authorized Value stored in the `authorized` column.
 * @return mixed Whatever sqlInsert() returns for the update statement.
 */
function formUpdate ($tableName, $values, $id, $authorized = "0")
{
    // The escaping method is chosen by the global $sanitize_all_escapes flag.
    global $sanitize_all_escapes;
    $escapeHere = isset($sanitize_all_escapes) && $sanitize_all_escapes;

    $sql = "update " . escape_table_name($tableName)
        . " set pid ='" . add_escape_custom($_SESSION['pid']) . "'"
        . ",groupname='" . add_escape_custom($_SESSION['authProvider']) . "'"
        . ",user='" . add_escape_custom($_SESSION['authUser']) . "'"
        . ",authorized='" . add_escape_custom($authorized) . "'"
        . ",activity=1, date = NOW()";

    // One " col = 'val'" fragment per submitted field, joined with commas below.
    $assignments = array();
    foreach ($values as $column => $cell) {
        if ($escapeHere) {
            // New security method: escape the key and value here.
            $assignments[] = " " . escape_sql_column_name($column, array($tableName)) . " = '" . add_escape_custom($cell) . "'";
        } else {
            // Legacy method: relies on the caller having escaped the key and value already.
            $assignments[] = " $column = '$cell'";
        }
    }
    if (count($assignments) > 0) {
        $sql .= "," . implode(",", $assignments);
    }

    $sql .= " where id='" . add_escape_custom($id) . "'";
    return sqlInsert($sql);
}
/**
 * Emit a script that restores the session and redirects the top window, then exit.
 *
 * @param string $address Target URL. "0" (the default) means the encounter
 *                        page under $GLOBALS['rootdir']. The value is placed
 *                        inside a single-quoted JavaScript string without any
 *                        escaping, so only trusted URLs should be passed.
 * @return never Calls exit after writing the script.
 */
function formJump ($address = "0")
{
    if ($address == "0") {
        $address = $GLOBALS['rootdir'] . '/patient_file/encounter/encounter_top.php';
    }
    printf("\n<script language='Javascript'>top.restoreSession();window.location='%s';</script>\n", $address);
    exit;
}
/**
 * Fetch the newest row of a form table for the current patient ($GLOBALS['pid']).
 *
 * @param string $tableName Form table; passed through escape_table_name() to support
 *                          dynamic form names and to mitigate table-name casing issues.
 * @param mixed  $id        Row id, bound as a query parameter.
 * @param string $cols      Column list interpolated verbatim into the SELECT; must be
 *                          a trusted literal, never user input.
 * @param string $activity  Activity flag matched with LIKE, bound as a parameter.
 * @return mixed Whatever sqlQuery() returns for the single-row query.
 */
function formFetch ($tableName, $id, $cols="*", $activity="1")
{
    $table = escape_table_name($tableName);
    $sql = "select $cols from `{$table}` where id=? and pid = ? and activity like ? order by date DESC LIMIT 0,1";
    $binds = array($id, $GLOBALS['pid'], $activity);
    return sqlQuery($sql, $binds);
}
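/**
 * List rows of a form table for the current patient ($GLOBALS['pid']), newest first.
 *
 * With $limit == "all" the query reads $tableName. Any other $limit takes the
 * second path of the original code, which reads the `pnotes` table (not
 * $tableName), skips rows flagged deleted and applies "LIMIT $start, $limit".
 * That path is kept unchanged because callers may depend on it.
 * NOTE(review): the pnotes branch looks like a copy/paste artifact -- confirm
 * before relying on it for other tables.
 *
 * @param string $tableName Form table; passed through escape_table_name().
 * @param string $cols      Column list interpolated verbatim; must be a trusted literal.
 * @param string $limit     "all", or a row count for the LIMIT clause (cast to int).
 * @param int    $start     LIMIT offset (cast to int).
 * @param string $activity  "all" for any activity, else the value matched with LIKE (bound).
 * @return array List of rows from sqlFetchArray(); empty array when nothing matches.
 */
function formGetIds ($tableName, $cols = "*", $limit='all', $start=0, $activity = "1")
{
    // The original read a local $pid that is never set in this scope; the patient
    // id lives in $GLOBALS['pid'], as formFetch() uses it. Bind it instead of interpolating.
    $binds = array($GLOBALS['pid']);
    if ($limit == "all") {
        // Run through escape_table_name() to support dynamic form names and mitigate table casing issues.
        $sql = "select $cols from `" . escape_table_name($tableName) . "` where pid like ? ";
        if ($activity != "all") {
            $sql .= "and activity like ? ";
            $binds[] = $activity;
        }
        $sql .= "order by date DESC";
    } else {
        $sql = "select $cols from pnotes where pid like ? ";
        $sql .= " AND deleted != 1 "; // exclude ALL deleted notes
        if ($activity != "all") {
            $sql .= "and activity like ? ";
            $binds[] = $activity;
        }
        // LIMIT operands cannot be bound as strings; coerce to integers rather than interpolating raw input.
        $sql .= "order by date DESC LIMIT " . (int) $start . ", " . (int) $limit;
    }
    $res = sqlStatement($sql, $binds);
    // Start from an empty list so callers always get an array (the original
    // returned an undefined variable when no row matched).
    $all = array();
    while ($row = sqlFetchArray($res)) {
        $all[] = $row;
    }
    return $all;
}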
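/**
 * Mark row $id of a form table inactive (activity = '0') for the current patient.
 *
 * @param string $tableName Form table; passed through escape_table_name() to support
 *                          dynamic form names and mitigate table-name casing issues.
 * @param mixed  $id        Row id, bound as a query parameter.
 * @return bool true when sqlStatement() returned a truthy result, false otherwise.
 */
function formDisappear ($tableName, $id)
{
    // The original interpolated $id unescaped and read a $pid that is undefined in
    // this scope; bind both, taking the patient id from $GLOBALS['pid'] as formFetch() does.
    $sql = "update `" . escape_table_name($tableName) . "` set activity = '0' where id=? and pid=?";
    $res = sqlStatement($sql, array($id, $GLOBALS['pid']));
    return $res ? true : false;
}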
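/**
 * Mark row $id of a form table active again (activity = '1') for the current patient.
 *
 * @param string $tableName Form table; passed through escape_table_name() to support
 *                          dynamic form names and mitigate table-name casing issues.
 * @param mixed  $id        Row id, bound as a query parameter.
 * @return bool true when sqlStatement() returned a truthy result, false otherwise.
 */
function formReappear ($tableName, $id)
{
    // The original interpolated $id unescaped and read a $pid that is undefined in
    // this scope; bind both, taking the patient id from $GLOBALS['pid'] as formFetch() does.
    $sql = "update `" . escape_table_name($tableName) . "` set activity = '1' where id=? and pid=?";
    $res = sqlStatement($sql, array($id, $GLOBALS['pid']));
    return $res ? true : false;
}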
?>