Alternative to formData()

robertdown wrote on Tuesday, August 13, 2013:

Per the inline documentation, formData() in formdata.inc.php is deprecated. What should we use, and why was it deprecated?

bradymiller wrote on Wednesday, August 14, 2013:

Hi,

For new scripts, use the “new” security model:
http://www.open-emr.org/wiki/index.php/Codebase_Security#Plan

For scripts that use the “old” security model (formData), you should keep using formData, although it is better to use the component functions that build that function (strip_escape_custom() and add_escape_custom()) if there is any code manipulation on the variable. The problem that arose with the formData function was that doing the magic_quote removal and the SQL escaping in the same function confused things, since the magic_quote removal should be done before the variable is used in code, and the SQL escaping should be done after the code (in cases where the variable is not simply being inserted into the database, which is frequent), at the point where the variable gets inserted into the database. Note the “new” security model does the magic quote cleansing automatically on all parameters when the scripts load, which is why formData() is not compatible with it (or it would “double” cleanse the magic quotes).

Hope this helps to clarify things. This is something you’ll get the hang of quickly after a couple code reviews.

-brady
OpenEMR
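The ordering rule in the post above, as an added example rather than OpenEMR's own code. Two stand-ins are assumed so it runs with no database: a request value written the way PHP's old magic_quotes_gpc delivered it (backslashes already added), and addslashes() in place of mysqli_real_escape_string(), which needs a live connection. The function names mirror OpenEMR's but are reimplemented here.

```php
<?php
// Added example, not OpenEMR's code. Assumptions: the "_demo" functions are
// local reimplementations of the named OpenEMR helpers, and addslashes()
// stands in for mysqli_real_escape_string() so the script needs no connection.

function strip_escape_custom_demo(string $s): string
{
    // Magic-quote removal: recover the user's raw text. Belongs at script entry.
    return stripslashes($s);
}

function add_escape_custom_demo(string $s): string
{
    // SQL string-literal escaping. Belongs at the point the value enters a query.
    return addslashes($s);
}

function formData_demo(string $s): string
{
    // The deprecated combination: both steps at once, before any code has used the value.
    return add_escape_custom_demo(strip_escape_custom_demo($s));
}

// Constructed input: the user typed O'Brien; magic quotes delivered O\'Brien.
$from_request = "O\\'Brien";

// 1. Old model done wrong: escape first, then manipulate. Truncating to a
//    column width can split the escape sequence, leaving a lone backslash
//    that swallows the closing quote of the SQL literal.
$early = formData_demo($from_request);
$truncated = substr($early, 0, 2);               // ends in a bare backslash, quote lost
$sql_bad = "INSERT INTO patient_data (lname) VALUES ('" . $truncated . "')";

// 2. Old model done right with the component functions: strip at entry,
//    manipulate the plain value, escape once at the database boundary.
$plain = strip_escape_custom_demo($from_request);
$fitted = substr($plain, 0, 2);                  // still the user's own text
$sql_good = "INSERT INTO patient_data (lname) VALUES ('" . add_escape_custom_demo($fitted) . "')";

// 3. New model: the framework has already stripped magic quotes on load, so
//    the value arrives as raw text. Running formData() on it again strips a
//    second time and silently removes any backslash the user actually typed.
$already_clean = "C:\\Users\\share";              // raw text as the new model delivers it
$double_cleansed = formData_demo($already_clean);  // user's backslashes are gone before escaping
$correct = add_escape_custom_demo($already_clean); // escaped once, data intact

foreach (['bad' => $sql_bad, 'good' => $sql_good,
          'double' => $double_cleansed, 'correct' => $correct] as $k => $v) {
    echo "$k: $v\n";
}
```

Run it with `php` on the command line and compare the four lines: the "bad" statement has an unbalanced quote, the "double" value has lost the path separators, and only "good" and "correct" carry the user's text through unchanged.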

Hi @brady.miller,
I am trying to figure out why I am getting
There was an OpenEMR SQL Escaping ERROR of the following string:
I dumped $s, $key, and $ok.
I have attached them. I am using v7.0.0 (2), Ubuntu 20.04.5, Apache 2.4.41, and PHP 7.4.
Do you know how I can fix this?
Where is the $whitelist?

In the formdata.inc.php file,
ok.txt (310 Bytes)
s.txt (8 Bytes)
key.txt (2 Bytes)

Is there an empty $s being passed to the function, or is there an empty value in $whitelist_items (if an array) in the array passed to the function?
Where are you seeing this error?
Is there anything after “There was an OpenEMR SQL Escaping ERROR of the following string:”? (If nothing, then that is why I suspect an empty value is getting in there.)

When I turn on the CDR, I get this error message.

There is nothing at the end of the string. $s is empty then.
I have not changed the white list. I do not know where the list is.

In this case it is passing an $s which is 2: . The whitelist is usually (not always the case) automatically built depending on what is being “escaped”. If escaping a SQL table name, then it actually collects all tables and ensures it exists. If escaping a SQL column name, then it collects all columns in a table (or tables) and ensures it exists. My guess here is that you have a custom CDR rule that is broken and it is looking for a SQL table or SQL column (called 2:) that does not exist.

btw, I deduced $s is 2: since the error comes from the following line:

die("<br /><span style='color:red;font-weight:bold;'>" . xlt("There was an OpenEMR SQL Escaping ERROR of the following string") . " " . text($s) . "</span><br />");
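The identifier whitelist check the post above describes, as an added example that is not OpenEMR's code. It reimplements the shape of that check so it runs with no database: the whitelist is a constructed array standing in for the column names the real code collects from the schema (an assumption about the mechanism), and the check throws an exception carrying a backtrace instead of calling die(), which is what actually locates the rule that produced a bad identifier such as `2:` or an empty string.

```php
<?php
// Added example, not OpenEMR's code. escape_identifier_demo() and
// column_for_rule() are hypothetical helpers; $columns is a constructed
// whitelist, not one collected from a live database.

class SqlEscapingError extends RuntimeException {}

// Check a SQL identifier (table or column name) against a whitelist of
// known-good names. Returns the identifier unchanged when it is listed;
// otherwise throws, carrying the offending string and the calling context.
function escape_identifier_demo(string $s, array $whitelist_items): string
{
    // Exact, case-sensitive match only: no normalisation, because the
    // identifier is spliced into SQL unquoted and must be one we already know.
    if ($s !== '' && in_array($s, $whitelist_items, true)) {
        return $s;
    }
    // Record where the bad identifier came from. A die() only prints the
    // string; the call chain is what points at the rule that produced it.
    $frames = [];
    foreach (debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS) as $f) {
        $frames[] = ($f['function'] ?? '?') . '@line ' . ($f['line'] ?? '?');
    }
    // var_export() shows an empty string as '' so it cannot hide as "nothing".
    throw new SqlEscapingError(
        "There was an OpenEMR SQL Escaping ERROR of the following string: "
        . var_export($s, true) . " (called via " . implode(' <- ', $frames) . ")"
    );
}

// Constructed whitelist standing in for the column names collected from a table.
$columns = ['id', 'pid', 'category', 'item', 'date', 'value'];

// A rule component that derives a column name from rule data (hypothetical).
function column_for_rule(array $rule, array $whitelist): string
{
    return escape_identifier_demo($rule['column'], $whitelist);
}

$good_rule   = ['column' => 'category'];
$broken_rule = ['column' => '2:'];   // the fragment the thread's error shows, not a column
$empty_rule  = ['column' => ''];     // the "nothing after the message" case

foreach ([$good_rule, $broken_rule, $empty_rule] as $rule) {
    try {
        $col = column_for_rule($rule, $columns);
        echo "ok: SELECT {$col} FROM rule_data\n";
    } catch (SqlEscapingError $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}
```

The rejected lines name both the offending string and the chain of functions that passed it down, which is the information a die() at the bottom of the escaping code does not give you; while debugging a broken rule, capturing that chain at the failure point is the quickest way back to the rule definition that supplied the bad name.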

Right, I stuck the 2 in there to show me which error message was being shown.
Where does the system “collect” the column names? How can I find the broken CDR?

Warning to future readers:
If you are working on the clinical reminders and this happens, delete the clinical reminder that was last built and start over.