diff --git a/interface/main/left_nav.php b/interface/main/left_nav.php
index 315610855b9..ec4fd8c5468 100644
--- a/interface/main/left_nav.php
+++ b/interface/main/left_nav.php
@@ -40,7 +40,6 @@
 // * interface/patient_file/history/history_full.php: target changes.
 // * interface/patient_file/history/history_save.php: target change.
 // * interface/patient_file/history/encounters.php: link/target changes.
- // * interface/patient_file/history/encounters_full.php: link/target changes.
 // * interface/patient_file/encounter/encounter_top.php: another new frameset
 // cloned from patient_encounter.php.
 // * interface/patient_file/encounter/forms.php: link target removal.
diff --git a/interface/patient_file/history/edit_billnote.php b/interface/patient_file/history/edit_billnote.php
index 77394da24b0..0b2c54f854e 100644
--- a/interface/patient_file/history/edit_billnote.php
+++ b/interface/patient_file/history/edit_billnote.php
@@ -6,6 +6,14 @@
 // as published by the Free Software Foundation; either version 2
 // of the License, or (at your option) any later version.
 
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 include_once("../../globals.php");
 include_once("$srcdir/log.inc");
 include_once("$srcdir/acl.inc");
@@ -15,7 +23,7 @@
 $info_msg = "";
 $thisauth = (acl_check('acct', 'bill') == 'write');
- if (! $thisauth) die(xl('Not authorized'));
+ if (! $thisauth) die(htmlspecialchars(xl('Not authorized'),ENT_NOQUOTES));
 ?>
@@ -30,16 +38,18 @@ ", $fenote); $fenote = str_replace("\n" , "(".xl('Encounters not authorized').")
\n"; + echo "(".htmlspecialchars( xl('Encounters not authorized'), ENT_NOQUOTES).")
\n"; echo "\n\n"; exit(); } @@ -45,7 +54,7 @@ // Perhaps the view choice should be saved as a session variable. // $tmp = sqlQuery("select authorized from users " . - "where id = '" . $_SESSION['authUserID'] . "'"); + "where id = ?", array($_SESSION['authUserID']) ); $billing_view = ($tmp['authorized'] || $GLOBALS['athletic_team']) ? 0 : 1; if (isset($_GET['billing'])) $billing_view = empty($_GET['billing']) ? 0 : 1; @@ -57,32 +66,31 @@ function showDocument(&$drow) { $docdate = $drow['docdate']; - echo "+ | - | + | - | - | - | + | + | + | - | - | - | - | - | + | + | + | + | + | - | + | - | + | |||||||||
" . oeFormatShortDate($raw_encounter_date) . " | \n"; + echo "" . htmlspecialchars( oeFormatShortDate($raw_encounter_date), ENT_NOQUOTES) . " | \n"; if ($billing_view) { // Show billing note that you can click on to edit. - $feid = $result4['id'] ? $result4['id'] : 0; // form_encounter id + $feid = $result4['id'] ? htmlspecialchars( $result4['id'], ENT_QUOTES) : 0; // form_encounter id echo "";
echo " ";
//echo " ";
- echo " ";
- echo $result4['billing_note'] ? nl2br($result4['billing_note']) : xl('Add','','[',']');
+ echo " ";
echo "";
+ echo $result4['billing_note'] ? nl2br(htmlspecialchars( $result4['billing_note'], ENT_NOQUOTES)) : htmlspecialchars( xl('Add','','[',']'), ENT_NOQUOTES);
echo " ";
echo " | \n";
@@ -306,19 +315,19 @@ function closeNote(feid, fenote) {
if ($auth_med && $auth_sensitivity) {
$ires = sqlStatement("SELECT lists.type, lists.title, lists.begdate " .
"FROM issue_encounter, lists WHERE " .
- "issue_encounter.pid = '$pid' AND " .
- "issue_encounter.encounter = '" . $iter['encounter'] . "' AND " .
+ "issue_encounter.pid = ? AND " .
+ "issue_encounter.encounter = ? AND " .
"lists.id = issue_encounter.list_id " .
- "ORDER BY lists.type, lists.begdate");
+ "ORDER BY lists.type, lists.begdate", array($pid,$iter['encounter']) );
for ($i = 0; $irow = sqlFetchArray($ires); ++$i) {
if ($i > 0) echo "$provname | \n"; @@ -401,7 +410,7 @@ function closeNote(feid, fenote) { if ($billing_view && $accounting_enabled) { if ($INTEGRATED_AR) { $tmp = sqlQuery("SELECT id FROM form_encounter WHERE " . - "pid = '$pid' AND encounter = '" . $iter['encounter'] . "'"); + "pid = ? AND encounter = ?", array($pid,$iter['encounter']) ); $arid = 0 + $tmp['id']; if ($arid) $arinvoice = ar_get_invoice_summary($pid, $iter['encounter'], true); } @@ -411,7 +420,8 @@ function closeNote(feid, fenote) { if ($arid) $arinvoice = get_invoice_summary($arid, true); } if ($arid) { - $arlinkbeg = ""; $arlinkend = ""; } @@ -421,9 +431,9 @@ function closeNote(feid, fenote) { $query = "SELECT s.drug_id, s.fee, d.name " . "FROM drug_sales AS s " . "LEFT JOIN drugs AS d ON d.drug_id = s.drug_id " . - "WHERE s.pid = '$pid' AND s.encounter = '{$iter['encounter']}' " . + "WHERE s.pid = ? AND s.encounter = ? " . "ORDER BY s.sale_id"; - $sres = sqlStatement($query); + $sres = sqlStatement($query, array($pid,$iter['encounter']) ); while ($srow = sqlFetchArray($sres)) { $subresult2[] = array('code_type' => 'PROD', 'code' => 'PROD:' . $srow['drug_id'], 'modifier' => '', @@ -436,7 +446,7 @@ function closeNote(feid, fenote) { // Next 2 lines were to skip diagnoses, but that seems unpopular. // if ($iter2['code_type'] != 'COPAY' && // !$code_types[$iter2['code_type']]['fee']) continue; - $title = addslashes($iter2['code_text']); + $title = htmlspecialchars( ($iter2['code_text']), ENT_QUOTES); $codekey = $iter2['code']; if ($iter2['code_type'] == 'COPAY') $codekey = 'CO-PAY'; if ($iter2['modifier']) $codekey .= ':' . $iter2['modifier']; 
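Review bot: In the @@ -436 hunk, `$title = htmlspecialchars( ($iter2['code_text']), ENT_QUOTES);` moves `$title` from JavaScript-string escaping (addslashes) to HTML-attribute escaping, but the consumer of `$title` is not in this hunk; the next hunk shows only a commented-out `//onmouseover='ttshow(this,\"$title\")'`, and the live `$binfo[0] .= "<span ...` line is not legible on this page. ENT_QUOTES is the right choice if `$title` ends up inside a quoted HTML attribute, whereas if any remaining path still writes it into a JS string literal, htmlspecialchars on its own leaves backslashes and line breaks untouched and the old addslashes protection is gone, so the single remaining use is worth confirming. The extra parentheses around `$iter2['code_text']` are redundant: `$title = htmlspecialchars($iter2['code_text'], ENT_QUOTES);`. The enclosing loop body starts and ends outside the hunk.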
@@ -444,7 +454,7 @@ function closeNote(feid, fenote) { // $binfo[0] .= "". $binfo[0] .= "". //onmouseover='ttshow(this,\"$title\")' onmouseout='tthide()'>" . - $arlinkbeg . ($codekey == 'CO-PAY' ? xl($codekey) : $codekey) . + $arlinkbeg . htmlspecialchars( ($codekey == 'CO-PAY' ? xl($codekey) : $codekey), ENT_NOQUOTES) . $arlinkend . ""; if ($billing_view && $accounting_enabled) { if ($binfo[1]) { @@ -453,15 +463,15 @@ function closeNote(feid, fenote) { if (empty($arinvoice[$codekey])) { // If no invoice, show the fee. if ($arlinkbeg) $binfo[1] .= ' '; - else $binfo[1] .= oeFormatMoney($iter2['fee']); + else $binfo[1] .= htmlspecialchars( oeFormatMoney($iter2['fee']), ENT_NOQUOTES); for ($i = 2; $i < 5; ++$i) $binfo[$i] .= ' '; } else { - $binfo[1] .= oeFormatMoney($arinvoice[$codekey]['chg'] + $arinvoice[$codekey]['adj']); - $binfo[2] .= oeFormatMoney($arinvoice[$codekey]['chg'] - $arinvoice[$codekey]['bal']); - $binfo[3] .= oeFormatMoney($arinvoice[$codekey]['adj']); - $binfo[4] .= oeFormatMoney($arinvoice[$codekey]['bal']); + $binfo[1] .= htmlspecialchars( oeFormatMoney($arinvoice[$codekey]['chg'] + $arinvoice[$codekey]['adj']), ENT_NOQUOTES); + $binfo[2] .= htmlspecialchars( oeFormatMoney($arinvoice[$codekey]['chg'] - $arinvoice[$codekey]['bal']), ENT_NOQUOTES); + $binfo[3] .= htmlspecialchars( oeFormatMoney($arinvoice[$codekey]['adj']), ENT_NOQUOTES); + $binfo[4] .= htmlspecialchars( oeFormatMoney($arinvoice[$codekey]['bal']), ENT_NOQUOTES); unset($arinvoice[$codekey]); } } @@ -475,11 +485,11 @@ function closeNote(feid, fenote) { for ($i = 0; $i < 5; ++$i) $binfo[$i] .= '(No access) | \n"; + echo "(".htmlspecialchars( xl("No access"), ENT_NOQUOTES).") | \n"; } // show insurance 
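Review bot: The four `$binfo[n] .= htmlspecialchars( oeFormatMoney(...), ENT_NOQUOTES);` lines in the @@ -453 hunk, like every htmlspecialchars call in this commit, omit the charset argument, so how non-ASCII output (translated labels from xl(), formatted money) is treated depends on the interpreter's default rather than on the code; passing `'UTF-8'` explicitly (and, on PHP versions that have it, ENT_SUBSTITUTE, so an invalid byte sequence does not turn the cell into an empty string) pins the behaviour. The same applies to the @@ -444 and @@ -475 hunks on this line and to the earlier hunks in this file. Style-wise the repeated call would read better through one small helper in the file, e.g. `function esc_html($s) { return htmlspecialchars($s, ENT_NOQUOTES, 'UTF-8'); }`, so each line becomes `$binfo[3] .= esc_html(oeFormatMoney($arinvoice[$codekey]['adj']));`. The enclosing if/else and the loop around it start outside the hunk.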
@@ -510,28 +520,28 @@ function closeNote(feid, fenote) { $subresult5 = getInsuranceDataByDate($pid, $raw_encounter_date, "primary"); if ($subresult5 && $subresult5{"provider_name"}) { $style = $responsible == 1 ? " style='color:red'" : ""; - $insured = " " . xl('Primary') . ": " . - $subresult5{"provider_name"} . "".$insured." | \n"; diff --git a/interface/patient_file/history/encounters_full.php b/interface/patient_file/history/encounters_full.php deleted file mode 100644 index 24103f164ba..00000000000 --- a/interface/patient_file/history/encounters_full.php +++ /dev/null @@ -1,223 +0,0 @@ -\n\n"; - echo "
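Review bot: The context line `if ($subresult5 && $subresult5{"provider_name"}) {` in the @@ -510 hunk, and the removed `$subresult5{"provider_name"}` concatenation the hunk rewrites, use curly-brace array offsets, a form PHP 7.4 deprecates and PHP 8 removes; the added replacement lines are not legible on this page, so I cannot tell whether they keep that form. Since the hunk already touches these lines, switching both to `$subresult5["provider_name"]` avoids a later breakage at no cost. The enclosing loop body extends beyond the hunk.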