diff --git a/interface/main/left_nav.php b/interface/main/left_nav.php index 315610855b9..ec4fd8c5468 100644 --- a/interface/main/left_nav.php +++ b/interface/main/left_nav.php @@ -40,7 +40,6 @@ // * interface/patient_file/history/history_full.php: target changes. // * interface/patient_file/history/history_save.php: target change. // * interface/patient_file/history/encounters.php: link/target changes. - // * interface/patient_file/history/encounters_full.php: link/target changes. // * interface/patient_file/encounter/encounter_top.php: another new frameset // cloned from patient_encounter.php. // * interface/patient_file/encounter/forms.php: link target removal. diff --git a/interface/patient_file/history/edit_billnote.php b/interface/patient_file/history/edit_billnote.php index 77394da24b0..0b2c54f854e 100644 --- a/interface/patient_file/history/edit_billnote.php +++ b/interface/patient_file/history/edit_billnote.php @@ -6,6 +6,14 @@ // as published by the Free Software Foundation; either version 2 // of the License, or (at your option) any later version. +//SANITIZE ALL ESCAPES +$sanitize_all_escapes=true; +// + +//STOP FAKE REGISTER GLOBALS +$fake_register_globals=false; +// + include_once("../../globals.php"); include_once("$srcdir/log.inc"); include_once("$srcdir/acl.inc"); @@ -15,7 +23,7 @@ $info_msg = ""; $thisauth = (acl_check('acct', 'bill') == 'write'); - if (! $thisauth) die(xl('Not authorized')); + if (! $thisauth) die(htmlspecialchars(xl('Not authorized'),ENT_NOQUOTES)); ?> @@ -30,16 +38,18 @@ ", $fenote); $fenote = str_replace("\n" , "
", $fenote); if (! $fenote) $fenote = '['. xl('Add') . ']'; @@ -50,18 +60,18 @@ } $tmp = sqlQuery("SELECT billing_note FROM form_encounter " . - " WHERE id = '$feid'"); + " WHERE id = ?", array($feid) ); $fenote = $tmp['billing_note']; ?> -
+
- +

- /> +' />    - /> +' />

diff --git a/interface/patient_file/history/encounters.php b/interface/patient_file/history/encounters.php index 17fd53534a5..397a1d7aa10 100644 --- a/interface/patient_file/history/encounters.php +++ b/interface/patient_file/history/encounters.php @@ -4,6 +4,14 @@ // as published by the Free Software Foundation; either version 2 // of the License, or (at your option) any later version. +//SANITIZE ALL ESCAPES +$sanitize_all_escapes=true; +// + +//STOP FAKE REGISTER GLOBALS +$fake_register_globals=false; +// + require_once("../../globals.php"); require_once("$srcdir/forms.inc"); require_once("$srcdir/billing.inc"); @@ -15,6 +23,7 @@ require_once("$srcdir/invoice_summary.inc.php"); require_once("$srcdir/formatting.inc.php"); require_once("../../../custom/code_types.inc.php"); +require_once("$srcdir/formdata.inc.php"); $accounting_enabled = $GLOBALS['oer_config']['ws_accounting']['enabled']; $INTEGRATED_AR = $accounting_enabled === 2; @@ -37,7 +46,7 @@ if (!($auth_notes_a || $auth_notes || $auth_coding_a || $auth_coding || $auth_med || $auth_relaxed)) { echo "\n\n"; - echo "

(".xl('Encounters not authorized').")

\n"; + echo "

(".htmlspecialchars( xl('Encounters not authorized'), ENT_NOQUOTES).")

\n"; echo "\n\n"; exit(); } @@ -45,7 +54,7 @@ // Perhaps the view choice should be saved as a session variable. // $tmp = sqlQuery("select authorized from users " . - "where id = '" . $_SESSION['authUserID'] . "'"); + "where id = ?", array($_SESSION['authUserID']) ); $billing_view = ($tmp['authorized'] || $GLOBALS['athletic_team']) ? 0 : 1; if (isset($_GET['billing'])) $billing_view = empty($_GET['billing']) ? 0 : 1; @@ -57,32 +66,31 @@ function showDocument(&$drow) { $docdate = $drow['docdate']; - echo "\n"; + echo "\n"; // show date - echo "" . oeFormatShortDate($docdate) . "\n"; + echo "" . htmlspecialchars( oeFormatShortDate($docdate), ENT_NOQUOTES) . "\n"; // show associated issue, if any echo ""; if ($auth_med) { $irow = sqlQuery("SELECT type, title, begdate " . "FROM lists WHERE " . - "id = '" . $drow['list_id'] . "' " . - "LIMIT 1"); + "id = ? " . + "LIMIT 1", array($drow['list_id']) ); if ($irow) { $tcode = $irow['type']; if ($ISSUE_TYPES[$tcode]) $tcode = $ISSUE_TYPES[$tcode][2]; - echo "$tcode: " . $irow['title']; + echo htmlspecialchars("$tcode: " . $irow['title'], ENT_NOQUOTES); } } else { - echo "(" . xl('No access') . ")"; + echo "(" . htmlspecialchars( xl('No access'), ENT_NOQUOTES) . ")"; } echo "\n"; // show document name and category echo "". - xl('Document') . ": " . - basename($drow['url']) . ' (' . xl_document_category($drow['name']) . ')' . + htmlspecialchars( xl('Document') . ": " . basename($drow['url']) . ' (' . xl_document_category($drow['name']) . ')', ENT_NOQUOTES) . "\n"; // skip billing and insurance columns @@ -145,7 +153,7 @@ function editNote(feid) { // Called when the billing note editor closes. function closeNote(feid, fenote) { - var c = "
' class='text billing_note_text'>" + + var c = "
' class='text billing_note_text'>" + fenote + "
"; setDivContent('note_' + feid, c); } @@ -162,41 +170,41 @@ function closeNote(feid, fenote) { - +    -() +() -() +()
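Review bot: closeNote hands `fenote` to setDivContent as markup, so the new wrapping div still depends on the opener having HTML-escaped the note text before newlines were turned into `<br>`, and nothing in the function records that contract. A short comment above the function would make the responsibility explicit, e.g. `// fenote is inserted as HTML: the editor window (edit_billnote.php) must HTML-escape it before converting newlines to <br>.` Whether edit_billnote.php actually does so is not visible from this diff, so it is worth confirming while the escaping pass is under way.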
- + - + - - - + + + - - - - - + + + + + - + - + @@ -207,8 +215,8 @@ function closeNote(feid, fenote) { // Query the documents for this patient. $dres = sqlStatement("SELECT d.id, d.type, d.url, d.docdate, d.list_id, c.name " . "FROM documents AS d, categories_to_documents AS cd, categories AS c WHERE " . - "d.foreign_id = '$pid' AND cd.document_id = d.id AND c.id = cd.category_id " . - "ORDER BY d.docdate DESC, d.id DESC"); + "d.foreign_id = ? AND cd.document_id = d.id AND c.id = cd.category_id " . + "ORDER BY d.docdate DESC, d.id DESC", array($pid) ); $drow = sqlFetchArray($dres); } @@ -239,27 +247,27 @@ function closeNote(feid, fenote) { if ($result4 = sqlQuery("SELECT fe.*, u.fname, u.mname, u.lname " . "FROM form_encounter AS fe " . "LEFT JOIN users AS u ON u.id = fe.provider_id " . - "WHERE fe.encounter = '" . $iter["encounter"] . - "' AND fe.pid = '$pid'")) + "WHERE fe.encounter = ? " . + "AND fe.pid = ?", array($iter["encounter"],$pid) )) { $raw_encounter_date = date("Y-m-d", strtotime($result4{"date"})); $encounter_date = date("D F jS", strtotime($result4{"date"})); // if ($auth_notes_a || ($auth_notes && $iter['user'] == $_SESSION['authUser'])) - $reason_string .= $result4{"reason"} . "
\n"; + $reason_string .= htmlspecialchars( $result4{"reason"}, ENT_NOQUOTES) . "
\n"; // else // $reason_string = "(No access)"; if ($result4['sensitivity']) { $auth_sensitivity = acl_check('sensitivities', $result4['sensitivity']); if (!$auth_sensitivity) { - $reason_string = "(No access)"; + $reason_string = "(".htmlspecialchars( xl("No access"), ENT_NOQUOTES).")"; } } } - $erow = sqlQuery("SELECT user FROM forms WHERE encounter = '" . - $iter['encounter'] . "' AND formdir = 'newpatient' LIMIT 1"); + $erow = sqlQuery("SELECT user FROM forms WHERE encounter = ? " . + "AND formdir = 'newpatient' LIMIT 1", array($iter['encounter']) ); // This generates document lines as appropriate for the date order. while ($drow && $raw_encounter_date && $drow['docdate'] > $raw_encounter_date) { @@ -279,20 +287,21 @@ function closeNote(feid, fenote) { } $rawdata = $iter['encounter'] . "~" . oeFormatShortDate($raw_encounter_date); - echo "\n"; + echo "\n"; // show encounter date - echo "\n"; + echo "\n"; if ($billing_view) { // Show billing note that you can click on to edit. - $feid = $result4['id'] ? $result4['id'] : 0; // form_encounter id + $feid = $result4['id'] ? htmlspecialchars( $result4['id'], ENT_QUOTES) : 0; // form_encounter id echo "\n"; @@ -306,19 +315,19 @@ function closeNote(feid, fenote) { if ($auth_med && $auth_sensitivity) { $ires = sqlStatement("SELECT lists.type, lists.title, lists.begdate " . "FROM issue_encounter, lists WHERE " . - "issue_encounter.pid = '$pid' AND " . - "issue_encounter.encounter = '" . $iter['encounter'] . "' AND " . + "issue_encounter.pid = ? AND " . + "issue_encounter.encounter = ? AND " . "lists.id = issue_encounter.list_id " . - "ORDER BY lists.type, lists.begdate"); + "ORDER BY lists.type, lists.begdate", array($pid,$iter['encounter']) ); for ($i = 0; $irow = sqlFetchArray($ires); ++$i) { if ($i > 0) echo "
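Review bot: `$feid = $result4['id'] ? htmlspecialchars( $result4['id'], ENT_QUOTES) : 0;` escapes a form_encounter id at assignment rather than at output, so every later use of `$feid` in this row — including the `note_` element id and the `editNote(feid)` call that closeNote later keys on — receives an entity-encoded value instead of the stored one. Because `id` is an integer column, a cast is both simpler and context-independent: `$feid = $result4['id'] ? (int) $result4['id'] : 0; // form_encounter id`, with any HTML escaping applied where the value is echoed. The enclosing encounter loop starts outside the hunk.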
"; $tcode = $irow['type']; if ($ISSUE_TYPES[$tcode]) $tcode = $ISSUE_TYPES[$tcode][2]; - echo "$tcode: " . $irow['title']; + echo htmlspecialchars( "$tcode: " . $irow['title'], ENT_NOQUOTES); } } else { - echo "(" . xl('No access') . ")"; + echo "(" . htmlspecialchars( xl('No access'), ENT_NOQUOTES) . ")"; } echo "\n"; @@ -351,8 +360,8 @@ function closeNote(feid, fenote) { // if ($GLOBALS['athletic_team']) { if ($enc['formdir'] != 'physical_exam' && substr($enc['formdir'],0,3) != 'LBF') { - $frow = sqlQuery("select * from form_" . $enc['formdir'] . - " where id = " . $enc['form_id']); + $frow = sqlQuery("select * from form_" . add_escape_custom($enc['formdir']) . + " where id = ?", array($enc['form_id']) ); foreach ($frow as $fkey => $fvalue) { if (! preg_match('/[A-Za-z]/', $fvalue)) continue; if ($title) $title .= "; "; @@ -363,7 +372,7 @@ function closeNote(feid, fenote) { } // end athletic team echo ""; - echo xl_form_title($enc['form_name']); + echo htmlspecialchars( xl_form_title($enc['form_name']), ENT_NOQUOTES); echo "
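Review bot: `"select * from form_" . add_escape_custom($enc['formdir']) . " where id = ?"` wraps a table-name fragment in a string-literal escaper; add_escape_custom neutralises quotes and backslashes inside a quoted value, but `formdir` is spliced in as part of an identifier outside any quotes, where that escaping changes nothing, and an identifier cannot be a bound parameter. The value comes from the forms table, so the exposure is a crafted row rather than request input, but the safe pattern is to validate the fragment as an identifier before building the query, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $enc['formdir'])) continue;` ahead of the sqlQuery call (or a lookup against the known form directories). The loop over `$encarr` that this sits in starts outside the hunk.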
"; } // end encounter Forms loop @@ -374,9 +383,9 @@ function closeNote(feid, fenote) { // show user (Provider) for the encounter $provname = ' '; if (!empty($result4['lname']) || !empty($result4['fname'])) { - $provname = $result4['lname']; + $provname = htmlspecialchars( $result4['lname'], ENT_NOQUOTES); if (!empty($result4['fname']) || !empty($result4['mname'])) - $provname .= ', ' . $result4['fname'] . ' ' . $result4['mname']; + $provname .= htmlspecialchars( ', ' . $result4['fname'] . ' ' . $result4['mname'], ENT_NOQUOTES); } echo "\n"; @@ -401,7 +410,7 @@ function closeNote(feid, fenote) { if ($billing_view && $accounting_enabled) { if ($INTEGRATED_AR) { $tmp = sqlQuery("SELECT id FROM form_encounter WHERE " . - "pid = '$pid' AND encounter = '" . $iter['encounter'] . "'"); + "pid = ? AND encounter = ?", array($pid,$iter['encounter']) ); $arid = 0 + $tmp['id']; if ($arid) $arinvoice = ar_get_invoice_summary($pid, $iter['encounter'], true); } @@ -411,7 +420,8 @@ function closeNote(feid, fenote) { if ($arid) $arinvoice = get_invoice_summary($arid, true); } if ($arid) { - $arlinkbeg = ""; $arlinkend = ""; } @@ -421,9 +431,9 @@ function closeNote(feid, fenote) { $query = "SELECT s.drug_id, s.fee, d.name " . "FROM drug_sales AS s " . "LEFT JOIN drugs AS d ON d.drug_id = s.drug_id " . - "WHERE s.pid = '$pid' AND s.encounter = '{$iter['encounter']}' " . + "WHERE s.pid = ? AND s.encounter = ? " . "ORDER BY s.sale_id"; - $sres = sqlStatement($query); + $sres = sqlStatement($query, array($pid,$iter['encounter']) ); while ($srow = sqlFetchArray($sres)) { $subresult2[] = array('code_type' => 'PROD', 'code' => 'PROD:' . $srow['drug_id'], 'modifier' => '', 
@@ -436,7 +446,7 @@ function closeNote(feid, fenote) { // Next 2 lines were to skip diagnoses, but that seems unpopular. // if ($iter2['code_type'] != 'COPAY' && // !$code_types[$iter2['code_type']]['fee']) continue; - $title = addslashes($iter2['code_text']); + $title = htmlspecialchars( ($iter2['code_text']), ENT_QUOTES); $codekey = $iter2['code']; if ($iter2['code_type'] == 'COPAY') $codekey = 'CO-PAY'; if ($iter2['modifier']) $codekey .= ':' . $iter2['modifier']; @@ -444,7 +454,7 @@ function closeNote(feid, fenote) { // $binfo[0] .= "". $binfo[0] .= "". //onmouseover='ttshow(this,\"$title\")' onmouseout='tthide()'>" . - $arlinkbeg . ($codekey == 'CO-PAY' ? xl($codekey) : $codekey) . + $arlinkbeg . htmlspecialchars( ($codekey == 'CO-PAY' ? xl($codekey) : $codekey), ENT_NOQUOTES) . $arlinkend . ""; if ($billing_view && $accounting_enabled) { if ($binfo[1]) { @@ -453,15 +463,15 @@ function closeNote(feid, fenote) { if (empty($arinvoice[$codekey])) { // If no invoice, show the fee. if ($arlinkbeg) $binfo[1] .= ' '; - else $binfo[1] .= oeFormatMoney($iter2['fee']); + else $binfo[1] .= htmlspecialchars( oeFormatMoney($iter2['fee']), ENT_NOQUOTES); for ($i = 2; $i < 5; ++$i) $binfo[$i] .= ' '; } else { - $binfo[1] .= oeFormatMoney($arinvoice[$codekey]['chg'] + $arinvoice[$codekey]['adj']); - $binfo[2] .= oeFormatMoney($arinvoice[$codekey]['chg'] - $arinvoice[$codekey]['bal']); - $binfo[3] .= oeFormatMoney($arinvoice[$codekey]['adj']); - $binfo[4] .= oeFormatMoney($arinvoice[$codekey]['bal']); + $binfo[1] .= htmlspecialchars( oeFormatMoney($arinvoice[$codekey]['chg'] + $arinvoice[$codekey]['adj']), ENT_NOQUOTES); + $binfo[2] .= htmlspecialchars( oeFormatMoney($arinvoice[$codekey]['chg'] - $arinvoice[$codekey]['bal']), ENT_NOQUOTES); + $binfo[3] .= htmlspecialchars( oeFormatMoney($arinvoice[$codekey]['adj']), ENT_NOQUOTES); + $binfo[4] .= htmlspecialchars( oeFormatMoney($arinvoice[$codekey]['bal']), ENT_NOQUOTES); unset($arinvoice[$codekey]); } } 
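Review bot: `$title = htmlspecialchars( ($iter2['code_text']), ENT_QUOTES);` replaces addslashes with an HTML-attribute escape, but the only consumer visible in the hunk is the commented-out `onmouseover='ttshow(this,\"$title\")'` handler, so the value appears unused here. If that handler is ever revived, attribute escaping alone is not sufficient for a JavaScript string literal inside an attribute; the text would need JS-string encoding (e.g. `json_encode`) first and attribute escaping second. If `$title` is emitted in a plain attribute elsewhere in this block (not shown), ENT_QUOTES is the right choice and a one-line comment saying which context it is escaped for would prevent the next reader from reusing it in script context.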
@@ -475,11 +485,11 @@ function closeNote(feid, fenote) { for ($i = 0; $i < 5; ++$i) $binfo[$i] .= '
'; } for ($i = 0; $i < 5; ++$i) $binfo[$i] .= ""; - $binfo[0] .= $codekey; - $binfo[1] .= oeFormatMoney($val['chg'] + $val['adj']); - $binfo[2] .= oeFormatMoney($val['chg'] - $val['bal']); - $binfo[3] .= oeFormatMoney($val['adj']); - $binfo[4] .= oeFormatMoney($val['bal']); + $binfo[0] .= htmlspecialchars( $codekey, ENT_NOQUOTES); + $binfo[1] .= htmlspecialchars( oeFormatMoney($val['chg'] + $val['adj']), ENT_NOQUOTES); + $binfo[2] .= htmlspecialchars( oeFormatMoney($val['chg'] - $val['bal']), ENT_NOQUOTES); + $binfo[3] .= htmlspecialchars( oeFormatMoney($val['adj']), ENT_NOQUOTES); + $binfo[4] .= htmlspecialchars( oeFormatMoney($val['bal']), ENT_NOQUOTES); for ($i = 0; $i < 5; ++$i) $binfo[$i] .= ""; } } @@ -492,7 +502,7 @@ function closeNote(feid, fenote) { } // end if authorized else { - echo "
\n"; + echo "\n"; } // show insurance @@ -510,28 +520,28 @@ function closeNote(feid, fenote) { $subresult5 = getInsuranceDataByDate($pid, $raw_encounter_date, "primary"); if ($subresult5 && $subresult5{"provider_name"}) { $style = $responsible == 1 ? " style='color:red'" : ""; - $insured = " " . xl('Primary') . ": " . - $subresult5{"provider_name"} . "
\n"; + $insured = " " . htmlspecialchars( xl('Primary'), ENT_NOQUOTES) . ": " . + htmlspecialchars( $subresult5{"provider_name"}, ENT_NOQUOTES) . "
\n"; } $subresult6 = getInsuranceDataByDate($pid, $raw_encounter_date, "secondary"); if ($subresult6 && $subresult6{"provider_name"}) { $style = $responsible == 2 ? " style='color:red'" : ""; - $insured .= " " . xl('Secondary') . ": " . - $subresult6{"provider_name"} . "
\n"; + $insured .= " " . htmlspecialchars( xl('Secondary'), ENT_NOQUOTES) . ": " . + htmlspecialchars( $subresult6{"provider_name"}, ENT_NOQUOTES) . "
\n"; } $subresult7 = getInsuranceDataByDate($pid, $raw_encounter_date, "tertiary"); if ($subresult6 && $subresult7{"provider_name"}) { $style = $responsible == 3 ? " style='color:red'" : ""; - $insured .= " " . xl('Tertiary') . ": " . - $subresult7{"provider_name"} . "
\n"; + $insured .= " " . htmlspecialchars( xl('Tertiary'), ENT_NOQUOTES) . ": " . + htmlspecialchars( $subresult7{"provider_name"}, ENT_NOQUOTES) . "
\n"; } if ($responsible == 0) { - $insured .= " " . xl('Patient') . + $insured .= " " . htmlspecialchars( xl('Patient'), ENT_NOQUOTES) . "
\n"; } } else { - $insured = " (No access)"; + $insured = " (".htmlspecialchars( xl("No access"), ENT_NOQUOTES).")"; } echo "
\n"; diff --git a/interface/patient_file/history/encounters_full.php b/interface/patient_file/history/encounters_full.php deleted file mode 100644 index 24103f164ba..00000000000 --- a/interface/patient_file/history/encounters_full.php +++ /dev/null @@ -1,223 +0,0 @@ -\n\n"; - echo "

(".xl('Encounters not authorized').")

\n"; - echo "\n\n"; - exit(); - } -?> - - - - - - - - - - - - - - - -
- -
  
" . oeFormatShortDate($raw_encounter_date) . "" . htmlspecialchars( oeFormatShortDate($raw_encounter_date), ENT_NOQUOTES) . ""; echo "
"; //echo "
"; - echo "
"; - echo $result4['billing_note'] ? nl2br($result4['billing_note']) : xl('Add','','[',']'); + echo "
"; + echo $result4['billing_note'] ? nl2br(htmlspecialchars( $result4['billing_note'], ENT_NOQUOTES)) : htmlspecialchars( xl('Add','','[',']'), ENT_NOQUOTES); echo "
"; echo "
"; echo "
$provname(No access)(".htmlspecialchars( xl("No access"), ENT_NOQUOTES).")".$insured."
- - - - - - - - - - - -"; // TBD: include target=Main ? - $linkend = ""; - if ($result4 = sqlQuery("select * from form_encounter where encounter='" . - $iter{"encounter"} . "' and pid='$pid'")) - { - $raw_encounter_date = date("Y-m-d", strtotime($result4{"date"})); - $encounter_date = date("D F jS", strtotime($result4{"date"})); - - // if ($auth_notes_a || ($auth_notes && $iter['user'] == $_SESSION['authUser'])) - $reason_string .= $result4{"reason"} . "
\n"; - // else - // $reason_string = "(No access)"; - - $href = "javascript:window.toencounter(" . $iter['encounter'] . ",\"$raw_encounter_date\")"; - $linkbeg = ""; - - if ($result4['sensitivity']) { - $auth_sensitivity = acl_check('sensitivities', $result4['sensitivity']); - if (!$auth_sensitivity) { - $reason_string = "(No access)"; - $linkbeg = ""; - $linkend = ""; - } - } - } - - $erow = sqlQuery("SELECT user FROM forms WHERE encounter = '" . - $iter['encounter'] . "' AND formdir = 'newpatient' LIMIT 1"); - - print "\n"; - - // show encounter date - echo "\n"; - - // show issues for this encounter - echo "\n"; - - // show encounter reason - echo "\n"; - - //this is where we print out the text of the billing that occurred on this encounter - $thisauth = $auth_coding_a; - if (!$thisauth && $auth_coding) { - if ($erow['user'] == $_SESSION['authUser']) - $thisauth = $auth_coding; - } - $coded = ""; - if ($thisauth && $auth_sensitivity) { - if ($subresult2 = getBillingByEncounter($pid, $iter{"encounter"})) { - foreach ($subresult2 as $iter2) { - $coded .= ""; - $coded .= $iter2{"code"} . ", "; - } - $coded = substr($coded, 0, strlen($coded) - 2); - } - } else { - $coded = "(No access)"; - } - echo "\n"; - - // show provider - echo "\n"; - - // Show insurance. - if (!$GLOBALS['athletic_team']) { - $insured = "$raw_encounter_date"; - if ($auth_demo) { - $subresult5 = getInsuranceDataByDate($pid, $raw_encounter_date, "primary"); - if ($subresult5 && $subresult5{"provider_name"}) { - $insured = "".xl('Primary').": " . $subresult5{"provider_name"} . "
\n"; - } - $subresult6 = getInsuranceDataByDate($pid, $raw_encounter_date, "secondary"); - if ($subresult6 && $subresult6{"provider_name"}) { - $insured .= "".xl('Secondary').": ".$subresult6{"provider_name"}."
\n"; - } - $subresult7 = getInsuranceDataByDate($pid, $raw_encounter_date, "tertiary"); - if ($subresult6 && $subresult7{"provider_name"}) { - $insured .= "".xl('Tertiary').": ".$subresult7{"provider_name"}."
\n"; - } - } else { - $insured = "(No access)"; - } - echo "
\n"; - } - - print "\n"; - - // Now show a line for each encounter form, if the user is authorized to - // see this encounter's notes. - // - if ($auth_sensitivity && ($auth_notes_a || ($auth_notes && $iter['user'] == $_SESSION['authUser']))) { - $encarr = getFormByEncounter($pid, $iter['encounter'], "formdir, user, form_name, form_id"); - foreach ($encarr as $enc) { - if ($enc['formdir'] == 'newpatient') continue; - $title = ""; - $frow = sqlQuery("select * from form_" . $enc['formdir'] . - " where id = " . $enc['form_id']); - foreach ($frow as $fkey => $fvalue) { - if (! preg_match('/[A-Za-z]/', $fvalue)) continue; - if ($title) $title .= "; "; - $title .= strtoupper($fkey) . ': ' . $fvalue; - } - $title = htmlspecialchars(strtr($title, "\t\n\r", " "), ENT_QUOTES); - - echo "\n"; - echo " \n"; - echo " \n"; - echo " \n"; - echo "\n"; - } // end foreach $encarr - } // end if - - } -} - -?> - -
$linkbeg" . - $raw_encounter_date . "$linkend$linkbeg"; - if ($auth_med && $auth_sensitivity) { - $ires = sqlStatement("SELECT lists.type, lists.title, lists.begdate " . - "FROM issue_encounter, lists WHERE " . - "issue_encounter.pid = '$pid' AND " . - "issue_encounter.encounter = '" . $iter['encounter'] . "' AND " . - "lists.id = issue_encounter.list_id " . - "ORDER BY lists.type, lists.begdate"); - for ($i = 0; $irow = sqlFetchArray($ires); ++$i) { - if ($i > 0) echo "
"; - $tcode = $irow['type']; - if ($ISSUE_TYPES[$tcode]) $tcode = $ISSUE_TYPES[$tcode][2]; - echo "$tcode: " . $irow['title']; - } - } else { - echo "(".xl('No access').")"; - } - echo "$linkend
$linkbeg" . - $reason_string . "$linkend$linkbeg" . - $coded . "$linkend$linkbeg" . - $erow['user'] . "$linkend$linkbeg" . - $insured . "
$linkbeg" . - "   " . - $enc['form_name'] . "$linkend$linkbeg" . - $enc['user'] . "$linkend
- - - diff --git a/interface/patient_file/history/history.php b/interface/patient_file/history/history.php index a85624c6807..fdf10e0e2d2 100644 --- a/interface/patient_file/history/history.php +++ b/interface/patient_file/history/history.php @@ -1,4 +1,13 @@ (History not authorized)

\n"; + echo "

(".htmlspecialchars(xl('History not authorized'),ENT_NOQUOTES).")

\n"; echo "\n\n"; exit(); } @@ -46,19 +55,19 @@
- +
-  + 
class="css_button" onclick="top.restoreSession()"> - + class="css_button" onclick="top.restoreSession()"> - +

diff --git a/interface/patient_file/history/history_full.php b/interface/patient_file/history/history_full.php index e90fdfc430a..06b764aaa2d 100644 --- a/interface/patient_file/history/history_full.php +++ b/interface/patient_file/history/history_full.php @@ -1,4 +1,13 @@ @@ -115,17 +124,17 @@ function submit_history() {
- +
-   +  
onclick="top.restoreSession(); submit_history();" > - + class="css_button" onclick="top.restoreSession()"> - +
diff --git a/interface/patient_file/history/history_save.php b/interface/patient_file/history/history_save.php index c17dd1c9518..6fbcfdea1ef 100644 --- a/interface/patient_file/history/history_save.php +++ b/interface/patient_file/history/history_save.php @@ -1,4 +1,13 @@ $val) { if ($val == "YYYY-MM-DD") { diff --git a/interface/patient_file/history/patient_history.php b/interface/patient_file/history/patient_history.php index 470f1024203..426c22049a9 100644 --- a/interface/patient_file/history/patient_history.php +++ b/interface/patient_file/history/patient_history.php @@ -1,12 +1,21 @@ - + -<?php xl('Patient History','e'); ?> +<?php echo htmlspecialchars(xl('Patient History'),ENT_NOQUOTES); ?> diff --git a/library/billing.inc b/library/billing.inc index aac4b4d59b1..d0484bcc647 100644 --- a/library/billing.inc +++ b/library/billing.inc @@ -15,7 +15,7 @@ function getBillingByPid ($pid, $cols = "*") function getBillingByEncounter ($pid,$encounter, $cols = "code_type, code, code_text") { - $res = sqlStatement("select $cols from billing where encounter = '$encounter' and pid='$pid' and activity=1 order by code_type, date ASC"); + $res = sqlStatement("select $cols from billing where encounter = ? and pid=? and activity=1 order by code_type, date ASC", array($encounter,$pid) ); for($iter=0; $row=sqlFetchArray($res); $iter++) { @@ -214,4 +214,4 @@ function isEncounterBilled($pid, $encounter) { } return $count ? true : false; } -?> \ No newline at end of file +?> diff --git a/library/forms.inc b/library/forms.inc index 6baba6d20e1..447e1d0faf7 100644 --- a/library/forms.inc +++ b/library/forms.inc 
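Review bot: getBillingByEncounter now binds `$encounter` and `$pid`, but `$cols` is still interpolated verbatim into `"select $cols from billing ..."`; a column list cannot be a bound parameter, so the function should either state that `$cols` must be a caller-supplied literal or validate it against the billing table's column names. The same raw `$cols` interpolation remains in getFormByEncounter in library/forms.inc in this commit. A docblock line such as `// $cols is spliced into the SQL verbatim: pass only literal column lists, never request input.` would at least make the trust boundary explicit for callers.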
@@ -35,14 +35,17 @@ function getFormsByPid ($pid, $cols = "*") function getFormByEncounter($pid,$encounter, $cols="form_id, form_name", $name="") { - $sql = "select $cols from forms where encounter = '$encounter' and pid='$pid' "; + $arraySqlBind = array(); + $sql = "select $cols from forms where encounter = ? and pid=? "; + array_push($arraySqlBind,$encounter,$pid); if(!empty($name)){ - $sql .= "and form_name='" . $name ."' "; + $sql .= "and form_name=? "; + array_push($arraySqlBind,$name); } // This puts vitals first in the list, and newpatient last: $sql .= "ORDER BY FIND_IN_SET(formdir,'vitals') DESC, date DESC"; - $res = sqlStatement($sql); + $res = sqlStatement($sql,$arraySqlBind); for($iter=0; $row=sqlFetchArray($res); $iter++) { @@ -74,9 +77,8 @@ function authorizeForm($id, $authorized = "1") function getEncounters($pid) { - // $res = sqlStatement("select distinct encounter from forms where pid='$pid' order by date desc;"); - $res = sqlStatement("select distinct encounter from form_encounter where pid = '$pid' order by date desc;"); + $res = sqlStatement("select distinct encounter from form_encounter where pid = ? order by date desc;", array($pid) ); for($iter=0; $row=sqlFetchArray($res); $iter++) { diff --git a/library/invoice_summary.inc.php b/library/invoice_summary.inc.php index b190e5ce7ba..bbe175e8c1e 100644 --- a/library/invoice_summary.inc.php +++ b/library/invoice_summary.inc.php @@ -137,8 +137,8 @@ function ar_get_invoice_summary($patient_id, $encounter_id, $with_detail = false $res = sqlStatement("SELECT " . "date, code_type, code, modifier, code_text, fee " . "FROM billing WHERE " . - "pid = '$patient_id' AND encounter = '$encounter_id' AND " . - "activity = 1 AND fee != 0.00 ORDER BY id"); + "pid = ? AND encounter = ? AND " . + "activity = 1 AND fee != 0.00 ORDER BY id", array($patient_id,$encounter_id) ); while ($row = sqlFetchArray($res)) { $amount = sprintf('%01.2f', $row['fee']); 
@@ -176,9 +176,9 @@ function ar_get_invoice_summary($patient_id, $encounter_id, $with_detail = false $query = "SELECT s.drug_id, s.sale_date, s.fee, s.quantity " . "FROM drug_sales AS s " . "WHERE " . - "s.pid = '$patient_id' AND s.encounter = '$encounter_id' AND s.fee != 0 " . + "s.pid = ? AND s.encounter = ? AND s.fee != 0 " . "ORDER BY s.sale_id"; - $res = sqlStatement($query); + $res = sqlStatement($query, array($patient_id,$encounter_id) ); while ($row = sqlFetchArray($res)) { $amount = sprintf('%01.2f', $row['fee']); $code = 'PROD:' . $row['drug_id']; @@ -203,8 +203,8 @@ function ar_get_invoice_summary($patient_id, $encounter_id, $with_detail = false "FROM ar_activity AS a " . "LEFT OUTER JOIN ar_session AS s ON s.session_id = a.session_id " . "LEFT OUTER JOIN insurance_companies AS i ON i.id = s.payer_id " . - "WHERE a.pid = '$patient_id' AND a.encounter = '$encounter_id' " . - "ORDER BY s.check_date, a.sequence_no"); + "WHERE a.pid = ? AND a.encounter = ? " . + "ORDER BY s.check_date, a.sequence_no", array($patient_id,$encounter_id) ); while ($row = sqlFetchArray($res)) { $code = strtoupper($row['code']); if (! $code) $code = "Unknown"; @@ -265,8 +265,8 @@ function responsible_party($trans_id) { function ar_responsible_party($patient_id, $encounter_id) { $row = sqlQuery("SELECT date, last_level_billed, last_level_closed " . "FROM form_encounter WHERE " . - "pid = '$patient_id' AND encounter = '$encounter_id' " . - "ORDER BY id DESC LIMIT 1"); + "pid = ? AND encounter = ? " . + "ORDER BY id DESC LIMIT 1", array($patient_id,$encounter_id) ); if (empty($row)) return -1; $next_level = $row['last_level_closed'] + 1; if ($next_level <= $row['last_level_billed']) diff --git a/library/options.inc.php b/library/options.inc.php index 3bb85b80cff..9961cac307a 100644 --- a/library/options.inc.php +++ b/library/options.inc.php 
@@ -36,31 +36,36 @@ function generate_select_list($tag_name, $list_id, $currvalue, $title, $empty_name=' ', $class='', $onchange='') { $s = ''; - $s .= ""; - $s .= " " . - xl('Fix this') . "!"; + $fontTitle = htmlspecialchars( xl('Please choose a valid selection from the list.'), ENT_QUOTES); + $fontText = htmlspecialchars( xl('Fix this'), ENT_NOQUOTES); + $s .= " $fontText!"; } else { $s .= ""; @@ -68,6 +73,8 @@ function generate_select_list($tag_name, $list_id, $currvalue, $title, return $s; } + + function generate_form_field($frow, $currvalue) { global $rootdir, $date_init; @@ -76,6 +83,9 @@ function generate_form_field($frow, $currvalue) { $data_type = $frow['data_type']; $field_id = $frow['field_id']; $list_id = $frow['list_id']; + // escaped variables to use in html + $field_id_esc= htmlspecialchars( $field_id, ENT_QUOTES); + $list_id_esc = htmlspecialchars( $list_id, ENT_QUOTES); // Added 5-09 by BM - Translate description if applicable $description = htmlspecialchars(xl_layout_label($frow['description']), ENT_QUOTES); @@ -108,16 +118,18 @@ function generate_form_field($frow, $currvalue) { // simple text field else if ($data_type == 2) { + $fldlength = htmlspecialchars( $frow['fld_length'], ENT_QUOTES); + $maxlength = htmlspecialchars( $frow['max_length'], ENT_QUOTES); echo " 0) { echo " onkeyup='maskkeyup(this,\"$tmp\")'"; echo " onblur='maskblur(this,\"$tmp\")'"; 
@@ -127,24 +139,26 @@ function generate_form_field($frow, $currvalue) { // long or multi-line text field else if ($data_type == 3) { + $textCols = htmlspecialchars( $frow['fld_length'], ENT_QUOTES); + $textRows = htmlspecialchars( $frow['max_length'], ENT_QUOTES); echo "" . + " cols='$textCols'" . + " rows='$textRows'>" . $currescaped . ""; } // date else if ($data_type == 4) { - echo "" . "[?]"; + " id='img_$field_id_esc' border='0' alt='[?]' style='cursor:pointer'" . + " title='" . htmlspecialchars( xl('Click here to choose a date'), ENT_QUOTES) . "' />"; $date_init .= " Calendar.setup({inputField:'form_$field_id', ifFormat:'%Y-%m-%d', button:'img_$field_id'});\n"; } @@ -154,11 +168,12 @@ function generate_form_field($frow, $currvalue) { "WHERE active = 1 AND ( info IS NULL OR info NOT LIKE '%Inactive%' ) " . "AND authorized = 1 " . "ORDER BY lname, fname"); - echo ""; + echo ""; while ($urow = sqlFetchArray($ures)) { - $uname = $urow['fname'] . ' ' . $urow['lname']; - echo ""; } @@ -171,11 +186,12 @@ function generate_form_field($frow, $currvalue) { "WHERE active = 1 AND ( info IS NULL OR info NOT LIKE '%Inactive%' ) " . "AND ( authorized = 1 OR ( username = '' AND npi != '' ) ) " . "ORDER BY lname, fname"); - echo ""; + echo ""; while ($urow = sqlFetchArray($ures)) { - $uname = $urow['fname'] . ' ' . $urow['lname']; - echo ""; } @@ -184,30 +200,34 @@ function generate_form_field($frow, $currvalue) { // pharmacy list else if ($data_type == 12) { - echo ""; echo ""; $pres = get_pharmacies(); while ($prow = sqlFetchArray($pres)) { $key = $prow['id']; - echo ""; + $prow['line1'] . ' / ' . $prow['city'], ENT_NOQUOTES); + echo ""; } echo ""; } // squads else if ($data_type == 13) { - echo ""; echo ""; $squads = acl_get_squads(); if ($squads) { foreach ($squads as $key => $value) { - echo "\n"; + echo ">$optionLabel\n"; } } echo ""; 
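Review bot: The date field's image now carries `id='img_$field_id_esc'`, while the unchanged `$date_init` line still builds `button:'img_$field_id'` and `inputField:'form_$field_id'` from the raw value and splices it into a JavaScript string with no JS escaping, so a field_id containing a character htmlspecialchars rewrites would leave Calendar.setup pointing at an element that does not exist. Since the browser decodes the attribute back to the raw id, the script side should be produced with a JS-string encoder rather than the HTML-escaped copy: `$date_init .= " Calendar.setup({inputField:" . json_encode("form_$field_id") . ", ifFormat:'%Y-%m-%d', button:" . json_encode("img_$field_id") . "});\n";`. Whether field_id can in practice contain such characters depends on how layout_options rows are created, which this diff does not show; generate_form_field continues outside the hunk.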
@@ -232,30 +252,35 @@ function generate_form_field($frow, $currvalue) { "WHERE active = 1 AND ( info IS NULL OR info NOT LIKE '%Inactive%' ) " . "AND $tmp " . "ORDER BY organization, lname, fname"); - echo ""; + echo ""; while ($urow = sqlFetchArray($ures)) { $uname = $urow['organization']; if (empty($uname) || substr($uname, 0, 1) == '(') { $uname = $urow['lname']; if ($urow['fname']) $uname .= ", " . $urow['fname']; } - echo ""; + echo ">$optionLabel"; } echo ""; } // a billing code (only one of these allowed!) else if ($data_type == 15) { + $fldlength = htmlspecialchars( $frow['fld_length'], ENT_QUOTES); + $maxlength = htmlspecialchars( $frow['max_length'], ENT_QUOTES); echo ""; $tdpct = (int) (100 / $cols); for ($count = 0; $lrow = sqlFetchArray($lres); ++$count) { $option_id = $lrow['option_id']; + $option_id_esc = htmlspecialchars( $option_id, ENT_QUOTES); // if ($count) echo "
"; if ($count % $cols == 0) { if ($count) echo ""; echo ""; } echo ""; - echo "" . xl_list_label($lrow['title']); + echo ">" . htmlspecialchars( xl_list_label($lrow['title']), ENT_NOQUOTES); echo ""; } @@ -291,6 +317,7 @@ function generate_form_field($frow, $currvalue) { echo ""; if ($count > $cols) { // Add some space after multiple rows of checkboxes. + $cols = htmlspecialchars( $cols, ENT_QUOTES); echo ""; } } @@ -307,22 +334,25 @@ function generate_form_field($frow, $currvalue) { } } $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); echo ""; while ($lrow = sqlFetchArray($lres)) { $option_id = $lrow['option_id']; + $option_id_esc = htmlspecialchars( $option_id, ENT_QUOTES); $maxlength = empty($frow['max_length']) ? 255 : $frow['max_length']; $fldlength = empty($frow['fld_length']) ? 20 : $frow['fld_length']; // Added 5-09 by BM - Translate label if applicable - echo ""; - + echo ""; + $fldlength = htmlspecialchars( $fldlength, ENT_QUOTES); + $maxlength = htmlspecialchars( $maxlength, ENT_QUOTES); + $optionValue = htmlspecialchars( $avalue[$option_id], ENT_QUOTES); echo ""; } echo "
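Review bot: In `@@ -291,6 +317,7`, `$cols = htmlspecialchars( $cols, ENT_QUOTES);` is applied to a value the function has just compared numerically (`$count > $cols`) and, earlier in the same function, divided (`$tdpct = (int) (100 / $cols);`), so the call cannot change the output and only turns the integer into a string at the point it is echoed. Casting once where the value is read, `$cols = max(1, (int) $frow['fld_length']);`, states the real invariant (a positive integer) and needs no output-time escape. The same no-op escape is in `@@ -783,13 +845,14` and in the radio-button block near `@@ -927,13 +999,14`.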
" . xl_list_label($lrow['title']) . " 
" . htmlspecialchars( xl_list_label($lrow['title']), ENT_NOQUOTES) . " 
"; @@ -340,31 +370,39 @@ function generate_form_field($frow, $currvalue) { $maxlength = empty($frow['max_length']) ? 255 : $frow['max_length']; $fldlength = empty($frow['fld_length']) ? 20 : $frow['fld_length']; $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); echo ""; - echo "" . - ""; + echo "" . + ""; while ($lrow = sqlFetchArray($lres)) { $option_id = $lrow['option_id']; + $option_id_esc = htmlspecialchars( $option_id, ENT_QUOTES); $restype = substr($avalue[$option_id], 0, 1); $resnote = substr($avalue[$option_id], 2); // Added 5-09 by BM - Translate label if applicable - echo ""; + echo ""; for ($i = 0; $i < 3; ++$i) { + $inputValue = htmlspecialchars( $i, ENT_QUOTES); echo ""; } + $fldlength = htmlspecialchars( $fldlength, ENT_QUOTES); + $maxlength = htmlspecialchars( $maxlength, ENT_QUOTES); + $resnote = htmlspecialchars( $resnote, ENT_QUOTES); echo ""; @@ -377,15 +415,15 @@ function generate_form_field($frow, $currvalue) { // this is read-only! else if ($data_type == 24) { $query = "SELECT title, comments FROM lists WHERE " . - "pid = '" . $GLOBALS['pid'] . "' AND type = 'allergy' AND enddate IS NULL " . + "pid = ? AND type = 'allergy' AND enddate IS NULL " . "ORDER BY begdate"; // echo "\n"; // debugging - $lres = sqlStatement($query); + $lres = sqlStatement($query, array($GLOBALS['pid'])); $count = 0; while ($lrow = sqlFetchArray($lres)) { if ($count++) echo "
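Review bot: In `@@ -340,31 +370,39`, `$fldlength = htmlspecialchars( $fldlength, ENT_QUOTES);` and the `$maxlength` line next to it sit inside the `while ($lrow = sqlFetchArray($lres))` loop although both values are computed once before it, so from the second row on they re-encode the previous iteration's output; the numeric defaults hide this, but a non-numeric fld_length containing `&` would be double-encoded. Move the two escapes to directly after the `empty(...) ? 20 : ...` assignments, before `$lres`. In the same hunk `$inputValue = htmlspecialchars( $i, ENT_QUOTES);` escapes the loop counter, which can only be 0, 1 or 2; using `$i` directly says what is meant. The in-loop placement recurs in `@@ -401,22 +439,27`, `@@ -834,22 +899,27` and `@@ -886,16 +956,18`.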
"; - echo $lrow['title']; - if ($lrow['comments']) echo ' (' . $lrow['comments'] . ')'; + echo htmlspecialchars( $lrow['title'], ENT_NOQUOTES); + if ($lrow['comments']) echo ' (' . htmlspecialchars( $lrow['comments'], ENT_NOQUOTES) . ')'; } } @@ -401,22 +439,27 @@ function generate_form_field($frow, $currvalue) { $maxlength = empty($frow['max_length']) ? 255 : $frow['max_length']; $fldlength = empty($frow['fld_length']) ? 20 : $frow['fld_length']; $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); echo "
 " . xl('N/A') . - " " . xl('Nor') . " " . xl('Abn') . " " . - xl('Date/Notes') . "
 " . + htmlspecialchars( xl('N/A'), ENT_NOQUOTES) . + " " . + htmlspecialchars( xl('Nor'), ENT_NOQUOTES) . " " . + htmlspecialchars( xl('Abn'), ENT_NOQUOTES) . " " . + htmlspecialchars( xl('Date/Notes'), ENT_NOQUOTES) . "
" . xl_list_label($lrow['title']) . " 
" . htmlspecialchars( xl_list_label($lrow['title']), ENT_NOQUOTES) . " 
"; while ($lrow = sqlFetchArray($lres)) { $option_id = $lrow['option_id']; + $option_id_esc = htmlspecialchars( $option_id, ENT_QUOTES); $restype = substr($avalue[$option_id], 0, 1); $resnote = substr($avalue[$option_id], 2); // Added 5-09 by BM - Translate label if applicable - echo ""; + echo ""; - echo ""; + $fldlength = htmlspecialchars( $fldlength, ENT_QUOTES); + $maxlength = htmlspecialchars( $maxlength, ENT_QUOTES); + $resnote = htmlspecialchars( $resnote, ENT_QUOTES); echo ""; @@ -427,13 +470,14 @@ function generate_form_field($frow, $currvalue) { // single-selection list with ability to add to it else if ($data_type == 26) { - echo ""; + if ($showEmpty) echo ""; $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); $got_selected = FALSE; while ($lrow = sqlFetchArray($lres)) { - echo "\n"; + echo ">" . htmlspecialchars( xl_list_label($lrow['title']), ENT_NOQUOTES) . "\n"; } if (!$got_selected && strlen($currvalue) > 0) { echo ""; echo ""; - echo " " . xl('Fix this') . "!"; + $fontTitle = htmlspecialchars( xl('Please choose a valid selection from the list.'), ENT_NOQUOTES); + $fontText = htmlspecialchars( xl('Fix this'), ENT_NOQUOTES); + echo " $fontText!"; } else { echo ""; } // show the add button if user has access to correct list - $outputAddButton = ""; + $inputValue = htmlspecialchars( xl('Add'), ENT_QUOTES); + $outputAddButton = ""; if (aco_exist('lists', $list_id)) { // a specific aco exist for this list, so ensure access if (acl_check('lists', $list_id)) echo $outputAddButton; @@ -468,37 +515,41 @@ function generate_form_field($frow, $currvalue) { // In this special case, fld_length is the number of columns generated. $cols = max(1, $frow['fld_length']); $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); echo "
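Review bot: In `@@ -427,13 +470,14`, `$fontTitle = htmlspecialchars( xl('Please choose a valid selection from the list.'), ENT_NOQUOTES);` feeds the same single-quoted title attribute that `@@ -36,31 +36,36` and `@@ -468,37 +515,41` escape with `ENT_QUOTES`, and `ENT_NOQUOTES` leaves `'` untouched, so a translation of that message containing an apostrophe terminates the attribute. Change it to `$fontTitle = htmlspecialchars( xl('Please choose a valid selection from the list.'), ENT_QUOTES);`. The attribute markup itself is not visible on this page, so this assumes the same attribute form as the first hunk.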
" . xl_list_label($lrow['title']) . " 
" . htmlspecialchars( xl_list_label($lrow['title']), ENT_NOQUOTES) . "  
"; $tdpct = (int) (100 / $cols); $got_selected = FALSE; for ($count = 0; $lrow = sqlFetchArray($lres); ++$count) { $option_id = $lrow['option_id']; + $option_id_esc = htmlspecialchars( $option_id, ENT_QUOTES); if ($count % $cols == 0) { if ($count) echo ""; echo ""; } echo ""; } if ($count) { echo ""; if ($count > $cols) { // Add some space after multiple rows of radio buttons. + $cols = htmlspecialchars( $cols, ENT_QUOTES); echo ""; } } echo "
"; - echo " 0 && $option_id == $currvalue)) { echo " checked"; $got_selected = TRUE; } - echo ">" . xl_list_label($lrow['title']); + echo ">" . htmlspecialchars( xl_list_label($lrow['title']), ENT_NOQUOTES); echo "
"; if (!$got_selected && strlen($currvalue) > 0) { - echo "$currvalue " . xl('Fix this') . "!"; + $fontTitle = htmlspecialchars( xl('Please choose a valid selection.'), ENT_QUOTES); + $fontText = htmlspecialchars( xl('Fix this'), ENT_NOQUOTES); + echo "$currescaped $fontText!"; } } @@ -526,55 +577,58 @@ function generate_form_field($frow, $currvalue) { } $maxlength = empty($frow['max_length']) ? 255 : $frow['max_length']; $fldlength = empty($frow['fld_length']) ? 20 : $frow['fld_length']; - + + $fldlength = htmlspecialchars( $fldlength, ENT_QUOTES); + $maxlength = htmlspecialchars( $maxlength, ENT_QUOTES); + $resnote = htmlspecialchars( $resnote, ENT_QUOTES); + $resdate = htmlspecialchars( $resdate, ENT_QUOTES); echo ""; echo ""; // input text echo ""; - echo ""; + echo ""; // current echo ""; - echo "/>".xl('Current')." "; + echo "/>".htmlspecialchars( xl('Current'), ENT_NOQUOTES)." "; // quit echo ""; + echo "/>".htmlspecialchars( xl('Quit'), ENT_NOQUOTES)." "; // quit date - echo ""; + " id='img_$field_id_esc' border='0' alt='[?]' style='cursor:pointer'" . + " title='" . htmlspecialchars( xl('Click here to choose a date'), ENT_QUOTES) . "' /> "; $date_init .= " Calendar.setup({inputField:'date_$field_id', ifFormat:'%Y-%m-%d', button:'img_$field_id'});\n"; // never echo ""; + echo " />".htmlspecialchars( xl('Never'), ENT_NOQUOTES)." "; // Not Applicable echo ""; + echo " />".htmlspecialchars( xl('N/A'), ENT_QUOTES)." "; echo ""; echo "
     ".xl('Status').":     ".htmlspecialchars( xl('Status'), ENT_NOQUOTES).": ".xl('Current')." ".xl('Quit')." " . "[?] ".xl('Never')." ".xl('N/A')." 
"; } @@ -623,7 +677,7 @@ function generate_print_field($frow, $currvalue) { $tmp = ''; if ($currvalue) { $lrow = sqlQuery("SELECT title FROM list_options " . - "WHERE list_id = '$list_id' AND option_id = '$currvalue'"); + "WHERE list_id = ? AND option_id = ?", array($list_id,$currvalue)); $tmp = xl_list_label($lrow['title']); if (empty($tmp)) $tmp = "($currvalue)"; } @@ -634,7 +688,8 @@ function generate_print_field($frow, $currvalue) { " class='under'" . " />"; *****************************************************************/ - if ($tmp === '') $tmp = ' '; + if ($tmp === '') { $tmp = ' '; } + else { $tmp = htmlspecialchars( $tmp, ENT_QUOTES); } echo $tmp; } @@ -653,9 +708,11 @@ function generate_print_field($frow, $currvalue) { // long or multi-line text field else if ($data_type == 3) { + $fldlength = htmlspecialchars( $fld_length, ENT_QUOTES); + $maxlength = htmlspecialchars( $frow['max_length'], ENT_QUOTES); echo "" . + " cols='$fldlength'" . + " rows='$maxlength'>" . $currescaped . ""; } @@ -668,8 +725,9 @@ function generate_print_field($frow, $currvalue) { " class='under'" . " />"; *****************************************************************/ - if ($currescaped === '') $currescaped = ' '; - echo oeFormatShortDate($currescaped); + if ($currvalue === '') { $tmp = oeFormatShortDate(' '); } + else { $tmp = htmlspecialchars( oeFormatShortDate($currvalue), ENT_QUOTES); } + echo $tmp; } // provider list @@ -677,7 +735,7 @@ function generate_print_field($frow, $currvalue) { $tmp = ''; if ($currvalue) { $urow = sqlQuery("SELECT fname, lname, specialty FROM users " . - "WHERE id = '$currvalue'"); + "WHERE id = ?", array($currvalue) ); $tmp = ucwords($urow['fname'] . " " . $urow['lname']); if (empty($tmp)) $tmp = "($currvalue)"; } 
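Review bot: In `@@ -634,7 +688,8`, the two-branch snippet `if ($tmp === '') { ... } else { $tmp = htmlspecialchars( $tmp, ENT_QUOTES); } echo $tmp;` is introduced verbatim, and the identical copy is added again in `@@ -688,7 +746,8`, `@@ -714,7 +773,8`, `@@ -739,7 +799,8` and `@@ -761,7 +822,8`. Five copies of an output-escaping rule are five places for the next change to miss; a one-line helper (e.g. a `print_field_text($tmp)` that returns the existing blank placeholder when `$tmp === ''` and `htmlspecialchars($tmp, ENT_QUOTES)` otherwise) lets each branch become `echo print_field_text($tmp);`. generate_print_field's body continues outside each of these hunks.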
@@ -688,7 +746,8 @@ function generate_print_field($frow, $currvalue) { " class='under'" . " />"; *****************************************************************/ - if ($tmp === '') $tmp = ' '; + if ($tmp === '') { $tmp = ' '; } + else { $tmp = htmlspecialchars( $tmp, ENT_QUOTES); } echo $tmp; } @@ -714,7 +773,8 @@ function generate_print_field($frow, $currvalue) { " class='under'" . " />"; *****************************************************************/ - if ($tmp === '') $tmp = ' '; + if ($tmp === '') { $tmp = ' '; } + else { $tmp = htmlspecialchars( $tmp, ENT_QUOTES); } echo $tmp; } @@ -739,7 +799,8 @@ function generate_print_field($frow, $currvalue) { " class='under'" . " />"; *****************************************************************/ - if ($tmp === '') $tmp = ' '; + if ($tmp === '') { $tmp = ' '; } + else { $tmp = htmlspecialchars( $tmp, ENT_QUOTES); } echo $tmp; } @@ -748,7 +809,7 @@ function generate_print_field($frow, $currvalue) { $tmp = ''; if ($currvalue) { $urow = sqlQuery("SELECT fname, lname, specialty FROM users " . - "WHERE id = '$currvalue'"); + "WHERE id = ?", array($currvalue) ); $uname = $urow['lname']; if ($urow['fname']) $uname .= ", " . $urow['fname']; $tmp = $uname; @@ -761,7 +822,8 @@ function generate_print_field($frow, $currvalue) { " class='under'" . " />"; *****************************************************************/ - if ($tmp === '') $tmp = ' '; + if ($tmp === '') { $tmp = ' '; } + else { $tmp = htmlspecialchars( $tmp, ENT_QUOTES); } echo $tmp; } @@ -771,7 +833,7 @@ function generate_print_field($frow, $currvalue) { $cols = max(1, $fld_length); $avalue = explode('|', $currvalue); $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); echo ""; $tdpct = (int) (100 / $cols); for ($count = 0; $lrow = sqlFetchArray($lres); ++$count) { 
@@ -783,13 +845,14 @@ function generate_print_field($frow, $currvalue) { echo ""; } if ($count) { echo ""; if ($count > $cols) { // Add some space after multiple rows of checkboxes. + $cols = htmlspecialchars( $cols, ENT_QUOTES); echo ""; } } @@ -806,16 +869,18 @@ function generate_print_field($frow, $currvalue) { } } $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); echo "
"; echo "" . xl_list_label($lrow['title']); + echo ">" . htmlspecialchars( xl_list_label($lrow['title']), ENT_NOQUOTES); echo "
"; while ($lrow = sqlFetchArray($lres)) { $option_id = $lrow['option_id']; $maxlength = empty($frow['max_length']) ? 255 : $frow['max_length']; $fldlength = empty($fld_length) ? 20 : $fld_length; - echo ""; - echo ""; + $fldlength = htmlspecialchars( $fldlength, ENT_QUOTES); + $inputValue = htmlspecialchars( $avalue[$option_id], ENT_QUOTES); + echo ""; } @@ -834,22 +899,27 @@ function generate_print_field($frow, $currvalue) { $maxlength = empty($frow['max_length']) ? 255 : $frow['max_length']; $fldlength = empty($fld_length) ? 20 : $fld_length; $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); echo "
" . xl_list_label($lrow['title']) . " " . htmlspecialchars( xl_list_label($lrow['title']), ENT_NOQUOTES) . " 
"; - echo "" . - ""; + echo "" . + ""; while ($lrow = sqlFetchArray($lres)) { $option_id = $lrow['option_id']; $restype = substr($avalue[$option_id], 0, 1); $resnote = substr($avalue[$option_id], 2); - echo ""; + echo ""; for ($i = 0; $i < 3; ++$i) { echo ""; } + $resnote = htmlspecialchars( $resnote, ENT_QUOTES); + $fldlength = htmlspecialchars( $fldlength, ENT_QUOTES); echo "
 " . xl('N/A') . - " " . xl('Nor') . " " . xl('Abn') . " " . - xl('Date/Notes') . "
 " . + htmlspecialchars( xl('N/A'), ENT_NOQUOTES) . + " " . + htmlspecialchars( xl('Nor'), ENT_NOQUOTES) . " " . + htmlspecialchars( xl('Abn'), ENT_NOQUOTES) . " " . + htmlspecialchars( xl('Date/Notes'), ENT_NOQUOTES) . "
" . xl_list_label($lrow['title']) . " 
" . htmlspecialchars( xl_list_label($lrow['title']), ENT_NOQUOTES) . " "; - echo $lrow['title']; - if ($lrow['comments']) echo ' (' . $lrow['comments'] . ')'; + echo htmlspecialchars( $lrow['title'], ENT_QUOTES); + if ($lrow['comments']) echo htmlspecialchars( ' (' . $lrow['comments'] . ')', ENT_QUOTES); } } @@ -886,16 +956,18 @@ function generate_print_field($frow, $currvalue) { $maxlength = empty($frow['max_length']) ? 255 : $frow['max_length']; $fldlength = empty($fld_length) ? 20 : $fld_length; $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); echo ""; while ($lrow = sqlFetchArray($lres)) { $option_id = $lrow['option_id']; $restype = substr($avalue[$option_id], 0, 1); $resnote = substr($avalue[$option_id], 2); - echo ""; + echo ""; echo ""; + $fldlength = htmlspecialchars( $fldlength, ENT_QUOTES); + $resnote = htmlspecialchars( $resnote, ENT_QUOTES); echo ""; } if ($count) { echo ""; if ($count > $cols) { // Add some space after multiple rows of radio buttons. + $cols = htmlspecialchars( $cols, ENT_QUOTES); echo ""; } } @@ -966,19 +1039,22 @@ function generate_print_field($frow, $currvalue) { $fldlength = empty($frow['fld_length']) ? 20 : $frow['fld_length']; echo "
" . xl_list_label($lrow['title']) . " 
" . htmlspecialchars( xl_list_label($lrow['title']), ENT_NOQUOTES) . "  "; $tdpct = (int) (100 / $cols); for ($count = 0; $lrow = sqlFetchArray($lres); ++$count) { @@ -927,13 +999,14 @@ function generate_print_field($frow, $currvalue) { { echo " checked"; } - echo ">" . xl_list_label($lrow['title']); + echo ">" . htmlspecialchars( xl_list_label($lrow['title']), ENT_NOQUOTES); echo "
"; echo ""; - + $fldlength = htmlspecialchars( $fldlength, ENT_QUOTES); + $resnote = htmlspecialchars( $resnote, ENT_QUOTES); + $resdate = htmlspecialchars( $resdate, ENT_QUOTES); echo ""; - echo ""; + echo ""; echo ""; + echo "/>".htmlspecialchars( xl('Current'), ENT_NOQUOTES)." "; echo ""; + echo "/>".htmlspecialchars( xl('Quit'), ENT_NOQUOTES)." "; echo ""; + echo " />".htmlspecialchars( xl('Never'), ENT_NOQUOTES).""; echo ""; + echo " />".htmlspecialchars( xl('N/A'), ENT_NOQUOTES)." "; echo ""; echo "
    ".xl('Status').":     ". + htmlspecialchars( xl('Status'), ENT_NOQUOTES).": ".xl('Current')." ".xl('Quit')." ".xl('Never')."".xl('N/A')." 
"; } @@ -1333,7 +1409,8 @@ function display_layout_rows($formtype, $result1, $result2='') { if ($titlecols > 0) { disp_end_cell(); //echo "
"; $cell_count += $titlecols; @@ -1347,7 +1424,8 @@ function display_layout_rows($formtype, $result1, $result2='') { if ($datacols > 0) { disp_end_cell(); //echo " 0) echo " style='padding-left:5pt'"; echo ">"; $cell_count += $datacols; @@ -1373,7 +1451,8 @@ function display_layout_tabs($formtype, $result1, $result2='') { $group_name = substr($this_group, 1); ?>
  • > - + "> +
  • 0) { disp_end_cell(); - echo "
    "; $cell_count += $titlecols; } @@ -1468,7 +1548,8 @@ function display_layout_tabs_data($formtype, $result1, $result2='') { // Handle starting of a new data cell. if ($datacols > 0) { disp_end_cell(); - echo ""; $cell_count += $datacols; } @@ -1493,13 +1574,14 @@ function display_layout_tabs_data_editable($formtype, $result1, $result2='') { global $item_count, $cell_count, $last_group, $CPR; $fres = sqlStatement("SELECT distinct group_name FROM layout_options " . - "WHERE form_id = '$formtype' AND uor > 0 " . - "ORDER BY group_name, seq"); + "WHERE form_id = ? AND uor > 0 " . + "ORDER BY group_name, seq", array($formtype) ); $first = true; while ($frow = sqlFetchArray($fres)) { $this_group = $frow['group_name']; $group_name = substr($this_group, 1); + $group_name_esc = htmlspecialchars( $group_name, ENT_QUOTES); $titlecols = $frow['titlecols']; $datacols = $frow['datacols']; $data_type = $frow['data_type']; @@ -1508,11 +1590,11 @@ function display_layout_tabs_data_editable($formtype, $result1, $result2='') { $currvalue = ''; $group_fields_query = sqlStatement("SELECT * FROM layout_options " . - "WHERE form_id = '$formtype' AND uor > 0 AND group_name = '$this_group' " . - "ORDER BY seq"); + "WHERE form_id = ? AND uor > 0 AND group_name = ? " . + "ORDER BY seq", array($formtype,$this_group) ); ?> -
    +
    0) { disp_end_cell(); - echo "
    "; $cell_count += $titlecols; } ++$item_count; // Added 5-09 by BM - Translate label if applicable - if ($group_fields['title']) echo (xl_layout_label($group_fields['title']).":"); else echo " "; + if ($group_fields['title']) echo (htmlspecialchars( xl_layout_label($group_fields['title']), ENT_NOQUOTES).":"); else echo " "; // Handle starting of a new data cell. if ($datacols > 0) { disp_end_cell(); - echo ""; $cell_count += $datacols; } @@ -1602,6 +1686,10 @@ function display_layout_tabs_data_editable($formtype, $result1, $result2='') { // field corresponding to the provided layout_options table row. // function get_layout_form_value($frow, $maxlength=255) { + // Bring in $sanitize_all_escapes variable, which will decide + // the variable escaping method. + global $sanitize_all_escapes; + $data_type = $frow['data_type']; $field_id = $frow['field_id']; $value = ''; @@ -1660,19 +1748,27 @@ function get_layout_form_value($frow, $maxlength=255) { // Better to die than to silently truncate data! if ($maxlength && $data_type != 3 && strlen($value) > $maxlength) - die(xl('ERROR: Field') . " '$field_id' " . xl('is too long') . - ":
     
    $value"); + die(htmlspecialchars( xl('ERROR: Field') . " '$field_id' " . xl('is too long'), ENT_NOQUOTES) . + ":
     
    ".htmlspecialchars( $value, ENT_NOQUOTES)); // Make sure the return value is quote-safe. - return formTrim($value); + if ($sanitize_all_escapes) { + //escapes already removed and using binding/placemarks in sql calls + // so only need to trim value + return trim($value); + } + else { + //need to explicitly prepare value + return formTrim($value); + } } // Generate JavaScript validation logic for the required fields. // function generate_layout_validation($form_id) { $fres = sqlStatement("SELECT * FROM layout_options " . - "WHERE form_id = '$form_id' AND uor > 0 AND field_id != '' " . - "ORDER BY group_name, seq"); + "WHERE form_id = ? AND uor > 0 AND field_id != '' " . + "ORDER BY group_name, seq", array($form_id) ); while ($frow = sqlFetchArray($fres)) { if ($frow['uor'] < 2) continue; @@ -1680,7 +1776,7 @@ function generate_layout_validation($form_id) { $field_id = $frow['field_id']; $fldtitle = $frow['title']; if (!$fldtitle) $fldtitle = $frow['description']; - $fldname = "form_$field_id"; + $fldname = htmlspecialchars( "form_$field_id", ENT_QUOTES); switch($data_type) { case 1: case 11: @@ -1691,7 +1787,7 @@ function generate_layout_validation($form_id) { echo " if (f.$fldname.selectedIndex <= 0) {\n" . " if (f.$fldname.focus) f.$fldname.focus();\n" . - " errMsgs[errMsgs.length] = '" . addslashes(xl_layout_label($fldtitle)) . "'; \n" . + " errMsgs[errMsgs.length] = '" . htmlspecialchars( (xl_layout_label($fldtitle)), ENT_QUOTES) . "'; \n" . " }\n"; break; case 27: // radio buttons @@ -1699,7 +1795,7 @@ function generate_layout_validation($form_id) { " var i = 0;\n" . " for (; i < f.$fldname.length; ++i) if (f.$fldname[i].checked) break;\n" . " if (i >= f.$fldname.length) {\n" . - " errMsgs[errMsgs.length] = '" . addslashes(xl_layout_label($fldtitle)) . "'; \n" . + " errMsgs[errMsgs.length] = '" . htmlspecialchars( (xl_layout_label($fldtitle)), ENT_QUOTES) . "'; \n" . " }\n"; break; case 2: 
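Review bot: `get_layout_form_value` in `@@ -1660,19 +1748,27` now returns either a raw `trim($value)` or a slash-escaped `formTrim($value)` depending on the page-level global `$sanitize_all_escapes`, and nothing at a call site shows which it will get: a page that sets the flag but still builds SQL by interpolation loses the escaping it had, and a page that does not set it but binds parameters stores the added backslashes. The function's header comment sits above the hunk; it should state the contract, e.g. `// When the calling page sets $sanitize_all_escapes=true the value is returned raw (trim only) and must be used with bound SQL parameters and escaped on output; otherwise it is formTrim()'d for legacy interpolated SQL.` The `global $sanitize_all_escapes;` added in `@@ -1602,6 +1686,10` would also benefit from a pointer to where the flag is expected to be set.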
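Review bot: In `@@ -1680,7 +1776,7` and the two hunks after it, `$fldname = htmlspecialchars( "form_$field_id", ENT_QUOTES);` is then used as a JavaScript property name (`f.$fldname.value`) and, in `@@ -1709,12 +1805,12`, in jQuery selectors, and the `addslashes()` around the label text is replaced by `htmlspecialchars( ..., ENT_QUOTES)` inside a single-quoted JS string literal. HTML entity encoding is not decoded inside a script block, so for plain identifiers the change is a no-op and for anything else it breaks the output: an apostrophe in a label renders literally as `&#039;`, and a backslash or newline in a label now ends the literal where addslashes used to escape it. The JS string wants a JS encoder, `" errMsgs[errMsgs.length] = " . json_encode(xl_layout_label($fldtitle)) . "; \n"`, and a field_id that is not a valid identifier should be rejected (`if (!preg_match('/^[A-Za-z0-9_]+$/', $field_id)) die(...)`) rather than entity-encoded. Whether this output lands in a script block or an attribute is not visible in the hunk; the `$(...)` calls suggest the former.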
@@ -1709,12 +1805,12 @@ function generate_layout_validation($form_id) { echo " if (trimlen(f.$fldname.value) == 0) {\n" . " if (f.$fldname.focus) f.$fldname.focus();\n" . - " $('#form_" . $field_id . "').parents('div.tab').each( function(){ var tabHeader = $('#header_' + $(this).attr('id') ); tabHeader.css('color','red'); } ); " . - " $('#form_" . $field_id . "').attr('style','background:red'); \n" . - " errMsgs[errMsgs.length] = '" . addslashes(xl_layout_label($fldtitle)) . "'; \n" . + " $('#" . $fldname . "').parents('div.tab').each( function(){ var tabHeader = $('#header_' + $(this).attr('id') ); tabHeader.css('color','red'); } ); " . + " $('#" . $fldname . "').attr('style','background:red'); \n" . + " errMsgs[errMsgs.length] = '" . htmlspecialchars( (xl_layout_label($fldtitle)), ENT_QUOTES) . "'; \n" . " } else { " . - " $('#form_" . $field_id . "').attr('style',''); " . - " $('#form_" . $field_id . "').parents('div.tab').each( function(){ var tabHeader = $('#header_' + $(this).attr('id') ); tabHeader.css('color',''); } ); " . + " $('#" . $fldname . "').attr('style',''); " . + " $('#" . $fldname . "').parents('div.tab').each( function(){ var tabHeader = $('#header_' + $(this).attr('id') ); tabHeader.css('color',''); } ); " . " } \n"; break; } diff --git a/library/options_listadd.inc b/library/options_listadd.inc index 44ebd94026c..d6704540f8c 100644 --- a/library/options_listadd.inc +++ b/library/options_listadd.inc @@ -40,10 +40,13 @@ // state form for input box var state = "\
      \ -
    • \ -
    • \ +
    • \ +
    • \ +
    • \ + \
    • \ -
    • \ +
    • \ + \
    • \
    \ " @@ -108,12 +111,12 @@ $(document).ready(function(){ // Don't allow illegal characters (' and " for now) - still developing // First, validate fields common to all forms if ($("#newlistitem_value").val().match(/^\d/)) { - alert(""); + alert(""); $("#newlistitem_value").focus(); return false; } if ($("#newlistitem_value").val().match(/[\'\"]/)) { - alert(""); + alert(""); $("#newlistitem_value").focus(); return false; } @@ -121,12 +124,12 @@ $(document).ready(function(){ if (($("#newlistitem_listid").val() == "state") && (stateCustomFlag)) { // state forms specific validation if ($("#newlistitem_abbr").val().match(/^\d/)) { - alert(""); + alert(""); $("#newlistitem_abbr").focus(); return false; } if ($("#newlistitem_abbr").val().match(/[\'\"]/)) { - alert(""); + alert(""); $("#newlistitem_abbr").focus(); return false; } diff --git a/library/patient.inc b/library/patient.inc index 3fe78b7eed6..0531e613794 100644 --- a/library/patient.inc +++ b/library/patient.inc @@ -289,8 +289,8 @@ function getEthnoRacials() { function getHistoryData($pid, $given = "*") { - $sql = "select $given from history_data where pid='$pid' order by date DESC limit 0,1"; - return sqlQuery($sql); + $sql = "select $given from history_data where pid=? order by date DESC limit 0,1"; + return sqlQuery($sql, array($pid) ); } // function getInsuranceData($pid, $type = "primary", $given = "insd.*, DATE_FORMAT(subscriber_DOB,'%m/%d/%Y') as subscriber_DOB, ic.name as provider_name") 
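Review bot: In `@@ -289,8 +289,8`, binding `$pid` leaves `$given` interpolated into the SELECT list, and the same remains for `$given` in `@@ -310,9 +310,9` and for the column names `$key` in `@@ -993,14 +993,16` and `@@ -1008,15 +1010,19`, which are the keys of the caller's `$new` array; placeholders cannot cover identifiers, so this commit closes the value side only. `$given` has a default and is passed by code, but `$key` is whatever the caller collected, and where that is a form post the untrusted part is now the column name rather than the value. A whitelist against the known history_data columns before each `$key` is appended to `$sql` — or at minimum `if (!preg_match('/^[A-Za-z0-9_]+$/', $key)) die(...);` — would make the binding complete. `newHistoryData` is fully inside its hunk; `updateHistoryData`'s signature is above its hunk.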
@@ -310,9 +310,9 @@ function getInsuranceDataByDate($pid, $date, $type, // but not records enterred after the given date $sql = "select $given from insurance_data as insd " . "left join insurance_companies as ic on ic.id = provider " . - "where pid = '$pid' and date_format(date,'%Y-%m-%d') <= '$date' and " . - "type='$type' order by date DESC limit 1"; - return sqlQuery($sql); + "where pid = ? and date_format(date,'%Y-%m-%d') <= ? and " . + "type=? order by date DESC limit 1"; + return sqlQuery($sql, array($pid,$date,$type) ); } function getEmployerData($pid, $given = "*") @@ -993,14 +993,16 @@ function updateInsuranceData($id, $new) } function newHistoryData($pid, $new=false) { - $sql = "insert into history_data set pid = '$pid', date = NOW()"; + $arraySqlBind = array(); + $sql = "insert into history_data set pid = ?, date = NOW()"; + array_push($arraySqlBind,$pid); if ($new) { while(list($key, $value) = each($new)) { - if (!get_magic_quotes_gpc()) $value = addslashes($value); - $sql .= ", `$key` = '$value'"; + array_push($arraySqlBind,$value); + $sql .= ", `$key` = ?"; } } - return sqlInsert($sql); + return sqlInsert($sql, $arraySqlBind ); } function updateHistoryData($pid,$new) @@ -1008,15 +1010,19 @@ function updateHistoryData($pid,$new) $real = getHistoryData($pid); while(list($key, $value) = each ($new)) $real[$key] = $value; - $real['date'] = "'+NOW()+'"; $real['id'] = ""; - - $sql = "insert into history_data set "; - while(list($key, $value) = each($real)) - $sql .= "`$key` = '$value', "; + // need to unset date, so can reset it below + unset($real['date']); + + $arraySqlBind = array(); + $sql = "insert into history_data set `date` = NOW(), "; + while(list($key, $value) = each($real)) { + array_push($arraySqlBind,$value); + $sql .= "`$key` = ?, "; + } $sql = substr($sql, 0, -2); - return sqlInsert($sql); + return sqlInsert($sql, $arraySqlBind ); } function sync_patient($id,$fname,$lname,$street,$city,$postal_code,$state,$phone_home, 
diff --git a/library/sl_eob.inc.php b/library/sl_eob.inc.php index 92b79a7777e..d9fb0241cd5 100644 --- a/library/sl_eob.inc.php +++ b/library/sl_eob.inc.php @@ -363,9 +363,9 @@ function arGetPayerID($patient_id, $date_of_service, $payer_type) { $tmp = array(1 => 'primary', 2 => 'secondary', 3 => 'tertiary'); $value = $tmp[$payer_type]; $query = "SELECT provider FROM insurance_data WHERE " . - "pid = '$patient_id' AND type = '$value' AND date <= '$date_of_service' " . + "pid = ? AND type = ? AND date <= ? " . "ORDER BY date DESC LIMIT 1"; - $nprow = sqlQuery($query); + $nprow = sqlQuery($query, array($patient_id,$value,$date_of_service) ); // echo "\n"; // debugging if (empty($nprow)) return 0; return $nprow['provider'];
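Review bot: In `@@ -363,9 +363,9`, `$value = $tmp[$payer_type];` is undefined for any `$payer_type` outside 1–3, and that undefined value is now bound as NULL, so `type = ?` matches nothing and the function returns 0 with only a PHP notice to show why. A guard before the query, `if (!isset($tmp[$payer_type])) return 0;`, makes the contract explicit and skips the round trip. The hunk covers the body of arGetPayerID after its signature.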