diff --git a/interface/patient_file/summary/demographics.php b/interface/patient_file/summary/demographics.php index 46710771e56..daeeb915ea5 100644 --- a/interface/patient_file/summary/demographics.php +++ b/interface/patient_file/summary/demographics.php @@ -4,6 +4,14 @@ // as published by the Free Software Foundation; either version 2 // of the License, or (at your option) any later version. +//SANITIZE ALL ESCAPES +$sanitize_all_escapes=true; +// + +//STOP FAKE REGISTER GLOBALS +$fake_register_globals=false; +// + require_once("../../globals.php"); require_once("$srcdir/patient.inc"); require_once("$srcdir/acl.inc"); @@ -56,7 +64,7 @@ function print_as_money($money) { } //Visolve - sync the radio buttons - End - var mypcc = ''; + var mypcc = ''; function oldEvt(eventid) { dlgopen('../../main/calendar/add_edit_event.php?eid=' + eventid, '_blank', 550, 270); @@ -73,7 +81,7 @@ function refreshme() { // Process click on Delete link. function deleteme() { - dlgopen('../deleter.php?patient=', '_blank', 500, 450); + dlgopen('../deleter.php?patient=', '_blank', 500, 450); return false; } @@ -93,11 +101,11 @@ function validate() { if ($GLOBALS['athletic_team']) { echo " if (f.form_userdate1.value != f.form_original_userdate1.value) {\n"; $irow = sqlQuery("SELECT id, title FROM lists WHERE " . - "pid = '$pid' AND enddate IS NULL ORDER BY begdate DESC LIMIT 1"); + "pid = ? AND enddate IS NULL ORDER BY begdate DESC LIMIT 1", array($pid)); if (!empty($irow)) { ?> - if (confirm('Do you wish to also set this new return date in the issue titled ""?')) { - f.form_issue_id.value = ''; + if (confirm('Do you wish to also set this new return date in the issue titled ""?')) { + f.form_issue_id.value = ''; } else { alert('OK, you will need to manually update the return date in any affected issue(s).'); } 
@@ -112,7 +120,7 @@ function validate() { } function newEvt() { - dlgopen('../../main/calendar/add_edit_event.php?patientid=', '_blank', 550, 270); + dlgopen('../../main/calendar/add_edit_event.php?patientid=', '_blank', 550, 270); return false; } @@ -130,11 +138,11 @@ function sendimage(pid, what) { function toggle( target, div ) { $mode = $(target).find(".indicator").text(); - if ( $mode == "" ) { - $(target).find(".indicator").text( "" ); + if ( $mode == "" ) { + $(target).find(".indicator").text( "" ); $(div).hide(); } else { - $(target).find(".indicator").text( "" ); + $(target).find(".indicator").text( "" ); $(div).show(); } @@ -225,7 +233,7 @@ function toggle( target, div ) { } if (!$thisauth) { - echo "

(" . xl('Demographics not authorized') . ")

\n"; + echo "

(" . htmlspecialchars(xl('Demographics not authorized'),ENT_NOQUOTES) . ")

\n"; echo "\n\n"; exit(); } @@ -235,25 +243,31 @@ function toggle( target, div ) { echo "" . - getPatientName($pid) . "  "; + htmlspecialchars(getPatientName($pid),ENT_NOQUOTES) . + "  "; echo "" . xl("Edit" ). ""; + echo " onclick='top.restoreSession()'>" . + htmlspecialchars(xl("Edit" ),ENT_NOQUOTES). ""; if (acl_check('admin', 'super')) { - echo "" . - "".xl('Delete').""; + echo "" . + "".htmlspecialchars(xl('Delete'),ENT_NOQUOTES). + ""; } if ($GLOBALS['oer_config']['ws_accounting']['enabled']) { // Show current balance and billing note, if any. echo "   " . - xl('Balance Due') . ": " . oeFormatMoney(get_patient_balance($pid)) . + htmlspecialchars(xl('Balance Due'),ENT_NOQUOTES) . + ": " . htmlspecialchars(oeFormatMoney(get_patient_balance($pid)),ENT_NOQUOTES) . "
"; if ($result['genericname2'] == 'Billing') { - xl('Billing Note') . ":"; + htmlspecialchars(xl('Billing Note'),ENT_NOQUOTES) . ":"; echo "" . - $result['genericval2'] . ""; + htmlspecialchars($result['genericval2'],ENT_NOQUOTES) . + "
"; } echo ""; } @@ -265,11 +279,11 @@ function toggle( target, div ) { if ($GLOBALS['patient_id_category_name']) { $tmp = sqlQuery("SELECT d.id, d.date, d.url FROM " . "documents AS d, categories_to_documents AS cd, categories AS c " . - "WHERE d.foreign_id = $pid " . + "WHERE d.foreign_id = ? " . "AND cd.document_id = d.id " . "AND c.id = cd.category_id " . - "AND c.name LIKE '" . $GLOBALS['patient_id_category_name'] . "' " . - "ORDER BY d.date DESC LIMIT 1"); + "AND c.name LIKE ? " . + "ORDER BY d.date DESC LIMIT 1", array($pid, $GLOBALS['patient_id_category_name']) ); if ($tmp) $document_id = $tmp['id']; } ?> @@ -277,15 +291,20 @@ function toggle( target, div ) { - + + | - + + | - + + | - + + | - + + @@ -300,7 +319,8 @@ function toggle( target, div ) {
- () + + ()
@@ -324,9 +344,9 @@ function toggle( target, div ) { $enddate = 'Present'; $query = "SELECT * FROM insurance_data WHERE " . - "pid = '$pid' AND type = '$instype' " . + "pid = ? AND type = ? " . "ORDER BY date DESC"; - $res = sqlStatement($query); + $res = sqlStatement($query, array($pid, $instype) ); while( $row = sqlFetchArray($res) ) { if ($row['provider'] ) $insurance_count++; } @@ -336,7 +356,8 @@ function toggle( target, div ) { ?>
- () + + ()
@@ -351,9 +372,9 @@ function toggle( target, div ) { foreach (array('primary','secondary','tertiary') as $instype) { $query = "SELECT * FROM insurance_data WHERE " . - "pid = '$pid' AND type = '$instype' " . + "pid = ? AND type = ? " . "ORDER BY date DESC"; - $res = sqlStatement($query); + $res = sqlStatement($query, array($pid, $instype) ); $enddate = 'Present'; @@ -364,7 +385,8 @@ function toggle( target, div ) { $ins_description = xl($ins_description); $ins_description .= strcmp($enddate, 'Present') != 0 ? " (".xl('Old').")" : ""; ?> -
  • >
  • +
  • > +
  • @@ -399,12 +421,13 @@ function toggle( target, div ) { - - + + - + - : + : @@ -412,51 +435,56 @@ function toggle( target, div ) { '; + echo htmlspecialchars($insco_name,ENT_NOQUOTES) . '
    '; if (trim($adobj->get_line1())) { - echo $adobj->get_line1() . '
    '; - echo $adobj->get_city() . ', ' . $adobj->get_state() . ' ' . $adobj->get_zip(); + echo htmlspecialchars($adobj->get_line1(),ENT_NOQUOTES) . '
    '; + echo htmlspecialchars($adobj->get_city() . ', ' . $adobj->get_state() . ' ' . $adobj->get_zip(),ENT_NOQUOTES); } } else { - echo "".xl('Unassigned').""; + echo "".htmlspecialchars(xl('Unassigned'),ENT_NOQUOTES).""; } ?>
    - :
    - :
    - :
    + : +
    + : +
    + : + - :
    - + :
    +
    - :
    - : -
    - : + : +
    + : +
    + : +
    - :
    -
    - - - -
    + :
    +
    + + + +
    -
    :
    -
    -
    - - - - +
    :
    +
    +
    + + + +
    @@ -465,13 +493,13 @@ function toggle( target, div ) { - : - + : +
    - : - - + : + + @@ -499,7 +527,7 @@ function toggle( target, div ) {
    - () + ()
    @@ -525,9 +553,9 @@ function toggle( target, div ) {
    - + - () + ()
    @@ -537,8 +565,8 @@ function toggle( target, div ) { $myrow2 = sqlQuery($query); if ($myrow2) { $parentId = $myrow2['id']; - $query = "SELECT id, name FROM categories WHERE parent='$parentId'"; - $resNew1 = sqlStatement($query); + $query = "SELECT id, name FROM categories WHERE parent=?"; + $resNew1 = sqlStatement($query, array($parentId) ); while ($myrows3 = sqlFetchArray($resNew1)) { $categoryId = $myrows3['id']; $nameDoc = $myrows3['name']; @@ -546,10 +574,10 @@ function toggle( target, div ) { "FROM documents " . "INNER JOIN categories_to_documents " . "ON categories_to_documents.document_id=documents.id " . - "WHERE categories_to_documents.category_id='$categoryId' " . - "AND documents.foreign_id='$pid' " . + "WHERE categories_to_documents.category_id=? " . + "AND documents.foreign_id=? " . "ORDER BY documents.date DESC"; - $resNew2 = sqlStatement($query); + $resNew2 = sqlStatement($query, array($categoryId, $pid) ); $limitCounter = 0; // limit to one entry per category while (($myrows4 = sqlFetchArray($resNew2)) && ($limitCounter == 0)) { $dateTimeDoc = $myrows4['date']; @@ -557,8 +585,11 @@ function toggle( target, div ) { $tempParse = explode(" ",$dateTimeDoc); $dateDoc = $tempParse[0]; $idDoc = $myrows4['id']; - echo "" . xl_document_category($nameDoc) . " " . $dateDoc; + echo "" . + htmlspecialchars(xl_document_category($nameDoc),ENT_NOQUOTES) . " " . + htmlspecialchars($dateDoc,ENT_NOQUOTES); echo "
    "; $limitCounter = $limitCounter + 1; $counterFlag = true; @@ -566,7 +597,7 @@ function toggle( target, div ) { } } if (!$counterFlag) { - echo xl('None', 'e'); + echo htmlspecialchars(xl('None'),ENT_NOQUOTES); } ?>
    @@ -610,12 +641,12 @@ function toggle( target, div ) { $form_issue_id = $_POST['form_issue_id']; if ($form_submit) { $returndate = $form_userdate1 ? "'$form_userdate1'" : "NULL"; - sqlStatement("UPDATE patient_data SET fitness = '$form_fitness', " . - "userdate1 = $returndate WHERE pid = '$pid'"); + sqlStatement("UPDATE patient_data SET fitness = ?, " . + "userdate1 = ? WHERE pid = ?", array($form_fitness, $returndate, $pid) ); // Update return date in the designated issue, if requested. if ($form_issue_id) { - sqlStatement("UPDATE lists SET returndate = $returndate WHERE " . - "id = '$form_issue_id'"); + sqlStatement("UPDATE lists SET returndate = ? WHERE " . + "id = ?", array($returndate, $form_issue_id) ); } } else { $form_fitness = $result['fitness']; @@ -630,20 +661,20 @@ function toggle( target, div ) { "list_id = 'fitness' ORDER BY seq"); while ($row = sqlFetchArray($res)) { $key = $row['option_id']; - echo " \n"; + echo ">" . htmlspecialchars($row['title'],ENT_NOQUOTES) . "\n"; } echo " \n"; echo "
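Review bot: `$returndate` is now passed as a bound parameter but is still assembled as `"'$form_userdate1'"` or the literal string `"NULL"`, so what reaches `userdate1` (and `lists.returndate` in the second UPDATE) is the date wrapped in quote characters, or the four-letter text NULL, rather than a date or SQL NULL — the old string-built query depended on that text being spliced in raw. Build the bound value as `$returndate = $form_userdate1 ? $form_userdate1 : null;` and leave both `sqlStatement` calls as they are, assuming the DB layer maps PHP null to SQL NULL (worth confirming for sqlStatement). Separately, `UPDATE lists ... WHERE id = ?` takes `form_issue_id` straight from `$_POST` with no patient constraint, so a submitted id can set the return date on another patient's issue; `WHERE id = ? AND pid = ?` with `array($returndate, $form_issue_id, $pid)` would scope it. The enclosing block starts before this hunk.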
    Return to Play:
    \n"; echo " \n" . " [?]\n"; - echo " \n"; + "title='" . htmlspecialchars(xl('Click here to choose a date'),ENT_QUOTES) . "'>\n"; + echo " \n"; echo " \n"; echo "

    \n"; echo " \n"; @@ -663,16 +694,16 @@ function toggle( target, div ) { "c.pc_catname " . "FROM openemr_postcalendar_events AS e, users AS u, " . "openemr_postcalendar_categories AS c WHERE " . - "e.pc_pid = '$pid' AND e.pc_eventDate >= CURRENT_DATE AND " . + "e.pc_pid = ? AND e.pc_eventDate >= CURRENT_DATE AND " . "u.id = e.pc_aid AND e.pc_catid = c.pc_catid " . "ORDER BY e.pc_eventDate, e.pc_startTime"; - $res = sqlStatement($query); + $res = sqlStatement($query, array($pid) ); if (isset($res) && $res != null) { ?>
    - + - () + ()
    @@ -691,15 +722,16 @@ function toggle( target, div ) { } $etitle = xl('(Click to edit)'); if ($row['pc_hometext'] != "") { - $etitle = xl('Comments').": ".addslashes($row['pc_hometext'])."\r\n".$etitle; + $etitle = xl('Comments').": ".($row['pc_hometext'])."\r\n".$etitle; } - echo ""; - echo "" . xl($dayname) . ", " . $row['pc_eventDate'] . "
    "; - echo "$disphour:$dispmin " . xl($dispampm) . " " . xl_appt_category($row['pc_catname']) . "
    \n"; - echo $row['fname'] . " " . $row['lname'] . "

    \n"; + echo ""; + echo "" . htmlspecialchars(xl($dayname) . ", " . $row['pc_eventDate'],ENT_NOQUOTES) . "
    "; + echo htmlspecialchars("$disphour:$dispmin " . xl($dispampm) . " " . xl_appt_category($row['pc_catname']),ENT_NOQUOTES) . "
    \n"; + echo htmlspecialchars($row['fname'] . " " . $row['lname'],ENT_NOQUOTES) . "

    \n"; } if (isset($res) && $res != null) { - if ( $count < 1 ) { echo xl('None', 'e'); } + if ( $count < 1 ) { echo htmlspecialchars(xl('None'),ENT_NOQUOTES); } echo "
    "; } } @@ -726,7 +758,9 @@ function toggle( target, div ) { diff --git a/interface/patient_file/summary/patient_picture.php b/interface/patient_file/summary/patient_picture.php index 5d9cd1ffa90..45e27defa79 100644 --- a/interface/patient_file/summary/patient_picture.php +++ b/interface/patient_file/summary/patient_picture.php @@ -1,15 +1,24 @@ Patient Photograph
    \n"); + array_push($pics,"
    Patient Photograph
    \n"); } } } diff --git a/interface/patient_file/summary/pnotes_fragment.php b/interface/patient_file/summary/pnotes_fragment.php index a737befcd41..08e4bdb51b6 100644 --- a/interface/patient_file/summary/pnotes_fragment.php +++ b/interface/patient_file/summary/pnotes_fragment.php @@ -4,6 +4,14 @@ // as published by the Free Software Foundation; either version 2 // of the License, or (at your option) any later version. +//SANITIZE ALL ESCAPES +$sanitize_all_escapes=true; +// + +//STOP FAKE REGISTER GLOBALS +$fake_register_globals=false; +// + require_once("../../globals.php"); require_once("$srcdir/pnotes.inc"); require_once("$srcdir/acl.inc"); @@ -35,26 +43,26 @@ $thisauth = 0; } if (!$thisauth) { - echo "

    (" . xl('Notes not authorized') . ")

    \n"; + echo "

    (" . htmlspecialchars(xl('Notes not authorized'),ENT_NOQUOTES) . ")

    \n"; } else { ?> Execute($sql); - if($resnote && !$resnote->EOF && $resnote->fields['genericname2'] == 'Billing') { - $billing_note = $resnote->fields['genericval2']; - $colorbeg = ""; - $colorend = ""; + "from patient_data where pid = ? limit 1"; + $resnote = sqlQuery($sql, array($pid) ); + if ($resnote) { + if ($resnote['genericname2'] == 'Billing') { + $billing_note = $resnote['genericval2']; + $colorbeg = ""; + $colorend = ""; + } } //Display what the patient owes @@ -63,14 +71,18 @@ $has_note = 1; $formatted = oeFormatMoney($balance); echo " \n"; - echo " \n"; + echo " \n"; echo " \n"; } if ($billing_note) { $has_note = 1; echo " \n"; - echo " \n"; + echo " \n"; echo " \n"; } @@ -87,11 +99,12 @@ if (preg_match('/^\d\d\d\d-\d\d-\d\d \d\d\:\d\d /', $body)) { $body = nl2br(oeFormatPatientNote($body)); } else { - $body = oeFormatSDFT(strtotime($iter['date'])) . date(' H:i', strtotime($iter['date'])) . - ' (' . $iter['user'] . ') ' . nl2br(oeFormatPatientNote($body)); + $body = htmlspecialchars(oeFormatSDFT(strtotime($iter['date'])) . date(' H:i', strtotime($iter['date'])) . + ' (' . $iter['user'] . ') ',ENT_NOQUOTES) . + nl2br(htmlspecialchars(oeFormatPatientNote($body),ENT_NOQUOTES)); } - echo " \n"; + echo " \n"; // Modified 6/2009 by BM to incorporate the patient notes into the list_options listings echo " \n"; echo " \n"; + echo " \n"; echo " \n"; } 
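Review bot: In the `if (preg_match(...))` branch at the top of the last hunk, `$body = nl2br(oeFormatPatientNote($body));` still emits the note text unescaped, while the `else` branch now wraps the same value in `htmlspecialchars(...,ENT_NOQUOTES)`; a note whose body begins with a `YYYY-MM-DD HH:MM ` prefix therefore skips the new escaping entirely unless `oeFormatPatientNote` escapes on its own, which is not visible here. Unless it does, the branch should become `$body = nl2br(htmlspecialchars(oeFormatPatientNote($body),ENT_NOQUOTES));` so both paths treat the stored note as untrusted. The surrounding loop begins before this hunk.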
@@ -91,13 +101,14 @@ function load_location( location ) { // $need_head = true; foreach (array('treatment_protocols','injury_log') as $formname) { - if (mysql_num_rows(sqlStatement("SHOW TABLES LIKE 'form_$formname'")) > 0) { + if (sqlNumRows(sqlStatement("SHOW TABLES LIKE ?", array("form_".$formname) )) > 0) { $dres = sqlStatement("SELECT tp.id, tp.value FROM forms, " . - "form_$formname AS tp WHERE forms.pid = $pid AND " . - "forms.formdir = '$formname' AND tp.id = forms.form_id AND " . + "form_" . add_escape_custom($formname) . + " AS tp WHERE forms.pid = ? AND " . + "forms.formdir = ? AND tp.id = forms.form_id AND " . "tp.rownbr = -1 AND tp.colnbr = -1 AND tp.value LIKE '0%' " . - "ORDER BY tp.value DESC"); - if (mysql_num_rows($dres) > 0 && $need_head) { + "ORDER BY tp.value DESC", array($pid, $formname) ); + if (sqlNumRows($dres) > 0 && $need_head) { $need_head = false; echo " \n"; echo " \n"; + echo htmlspecialchars($row['id'],ENT_QUOTES) . "\")'>" . + htmlspecialchars($start_date,ENT_NOQUOTES) . " " . + htmlspecialchars($template_name,ENT_NOQUOTES) . "\n"; echo " \n"; } } @@ -124,9 +137,9 @@ function load_location( location ) {
    ".$colorbeg.xl('Balance Due').$colorend."".$colorbeg.$formatted.$colorend."".$colorbeg. + htmlspecialchars(xl('Balance Due'),ENT_NOQUOTES).$colorend."".$colorbeg. + htmlspecialchars($formatted,ENT_NOQUOTES).$colorend."
    ".$colorbeg.xl('Billing Note').$colorend."".$colorbeg.$billing_note.$colorend."".$colorbeg. + htmlspecialchars(xl('Billing Note'),ENT_NOQUOTES).$colorend."".$colorbeg. + htmlspecialchars($billing_note,ENT_NOQUOTES).$colorend."
    "; @@ -110,15 +123,20 @@ - "; echo xl("here", "e"); echo "."; ?> + "; + echo htmlspecialchars(xl("here"),ENT_NOQUOTES); + echo "."; ?>
    - - Displaying the most recent notes. Click here to view them all. + +
    +
    diff --git a/interface/patient_file/summary/stats.php b/interface/patient_file/summary/stats.php index e362948407c..9db7c99a651 100644 --- a/interface/patient_file/summary/stats.php +++ b/interface/patient_file/summary/stats.php @@ -1,8 +1,18 @@ @@ -16,7 +26,7 @@ $thisauth = 0; } if (!$thisauth) { - echo "

    (".xl('Issues not authorized').")

    \n"; + echo "

    (".htmlspecialchars(xl('Issues not authorized'),ENT_NOQUOTES).")

    \n"; echo "\n\n"; exit(); } @@ -41,21 +51,21 @@ function load_location( location ) { foreach ($ISSUE_TYPES as $key => $arr) { // $result = getListByType($pid, $key, "id,title,begdate,enddate,returndate,extrainfo", "all", "all", 0); - $query = "SELECT * FROM lists WHERE pid = $pid AND type = '$key' AND "; + $query = "SELECT * FROM lists WHERE pid = ? AND type = ? AND "; $query .= "enddate IS NULL "; $query .= "ORDER BY begdate"; - $pres = sqlStatement($query); + $pres = sqlStatement($query, array($pid, $key) ); - if (mysql_num_rows($pres) > 0 || $ix == 0) { + if (sqlNumRows($pres) > 0 || $ix == 0) { // output a header for the $ISSUE_TYPE echo "
    \n"; ?> - + - () + () \n"; - echo "   " . $row['title'] . "  " . htmlspecialchars($row['title'],ENT_NOQUOTES) . "
    \n"; @@ -111,7 +122,9 @@ function load_location( location ) { echo "   "; echo "$start_date $template_name
    - + - () + ()
    @@ -135,16 +148,16 @@ function load_location( location ) { $sql = "select i1.id as id, i1.immunization_id as immunization_id,". " if (i1.administered_date, concat(i1.administered_date,' - '), substring(i1.note,1,20)) as immunization_data ". " from immunizations i1 ". - " where i1.patient_id = $pid ". + " where i1.patient_id = ? ". " order by i1.immunization_id, i1.administered_date desc"; - $result = sqlStatement($sql); + $result = sqlStatement($sql, array($pid) ); while ($row=sqlFetchArray($result)){ echo "  "; echo "" . - $row{'immunization_data'} . + echo "' href='javascript:;' onclick='javascript:load_location(\"immunizations.php?mode=edit&id=".htmlspecialchars($row['id'],ENT_QUOTES) . "\")'>" . + htmlspecialchars($row{'immunization_data'},ENT_NOQUOTES) . generate_display_field(array('data_type'=>'1','list_id'=>'immunizations'), $row['immunization_id']) . "
    \n"; } @@ -159,7 +172,7 @@ function load_location( location ) {
    "; // $s .= ""; - if (!empty($resnote)) $s .= ""; - if (!empty($res)) $s .= ""; - if ($restype == "quit".$field_id) $s .= ""; + if (!empty($resnote)) $s .= ""; + if (!empty($res)) $s .= ""; + if ($restype == "quit".$field_id) $s .= ""; $s .= ""; $s .= "
    - +
    $value) { if ($currvalue == $key) { - $s .= $value[3]; + $s .= htmlspecialchars($value[3],ENT_NOQUOTES); } } } @@ -1062,22 +1062,22 @@ function generate_display_field($frow, $currvalue) { // address book else if ($data_type == 14) { $urow = sqlQuery("SELECT fname, lname, specialty FROM users " . - "WHERE id = '$currvalue'"); + "WHERE id = ?", array($currvalue)); $uname = $urow['lname']; if ($urow['fname']) $uname .= ", " . $urow['fname']; - $s = $uname; + $s = htmlspecialchars($uname,ENT_NOQUOTES); } // billing code else if ($data_type == 15) { - $s = $currvalue; + $s = htmlspecialchars($currvalue,ENT_NOQUOTES); } // a set of labeled checkboxes else if ($data_type == 21) { $avalue = explode('|', $currvalue); $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); $count = 0; while ($lrow = sqlFetchArray($lres)) { $option_id = $lrow['option_id']; @@ -1085,7 +1085,7 @@ function generate_display_field($frow, $currvalue) { if ($count++) $s .= "
    "; // Added 5-09 by BM - Translate label if applicable - $s .= xl_list_label($lrow['title']); + $s .= htmlspecialchars(xl_list_label($lrow['title']),ENT_NOQUOTES); } } @@ -1101,16 +1101,16 @@ function generate_display_field($frow, $currvalue) { } } $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); $s .= ""; while ($lrow = sqlFetchArray($lres)) { $option_id = $lrow['option_id']; if (empty($avalue[$option_id])) continue; // Added 5-09 by BM - Translate label if applicable - $s .= ""; + $s .= ""; - $s .= ""; + $s .= ""; } $s .= "
    " . xl_list_label($lrow['title']) . ": 
    " . htmlspecialchars(xl_list_label($lrow['title']),ENT_NOQUOTES) . ": " . $avalue[$option_id] . "
    " . htmlspecialchars($avalue[$option_id],ENT_NOQUOTES) . "
    "; } @@ -1125,7 +1125,7 @@ function generate_display_field($frow, $currvalue) { } } $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); $s .= ""; while ($lrow = sqlFetchArray($lres)) { $option_id = $lrow['option_id']; @@ -1134,13 +1134,13 @@ function generate_display_field($frow, $currvalue) { if (empty($restype) && empty($resnote)) continue; // Added 5-09 by BM - Translate label if applicable - $s .= ""; + $s .= ""; $restype = ($restype == '1') ? xl('Normal') : (($restype == '2') ? xl('Abnormal') : xl('N/A')); // $s .= ""; // $s .= ""; - $s .= ""; - $s .= ""; + $s .= ""; + $s .= ""; $s .= ""; } $s .= "
    " . xl_list_label($lrow['title']) . " 
    " . htmlspecialchars(xl_list_label($lrow['title']),ENT_NOQUOTES) . " $restype
    $resnote
    $restype $resnote" . htmlspecialchars($restype,ENT_NOQUOTES) . " " . htmlspecialchars($resnote,ENT_NOQUOTES) . "
    "; @@ -1149,15 +1149,15 @@ function generate_display_field($frow, $currvalue) { // the list of active allergies for the current patient else if ($data_type == 24) { $query = "SELECT title, comments FROM lists WHERE " . - "pid = '" . $GLOBALS['pid'] . "' AND type = 'allergy' AND enddate IS NULL " . + "pid = ? AND type = 'allergy' AND enddate IS NULL " . "ORDER BY begdate"; // echo "\n"; // debugging - $lres = sqlStatement($query); + $lres = sqlStatement($query, array($GLOBALS['pid']) ); $count = 0; while ($lrow = sqlFetchArray($lres)) { if ($count++) $s .= "
    "; - $s .= $lrow['title']; - if ($lrow['comments']) $s .= ' (' . $lrow['comments'] . ')'; + $s .= htmlspecialchars($lrow['title'],ENT_NOQUOTES); + if ($lrow['comments']) $s .= ' (' . htmlspecialchars($lrow['comments'],ENT_NOQUOTES) . ')'; } } @@ -1171,7 +1171,7 @@ function generate_display_field($frow, $currvalue) { } } $lres = sqlStatement("SELECT * FROM list_options " . - "WHERE list_id = '$list_id' ORDER BY seq, title"); + "WHERE list_id = ? ORDER BY seq, title", array($list_id) ); $s .= ""; while ($lrow = sqlFetchArray($lres)) { $option_id = $lrow['option_id']; @@ -1180,11 +1180,11 @@ function generate_display_field($frow, $currvalue) { if (empty($restype) && empty($resnote)) continue; // Added 5-09 by BM - Translate label if applicable - $s .= ""; + $s .= ""; $restype = $restype ? xl('Yes') : xl('No'); - $s .= ""; - $s .= ""; + $s .= ""; + $s .= ""; $s .= ""; } $s .= "
    " . xl_list_label($lrow['title']) . " 
    " . htmlspecialchars(xl_list_label($lrow['title']),ENT_NOQUOTES) . " $restype
    $resnote
    " . htmlspecialchars($restype,ENT_NOQUOTES) . "
    " . htmlspecialchars($resnote,ENT_NOQUOTES) . "
    "; @@ -1222,9 +1222,9 @@ function generate_display_field($frow, $currvalue) { if ($restype == "not_applicable".$field_id) $res = xl('N/A'); // $s .= "
    $restype
    $resnote
    $resnote     ".xl('Status').": ".$res." $resdate " . htmlspecialchars($resnote,ENT_NOQUOTES) . "     " . htmlspecialchars(xl('Status'),ENT_NOQUOTES) . ": " . htmlspecialchars($res,ENT_NOQUOTES) . " " . htmlspecialchars($resdate,ENT_NOQUOTES) . " 
    "; } @@ -1266,8 +1266,8 @@ function display_layout_rows($formtype, $result1, $result2='') { global $item_count, $cell_count, $last_group, $CPR; $fres = sqlStatement("SELECT * FROM layout_options " . - "WHERE form_id = '$formtype' AND uor > 0 " . - "ORDER BY group_name, seq"); + "WHERE form_id = ? AND uor > 0 " . + "ORDER BY group_name, seq", array($formtype) ); while ($frow = sqlFetchArray($fres)) { $this_group = $frow['group_name']; @@ -1317,7 +1317,7 @@ function display_layout_rows($formtype, $result1, $result2='') { //echo "$group_name"; // Added 5-09 by BM - Translate label if applicable - echo (xl_layout_label($group_name)); + echo htmlspecialchars(xl_layout_label($group_name),ENT_NOQUOTES); $group_name = ''; } else { @@ -1341,7 +1341,7 @@ function display_layout_rows($formtype, $result1, $result2='') { ++$item_count; // Added 5-09 by BM - Translate label if applicable - if ($frow['title']) echo (xl_layout_label($frow['title']).":"); else echo " "; + if ($frow['title']) echo htmlspecialchars(xl_layout_label($frow['title']).":",ENT_NOQUOTES); else echo " "; // Handle starting of a new data cell. if ($datacols > 0) { @@ -1364,8 +1364,8 @@ function display_layout_tabs($formtype, $result1, $result2='') { global $item_count, $cell_count, $last_group, $CPR; $fres = sqlStatement("SELECT distinct group_name FROM layout_options " . - "WHERE form_id = '$formtype' AND uor > 0 " . - "ORDER BY group_name, seq"); + "WHERE form_id = ? AND uor > 0 " . + "ORDER BY group_name, seq", array($formtype) ); $first = true; while ($frow = sqlFetchArray($fres)) { @@ -1373,7 +1373,7 @@ function display_layout_tabs($formtype, $result1, $result2='') { $group_name = substr($this_group, 1); ?>
  • > - +
  • 0 " . - "ORDER BY group_name, seq"); + "WHERE form_id = ? AND uor > 0 " . + "ORDER BY group_name, seq", array($formtype)); $first = true; while ($frow = sqlFetchArray($fres)) { @@ -1398,8 +1398,8 @@ function display_layout_tabs_data($formtype, $result1, $result2='') { $currvalue = ''; $group_fields_query = sqlStatement("SELECT * FROM layout_options " . - "WHERE form_id = '$formtype' AND uor > 0 AND group_name = '$this_group' " . - "ORDER BY seq"); + "WHERE form_id = ? AND uor > 0 AND group_name = ? " . + "ORDER BY seq", array($formtype, $this_group) ); ?>
    @@ -1463,7 +1463,7 @@ function display_layout_tabs_data($formtype, $result1, $result2='') { ++$item_count; // Added 5-09 by BM - Translate label if applicable - if ($group_fields['title']) echo (xl_layout_label($group_fields['title']).":"); else echo " "; + if ($group_fields['title']) echo htmlspecialchars(xl_layout_label($group_fields['title']).":",ENT_NOQUOTES); else echo " "; // Handle starting of a new data cell. if ($datacols > 0) { diff --git a/library/patient.inc b/library/patient.inc index 00f4e208ec1..c5d75a960fb 100644 --- a/library/patient.inc +++ b/library/patient.inc @@ -20,8 +20,8 @@ $PLAYER_FITNESSES = array( $PLAYER_FITCOLORS = array('#6677ff', '#00cc00', '#ffff00', '#ff3333', '#ff8800', '#ffeecc', '#ffccaa'); function getPatientData($pid, $given = "*, DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS") { - $sql = "select $given from patient_data where pid='$pid' order by date DESC limit 0,1"; - return sqlQuery($sql); + $sql = "select $given from patient_data where pid=? order by date DESC limit 0,1"; + return sqlQuery($sql, array($pid) ); } function getLanguages() { @@ -315,8 +315,8 @@ function getInsuranceDataByDate($pid, $date, $type, function getEmployerData($pid, $given = "*") { - $sql = "select $given from employer_data where pid='$pid' order by date DESC limit 0,1"; - return sqlQuery($sql); + $sql = "select $given from employer_data where pid=? order by date DESC limit 0,1"; + return sqlQuery($sql, array($pid) ); } function _set_patient_inc_count($limit, $count, $where) { 
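Review bot: `getPatientData()` and `getEmployerData()` now bind `$pid`, but `$given` is still interpolated as the SELECT column list, which parameter binding cannot cover, so both functions remain injectable through that argument if any caller ever derives it from request data. Since a dynamic column list cannot be bound, the contract should be stated at the definition rather than left implicit, e.g. `// $given is spliced into the SELECT list verbatim and cannot be bound: pass only hard-coded column expressions, never request input.` above each function.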
@@ -1346,12 +1346,12 @@ function DBToDate ($date) function get_patient_balance($pid) { if ($GLOBALS['oer_config']['ws_accounting']['enabled'] === 2) { $brow = sqlQuery("SELECT SUM(fee) AS amount FROM billing WHERE " . - "pid = '$pid' AND activity = 1"); + "pid = ? AND activity = 1", array($pid) ); $srow = sqlQuery("SELECT SUM(fee) AS amount FROM drug_sales WHERE " . - "pid = '$pid'"); + "pid = ?", array($pid) ); $drow = sqlQuery("SELECT SUM(pay_amount) AS payments, " . "SUM(adj_amount) AS adjustments FROM ar_activity WHERE " . - "pid = '$pid'"); + "pid = ?", array($pid) ); return sprintf('%01.2f', $brow['amount'] + $srow['amount'] - $drow['payments'] - $drow['adjustments']); } diff --git a/library/pnotes.inc b/library/pnotes.inc index 2c3dcad013a..3a302b37dd0 100644 --- a/library/pnotes.inc +++ b/library/pnotes.inc 
@@ -18,27 +18,32 @@ function getPnoteById($id, $cols = "*") function getPnotesByDate($date, $activity = "1", $cols = "*", $pid = "%", $limit = "all", $start = 0, $username = '', $docid = 0, $status = "") { +$sqlParameterArray = array(); if ($docid) { $sql = "SELECT $cols FROM pnotes AS p, gprelations AS r " . - "WHERE p.date LIKE '%$date%' AND r.type1 = 1 AND " . - "r.id1 = '$docid' AND r.type2 = 6 AND p.id = r.id2"; + "WHERE p.date LIKE ? AND r.type1 = 1 AND " . + "r.id1 = ? AND r.type2 = 6 AND p.id = r.id2"; + array_push($sqlParameterArray, '%'.$date.'%', $docid); } else { $sql = "SELECT $cols FROM pnotes AS p " . - "WHERE date LIKE '%$date%' AND pid LIKE '$pid'"; + "WHERE date LIKE ? AND pid LIKE ?"; + array_push($sqlParameterArray, '%'.$date.'%', $pid); } $sql .= " AND deleted != 1"; // exclude ALL deleted notes if ($activity != "all") $sql .= " AND activity = '$activity'"; - if ($username) - $sql .= " AND assigned_to LIKE '$username'"; + if ($username) { + $sql .= " AND assigned_to LIKE ?"; + array_push($sqlParameterArray, $username); + } if ($status) $sql .= " AND message_status IN ('".str_replace(",", "','", $status)."')"; $sql .= " ORDER BY date DESC"; if($limit != "all") $sql .= " LIMIT $start, $limit"; - $res = sqlStatement($sql); + $res = sqlStatement($sql, $sqlParameterArray); for ($iter = 0;$row = sqlFetchArray($res);$iter++) $all[$iter] = $row;