diff --git a/interface/main/authorizations/authorizations.php b/interface/main/authorizations/authorizations.php
index 9e1172ccc32..7d8235e4880 100644
--- a/interface/main/authorizations/authorizations.php
+++ b/interface/main/authorizations/authorizations.php
@@ -1,4 +1,13 @@
2;
@@ -24,13 +32,10 @@
if (isset($_GET["mode"]) && $_GET["mode"] == "authorize" && $imauthorized) {
$retVal = getProviderId($_SESSION['authUser']);
newEvent("authorize", $_SESSION["authUser"], $_SESSION["authProvider"], 1, $_GET["pid"]);
- // sqlStatement("update billing set authorized=1, provider_id = '" .
- // mysql_real_escape_string($retVal[0]['id']) .
- // "' where pid='" . $_GET["pid"] . "'");
- sqlStatement("update billing set authorized=1 where pid='" . $_GET["pid"] . "'");
- sqlStatement("update forms set authorized=1 where pid='" . $_GET["pid"] . "'");
- sqlStatement("update pnotes set authorized=1 where pid='" . $_GET["pid"] . "'");
- sqlStatement("update transactions set authorized=1 where pid='" . $_GET["pid"] . "'");
+ sqlStatement("update billing set authorized=1 where pid=?", array($_GET["pid"]) );
+ sqlStatement("update forms set authorized=1 where pid=?", array($_GET["pid"]) );
+ sqlStatement("update pnotes set authorized=1 where pid=?", array($_GET["pid"]) );
+ sqlStatement("update transactions set authorized=1 where pid=?", array($_GET["pid"]) );
}
?>
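Review bot: The authorize branch now updates four tables on a plain GET request gated only by `$imauthorized`; binding `$_GET["pid"]` closes the SQL injection, but unless a request token is verified above this hunk the action should also require a POST carrying a CSRF token, since a state change reachable by URL alone is still forgeable. `$retVal = getProviderId($_SESSION['authUser'])` on the second line is now an unused assignment — its only consumer was the commented-out UPDATE this hunk deletes — so that line can go. `pid` is also bound unvalidated in all four statements; casting once up front, `$pid = (int) $_GET["pid"];`, and passing `array($pid)` everywhere rejects non-numeric input early and keeps the four calls consistent. `$imauthorized` appears to be set above the hunk, so its definition is not visible here.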
@@ -73,7 +78,7 @@
-
+
@@ -81,7 +86,7 @@
-()
+()
@@ -98,70 +103,65 @@
if ($res = sqlStatement("select *, concat(u.fname,' ', u.lname) as user " .
"from billing LEFT JOIN users as u on billing.user = u.id where " .
"billing.authorized = 0 and billing.activity = 1 and " .
- "groupname = '$groupname'"))
+ "groupname = ?", array($groupname) ))
{
for ($iter = 0;$row = sqlFetchArray($res);$iter++)
$result1[$iter] = $row;
if ($result1) {
foreach ($result1 as $iter) {
$authorize{$iter{"pid"}}{"billing"} .= "" .
- $iter{"code_text"} . " " . date("n/j/Y",strtotime($iter{"date"})) .
+ htmlspecialchars($iter{"code_text"} . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
"
\n";
}
- //$authorize[$iter{"pid"}]{"billing"} = substr($authorize[$iter{"pid"}]{"billing"},0,strlen($authorize[$iter{"pid"}]{"billing"}));
}
}
//fetch transaction information:
if ($res = sqlStatement("select * from transactions where " .
- "authorized = 0 and groupname = '$groupname'"))
+ "authorized = 0 and groupname = ?", array($groupname) ))
{
for ($iter = 0;$row = sqlFetchArray($res);$iter++)
$result2[$iter] = $row;
if ($result2) {
foreach ($result2 as $iter) {
$authorize{$iter{"pid"}}{"transaction"} .= "" .
- $iter{"title"} . ": " . stripslashes(strterm($iter{"body"},25)) .
- " " . date("n/j/Y",strtotime($iter{"date"})) . "
\n";
+ htmlspecialchars($iter{"title"} . ": " . (strterm($iter{"body"},25)) . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
+ "
\n";
}
- //$authorize[$iter{"pid"}]{"transaction"} = substr($authorize[$iter{"pid"}]{"transaction"},0,strlen($authorize[$iter{"pid"}]{"transaction"}));
}
}
if (empty($GLOBALS['ignore_pnotes_authorization'])) {
//fetch pnotes information:
if ($res = sqlStatement("select * from pnotes where authorized = 0 and " .
- "groupname = '$groupname'"))
+ "groupname = ?", array($groupname) ))
{
for ($iter = 0;$row = sqlFetchArray($res);$iter++)
$result3[$iter] = $row;
if ($result3) {
foreach ($result3 as $iter) {
$authorize{$iter{"pid"}}{"pnotes"} .= "" .
- stripslashes(strterm($iter{"body"},25)) . " " .
- date("n/j/Y",strtotime($iter{"date"})) . "
\n";
+ htmlspecialchars((strterm($iter{"body"},25)) . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
+ "
\n";
}
- // $authorize[$iter{"pid"}]{"pnotes"} = substr($authorize[$iter{"pid"}]{"pnotes"},0,strlen($authorize[$iter{"pid"}]{"pnotes"}));
}
}
}
//fetch forms information:
if ($res = sqlStatement("select * from forms where authorized = 0 and " .
- "groupname = '$groupname'"))
+ "groupname = ?", array($groupname) ))
{
for ($iter = 0;$row = sqlFetchArray($res);$iter++)
$result4[$iter] = $row;
if ($result4) {
foreach ($result4 as $iter) {
$authorize{$iter{"pid"}}{"forms"} .= "" .
- $iter{"form_name"} . " " . date("n/j/Y",strtotime($iter{"date"})) .
+ htmlspecialchars($iter{"form_name"} . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
"
\n";
}
- // $authorize[$iter{"pid"}]{"forms"} = substr($authorize[$iter{"pid"}]{"forms"},0,strlen($authorize[$iter{"pid"}]{"forms"}));
}
}
-// echo "HERE"; // what the heck was this for?
?>
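Review bot: The four `htmlspecialchars(..., ENT_NOQUOTES)` calls added in this hunk pass no charset, so the encoding assumed depends on the PHP version's default (ISO-8859-1 before 5.4, UTF-8 from 5.4 on), and `ENT_NOQUOTES` leaves both `"` and `'` unescaped. The `$authorize{pid}{...}` accumulators built here appear to be echoed later in this file without further escaping, so these calls are the only escape layer for billing, transaction, note and form text; `htmlspecialchars($text, ENT_QUOTES, 'UTF-8')` in all four places would make the context explicit and not rely on the default. The `stripslashes()` wrappers around `strterm($iter{"body"},25)` were dropped at the same time; if stored bodies still contain escaped slashes the displayed text changes, which deserves a line in the commit message. Separately, `strtotime($iter{"date"})` returns false on an unparsable date and `date()` then silently prints 12/31/1969; that predates this change but sits on the lines being rewritten, so a guard such as `$ts = strtotime($iter{"date"}); $when = $ts ? date("n/j/Y", $ts) : '';` would fit here.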
" . - xl('Some authorizations were not displayed. Click here to view all') . + htmlspecialchars(xl('Some authorizations were not displayed. Click here to view all'),ENT_NOQUOTES) . " | ".xl('Provider').": " . - $providerName{"lname"} . " | \n";
- // ha ha, see if that works....mar.
- echo "".xl('Billing').": " . + "select lname from users where id = ?", array($name['providerID']) )); + + echo " | ".htmlspecialchars(xl('Provider'),ENT_NOQUOTES).": " . + htmlspecialchars($providerName{"lname"},ENT_NOQUOTES) . " | \n";
+ echo "".htmlspecialchars(xl('Billing'),ENT_NOQUOTES).": " . $patient{"billing"} . " | \n";
- echo "".xl('Transactions').": " . + echo " | ".htmlspecialchars(xl('Transactions'),ENT_NOQUOTES).": " . $patient{"transaction"} . " | \n";
- echo "".xl('Patient Notes').": " . + echo " | ".htmlspecialchars(xl('Patient Notes'),ENT_NOQUOTES).": " . $patient{"pnotes"} . " | \n";
- echo "".xl('Encounter Forms').": " . + echo " | ".htmlspecialchars(xl('Encounter Forms'),ENT_NOQUOTES).": " . $patient{"forms"} . " | \n";
echo "\n";
@@ -288,7 +287,7 @@
// no-op
- alert("");
+ alert("");
}
diff --git a/interface/main/authorizations/authorizations_full.php b/interface/main/authorizations/authorizations_full.php
index 551f689daec..b61c5c09778 100644
--- a/interface/main/authorizations/authorizations_full.php
+++ b/interface/main/authorizations/authorizations_full.php
@@ -1,13 +1,22 @@
@@ -23,8 +32,8 @@
-
-
+
+
" . $iter{"user"} . ": " . $iter{"code_text"} . " " . date("n/j/Y",strtotime($iter{"date"})) . "
". $name{"fname"} . " " . $name{"lname"} ." ".xl('Authorize')." | \n";
- echo "".xl('Billing').": " . $patient{"billing"} . " | \n";
-
- echo "".xl('Transactions').": " . $patient{"transaction"} . " | \n";
-
- echo "".xl('Patient Notes').": " . $patient{"pnotes"} . " | \n";
-
- echo "".xl('Encounter Forms').": " . $patient{"forms"} . " | \n";
+ echo "
". htmlspecialchars($name{"fname"} . " " . $name{"lname"},ENT_NOQUOTES) .
+ " " . htmlspecialchars(xl('Authorize'),ENT_NOQUOTES) . " | \n";
+ echo "".htmlspecialchars(xl('Billing'),ENT_NOQUOTES).
+ ": " . $patient{"billing"} . " | \n";
+ echo "".htmlspecialchars(xl('Transactions'),ENT_NOQUOTES).
+ ": " . $patient{"transaction"} . " | \n";
+ echo "".htmlspecialchars(xl('Patient Notes'),ENT_NOQUOTES).
+ ": " . $patient{"pnotes"} . " | \n";
+ echo "".htmlspecialchars(xl('Encounter Forms'),ENT_NOQUOTES).
+ ": " . $patient{"forms"} . " | \n";
echo "