diff --git a/interface/main/authorizations/authorizations.php b/interface/main/authorizations/authorizations.php
index 9e1172ccc32..7d8235e4880 100644
--- a/interface/main/authorizations/authorizations.php
+++ b/interface/main/authorizations/authorizations.php
@@ -1,4 +1,13 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 include_once("../../globals.php");
 include_once("$srcdir/log.inc");
 include_once("$srcdir/billing.inc");
@@ -14,8 +23,7 @@
 // increase to a high number to make the mini frame more useful.
 $N = 50;
 
-$atemp = sqlQuery("SELECT see_auth FROM users WHERE username = '" .
-  $_SESSION['authUser'] . "'");
+$atemp = sqlQuery("SELECT see_auth FROM users WHERE username = ?", array($_SESSION['authUser']) );
 $see_auth = $atemp['see_auth'];
 
 $imauthorized = $_SESSION['userauthorized'] || $see_auth > 2;
@@ -24,13 +32,10 @@
 if (isset($_GET["mode"]) && $_GET["mode"] == "authorize" && $imauthorized) {
   $retVal = getProviderId($_SESSION['authUser']);	
   newEvent("authorize", $_SESSION["authUser"], $_SESSION["authProvider"], 1, $_GET["pid"]);
-  // sqlStatement("update billing set authorized=1, provider_id = '" .
-  //   mysql_real_escape_string($retVal[0]['id']) .
-  //   "' where pid='" . $_GET["pid"] . "'");
-  sqlStatement("update billing set authorized=1 where pid='" . $_GET["pid"] . "'");
-  sqlStatement("update forms set authorized=1 where pid='" . $_GET["pid"] . "'");
-  sqlStatement("update pnotes set authorized=1 where pid='" . $_GET["pid"] . "'");
-  sqlStatement("update transactions set authorized=1 where pid='" . $_GET["pid"] . "'");
+  sqlStatement("update billing set authorized=1 where pid=?", array($_GET["pid"]) );
+  sqlStatement("update forms set authorized=1 where pid=?", array($_GET["pid"]) );
+  sqlStatement("update pnotes set authorized=1 where pid=?", array($_GET["pid"]) );
+  sqlStatement("update transactions set authorized=1 where pid=?", array($_GET["pid"]) );
 }
 ?>
 <html>
@@ -73,7 +78,7 @@
 <?php } else { ?>
 <a href='authorizations_full.php' target='Main'>
 <?php } ?>
-<?php xl('Authorizations','e')?> <span class='more'><?php echo $tmore;?></span></a>
+<?php echo htmlspecialchars(xl('Authorizations'),ENT_NOQUOTES); ?> <span class='more'><?php echo htmlspecialchars($tmore,ENT_NOQUOTES); ?></span></a>
 <?php 
 	}
 ?>
@@ -81,7 +86,7 @@
 
 <?php if (!$GLOBALS['concurrent_layout']) { ?>
 <span class='more'> &nbsp;
-<a href="#" id="findpatients" name='Find Patients'>(<?php xl('Find Patient','e')?>)</a>
+<a href="#" id="findpatients" name='Find Patients'>(<?php echo htmlspecialchars(xl('Find Patient'),ENT_NOQUOTES); ?>)</a>
 </span>
 <?php } ?>
 
@@ -98,70 +103,65 @@
 if ($res = sqlStatement("select *, concat(u.fname,' ', u.lname) as user " .
   "from billing LEFT JOIN users as u on billing.user = u.id where " .
   "billing.authorized = 0 and billing.activity = 1 and " .
-  "groupname = '$groupname'"))
+  "groupname = ?", array($groupname) ))
 {
   for ($iter = 0;$row = sqlFetchArray($res);$iter++)
     $result1[$iter] = $row;
   if ($result1) {
     foreach ($result1 as $iter) {
       $authorize{$iter{"pid"}}{"billing"} .= "<span class=text>" .
-        $iter{"code_text"} . " " . date("n/j/Y",strtotime($iter{"date"})) .
+        htmlspecialchars($iter{"code_text"} . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
         "</span><br>\n";
     }
-    //$authorize[$iter{"pid"}]{"billing"} = substr($authorize[$iter{"pid"}]{"billing"},0,strlen($authorize[$iter{"pid"}]{"billing"}));
   }
 }
 
 //fetch transaction information:
 if ($res = sqlStatement("select * from transactions where " .
-  "authorized = 0 and groupname = '$groupname'"))
+  "authorized = 0 and groupname = ?", array($groupname) ))
 {
   for ($iter = 0;$row = sqlFetchArray($res);$iter++)
     $result2[$iter] = $row;
   if ($result2) {
     foreach ($result2 as $iter) {
       $authorize{$iter{"pid"}}{"transaction"} .= "<span class=text>" .
-        $iter{"title"} . ": " . stripslashes(strterm($iter{"body"},25)) .
-        " " . date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
+        htmlspecialchars($iter{"title"} . ": " . (strterm($iter{"body"},25)) . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
+	"</span><br>\n";
     }
-    //$authorize[$iter{"pid"}]{"transaction"} = substr($authorize[$iter{"pid"}]{"transaction"},0,strlen($authorize[$iter{"pid"}]{"transaction"}));
   }
 }
 
 if (empty($GLOBALS['ignore_pnotes_authorization'])) {
   //fetch pnotes information:
   if ($res = sqlStatement("select * from pnotes where authorized = 0 and " .
-    "groupname = '$groupname'"))
+    "groupname = ?", array($groupname) ))
   {
     for ($iter = 0;$row = sqlFetchArray($res);$iter++)
       $result3[$iter] = $row;
     if ($result3) {
       foreach ($result3 as $iter) {
         $authorize{$iter{"pid"}}{"pnotes"} .= "<span class=text>" .
-          stripslashes(strterm($iter{"body"},25)) . " " .
-          date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
+          htmlspecialchars((strterm($iter{"body"},25)) . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
+	  "</span><br>\n";
       }
-      // $authorize[$iter{"pid"}]{"pnotes"} = substr($authorize[$iter{"pid"}]{"pnotes"},0,strlen($authorize[$iter{"pid"}]{"pnotes"}));
     }
   }
 }
 
 //fetch forms information:
 if ($res = sqlStatement("select * from forms where authorized = 0 and " .
-  "groupname = '$groupname'"))
+  "groupname = ?", array($groupname) ))
 {
   for ($iter = 0;$row = sqlFetchArray($res);$iter++)
     $result4[$iter] = $row;
   if ($result4) {
     foreach ($result4 as $iter) {
       $authorize{$iter{"pid"}}{"forms"} .= "<span class=text>" .
-        $iter{"form_name"} . " " . date("n/j/Y",strtotime($iter{"date"})) .
+        htmlspecialchars($iter{"form_name"} . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
         "</span><br>\n";
     }
-    // $authorize[$iter{"pid"}]{"forms"} = substr($authorize[$iter{"pid"}]{"forms"},0,strlen($authorize[$iter{"pid"}]{"forms"}));
   }
 }
-// echo "HERE"; // what the heck was this for?
 ?>
 
 <table border='0' cellpadding='0' cellspacing='2' width='100%'>
@@ -183,7 +183,7 @@
       print "<tr><td colspan='5' align='center'><a" .
         ($GLOBALS['concurrent_layout'] ? "" : " target='Main'") .
         " href='authorizations_full.php?active=1' class='alert'>" .
-        xl('Some authorizations were not displayed. Click here to view all') .
+        htmlspecialchars(xl('Some authorizations were not displayed. Click here to view all'),ENT_NOQUOTES) .
         "</a></td></tr>\n";
       break;
     }
@@ -193,42 +193,41 @@
       // Clicking the patient name will load both frames for that patient,
       // as demographics.php takes care of loading the bottom frame.
 
-        echo "<a href='$rootdir/patient_file/summary/demographics.php?set_pid=$ppid' " .
-          "target='RTop'>";
+        echo "<a href='$rootdir/patient_file/summary/demographics.php?set_pid=" .
+	  htmlspecialchars($ppid,ENT_QUOTES) . "' target='RTop'>";
 
     } else {
-      echo "<a href='$rootdir/patient_file/patient_file.php?set_pid=$ppid' " .
-        "target='_top'>";
+      echo "<a href='$rootdir/patient_file/patient_file.php?set_pid=" .
+	htmlspecialchars($ppid,ENT_QUOTES) . "' target='_top'>";
     }
-    echo "<span class='bold'>" . $name{"fname"} . " " .
-      $name{"lname"} . "</span></a><br>" .
+    echo "<span class='bold'>" . htmlspecialchars($name{"fname"},ENT_NOQUOTES) . " " .
+      htmlspecialchars($name{"lname"},ENT_NOQUOTES) . "</span></a><br>" .
       "<a class=link_submit href='authorizations.php?mode=authorize" .
-      "&pid=$ppid'>" . xl('Authorize') . "</a></td>\n";
+      "&pid=" . htmlspecialchars($ppid,ENT_QUOTES) . "'>" .
+      htmlspecialchars(xl('Authorize'),ENT_NOQUOTES) . "</a></td>\n";
 
     /****
     //Michael A Rowley MD 20041012.
     // added below 4 lines to add provider to authorizations for ez reference.
     $providerID = sqlFetchArray(sqlStatement(
-      "select providerID from patient_data where pid=$ppid"));
+      "select providerID from patient_data where pid=?", array($ppid) ));
     $userID=$providerID{"providerID"};
     $providerName = sqlFetchArray(sqlStatement(
-      "select lname from users where id=$userID"));
+      "select lname from users where id=?", array($userID) ));
     ****/
     // Don't use sqlQuery because there might be no match.
     $providerName = sqlFetchArray(sqlStatement(
-      "select lname from users where id = '" . $name['providerID'] . "'"));
-    /****/
-
-    echo "<td valign=top><span class=bold>".xl('Provider').":</span><span class=text><br>" .
-      $providerName{"lname"} . "</td>\n";
-    //  ha ha, see if that works....mar.
-    echo "<td valign=top><span class=bold>".xl('Billing').":</span><span class=text><br>" .
+      "select lname from users where id = ?", array($name['providerID']) ));
+      
+    echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Provider'),ENT_NOQUOTES).":</span><span class=text><br>" .
+      htmlspecialchars($providerName{"lname"},ENT_NOQUOTES) . "</td>\n";
+    echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Billing'),ENT_NOQUOTES).":</span><span class=text><br>" .
       $patient{"billing"} . "</td>\n";
-    echo "<td valign=top><span class=bold>".xl('Transactions').":</span><span class=text><br>" .
+    echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Transactions'),ENT_NOQUOTES).":</span><span class=text><br>" .
       $patient{"transaction"} . "</td>\n";
-    echo "<td valign=top><span class=bold>".xl('Patient Notes').":</span><span class=text><br>" .
+    echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Patient Notes'),ENT_NOQUOTES).":</span><span class=text><br>" .
       $patient{"pnotes"} . "</td>\n";
-    echo "<td valign=top><span class=bold>".xl('Encounter Forms').":</span><span class=text><br>" .
+    echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Encounter Forms'),ENT_NOQUOTES).":</span><span class=text><br>" .
       $patient{"forms"} . "</td>\n";
     echo "</tr>\n";
 
@@ -288,7 +287,7 @@
     <?php endif; ?>
 <?php else: ?>
     // no-op
-    alert("<?php xl('You do not have access to view/edit this note','e'); ?>");
+    alert("<?php echo htmlspecialchars(xl('You do not have access to view/edit this note'),ENT_QUOTES); ?>");
 <?php endif; ?>
 }
 
diff --git a/interface/main/authorizations/authorizations_full.php b/interface/main/authorizations/authorizations_full.php
index 551f689daec..b61c5c09778 100644
--- a/interface/main/authorizations/authorizations_full.php
+++ b/interface/main/authorizations/authorizations_full.php
@@ -1,13 +1,22 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 include_once("../../globals.php");
 include_once("$srcdir/patient.inc");
 
 if (isset($_GET["mode"]) && $_GET["mode"] == "authorize") {
 newEvent("authorize",$_SESSION["authUser"],$_SESSION["authProvider"],1,$_GET["pid"]);
-sqlStatement("update billing set authorized=1 where pid='".$_GET["pid"]."'");
-sqlStatement("update forms set authorized=1 where pid='".$_GET["pid"]."'");
-sqlStatement("update pnotes set authorized=1 where pid='".$_GET["pid"]."'");
-sqlStatement("update transactions set authorized=1 where pid='".$_GET["pid"]."'");
+sqlStatement("update billing set authorized=1 where pid=?", array($_GET["pid"]) );
+sqlStatement("update forms set authorized=1 where pid=?", array($_GET["pid"]) );
+sqlStatement("update pnotes set authorized=1 where pid=?", array($_GET["pid"]) );
+sqlStatement("update transactions set authorized=1 where pid=?", array($_GET["pid"]) );
 
 }
 ?>
@@ -23,8 +32,8 @@
 <?php } else { ?>
 <a href="../main.php" target=Main>
 <?php } ?>
-<font class=title><?php xl('Authorizations','e'); ?></font>
-<font class=more><?php echo $tback;?></font></a>
+<font class=title><?php echo htmlspecialchars(xl('Authorizations'),ENT_NOQUOTES); ?></font>
+<font class=more><?php echo htmlspecialchars($tback,ENT_NOQUOTES); ?></font></a>
 
 <?php
 //	billing
@@ -33,68 +42,71 @@
 //	transactions
 
 //fetch billing information:
-if ($res = sqlStatement("select *, concat(u.fname,' ', u.lname) as user from billing LEFT JOIN users as u on billing.user = u.id where billing.authorized=0 and groupname='$groupname'")) {
+if ($res = sqlStatement("select *, concat(u.fname,' ', u.lname) as user from billing LEFT JOIN users as u on billing.user = u.id where billing.authorized=0 and groupname=?", array ($groupname) )) {
 for ($iter = 0;$row = sqlFetchArray($res);$iter++)
 		$result[$iter] = $row;
 
 if ($result) {
 foreach ($result as $iter) {
 
-$authorize{$iter{"pid"}}{"billing"} .= "<span class=small>" . $iter{"user"} . ": </span><span class=text>" . $iter{"code_text"} . " " . date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
+$authorize{$iter{"pid"}}{"billing"} .= "<span class=small>" .
+      htmlspecialchars($iter{"user"},ENT_NOQUOTES) . ": </span><span class=text>" .
+      htmlspecialchars($iter{"code_text"} . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
+      "</span><br>\n";
 
 }
 
-//$authorize[$iter{"pid"}]{"billing"} = substr($authorize[$iter{"pid"}]{"billing"},0,strlen($authorize[$iter{"pid"}]{"billing"}));
-
 }
 }
 
 //fetch transaction information:
-if ($res = sqlStatement("select * from transactions where authorized=0 and groupname='$groupname'")) {
+if ($res = sqlStatement("select * from transactions where authorized=0 and groupname=?", array($groupname) )) {
 for ($iter = 0;$row = sqlFetchArray($res);$iter++)
 		$result2[$iter] = $row;
 
 if ($result2) {
 foreach ($result2 as $iter) {
 
-$authorize{$iter{"pid"}}{"transaction"} .= "<span class=small>" . $iter{"user"} . ": </span><span class=text>" . $iter{"title"} . ": " . strterm($iter{"body"},25) . " " . date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
+$authorize{$iter{"pid"}}{"transaction"} .= "<span class=small>" .
+      htmlspecialchars($iter{"user"},ENT_NOQUOTES) . ": </span><span class=text>" .
+      htmlspecialchars($iter{"title"} . ": " . strterm($iter{"body"},25) . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
+      "</span><br>\n";
 
 }
 
-//$authorize[$iter{"pid"}]{"transaction"} = substr($authorize[$iter{"pid"}]{"transaction"},0,strlen($authorize[$iter{"pid"}]{"transaction"}));
-
 }
 }
 
 if (empty($GLOBALS['ignore_pnotes_authorization'])) {
   //fetch pnotes information, exclude ALL deleted notes
-  if ($res = sqlStatement("select * from pnotes where authorized=0 and deleted!=1 and groupname='$groupname'")) {
+  if ($res = sqlStatement("select * from pnotes where authorized=0 and deleted!=1 and groupname=?", array($groupname) )) {
     for ($iter = 0;$row = sqlFetchArray($res);$iter++) $result3[$iter] = $row;
     if ($result3) {
       foreach ($result3 as $iter) {
         $authorize{$iter{"pid"}}{"pnotes"} .= "<span class=small>" .
-          $iter{"user"} . ": </span><span class=text>" .
-          strterm($iter{"body"},25) . " " .
-          date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
+          htmlspecialchars($iter{"user"},ENT_NOQUOTES) . ": </span><span class=text>" .
+          htmlspecialchars(strterm($iter{"body"},25) . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
+	  "</span><br>\n";
       }
     }
   }
 }
 
 //fetch forms information:
-if ($res = sqlStatement("select * from forms where authorized=0 and groupname='$groupname'")) {
+if ($res = sqlStatement("select * from forms where authorized=0 and groupname=?", array($groupname) )) {
 for ($iter = 0;$row = sqlFetchArray($res);$iter++)
 		$result4[$iter] = $row;
 
 if ($result4) {
 foreach ($result4 as $iter) {
 
-$authorize{$iter{"pid"}}{"forms"} .= "<span class=small>" . $iter{"user"} . ": </span><span class=text>" . $iter{"form_name"} . " " . date("n/j/Y",strtotime($iter{"date"})) . "</span><br>\n";
+$authorize{$iter{"pid"}}{"forms"} .= "<span class=small>" .
+      htmlspecialchars($iter{"user"},ENT_NOQUOTES) . ": </span><span class=text>" .
+      htmlspecialchars($iter{"form_name"} . " " . date("n/j/Y",strtotime($iter{"date"})),ENT_NOQUOTES) .
+      "</span><br>\n";
 
 }
 
-//$authorize[$iter{"pid"}]{"forms"} = substr($authorize[$iter{"pid"}]{"forms"},0,strlen($authorize[$iter{"pid"}]{"forms"}));
-
 }
 }
 ?>
@@ -110,14 +122,17 @@
 	
 	$name = getPatientData($ppid);
 	
-	echo "<tr><td valign=top><span class=bold>". $name{"fname"} . " " . $name{"lname"} ."</span><br><a class=link_submit href='authorizations_full.php?mode=authorize&pid=$ppid'>".xl('Authorize')."</a></td>\n";
-	echo "<td valign=top><span class=bold>".xl('Billing').":</span><span class=text><br>" . $patient{"billing"} . "</td>\n";
-	
-	echo "<td valign=top><span class=bold>".xl('Transactions').":</span><span class=text><br>" . $patient{"transaction"} . "</td>\n";
-	
-	echo "<td valign=top><span class=bold>".xl('Patient Notes').":</span><span class=text><br>" . $patient{"pnotes"} . "</td>\n";
-	
-	echo "<td valign=top><span class=bold>".xl('Encounter Forms').":</span><span class=text><br>" . $patient{"forms"} . "</td>\n";
+	echo "<tr><td valign=top><span class=bold>". htmlspecialchars($name{"fname"} . " " . $name{"lname"},ENT_NOQUOTES) .
+             "</span><br><a class=link_submit href='authorizations_full.php?mode=authorize&pid=" .
+             htmlspecialchars($ppid,ENT_QUOTES) . "'>" . htmlspecialchars(xl('Authorize'),ENT_NOQUOTES) . "</a></td>\n";
+	echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Billing'),ENT_NOQUOTES).
+             ":</span><span class=text><br>" . $patient{"billing"} . "</td>\n";
+	echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Transactions'),ENT_NOQUOTES).
+             ":</span><span class=text><br>" . $patient{"transaction"} . "</td>\n";
+	echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Patient Notes'),ENT_NOQUOTES).
+             ":</span><span class=text><br>" . $patient{"pnotes"} . "</td>\n";
+	echo "<td valign=top><span class=bold>".htmlspecialchars(xl('Encounter Forms'),ENT_NOQUOTES).
+             ":</span><span class=text><br>" . $patient{"forms"} . "</td>\n";
 	echo "</tr>\n";
 	$count++;
 }
diff --git a/library/patient.inc b/library/patient.inc
index c5d75a960fb..371743995cc 100644
--- a/library/patient.inc
+++ b/library/patient.inc
@@ -266,8 +266,8 @@ function getProviderName($providerID) {
 }
 
 function getProviderId($providerName) {
-    $query = "select id from users where username = '". mysql_real_escape_string($providerName)."'";
-    $rez = sqlStatement($query);
+    $query = "select id from users where username = ?";
+    $rez = sqlStatement($query, array($providerName) );
     for($iter=0; $row=sqlFetchArray($rez); $iter++)
         $returnval[$iter]=$row;
     return $returnval;

" . - xl('Some authorizations were not displayed. Click here to view all') . + htmlspecialchars(xl('Some authorizations were not displayed. Click here to view all'),ENT_NOQUOTES) . "
".xl('Provider').": " . - $providerName{"lname"} . "	".xl('Billing').": " . + "select lname from users where id = ?", array($name['providerID']) )); + + echo "	".htmlspecialchars(xl('Provider'),ENT_NOQUOTES).": " . + htmlspecialchars($providerName{"lname"},ENT_NOQUOTES) . "	".htmlspecialchars(xl('Billing'),ENT_NOQUOTES).": " . $patient{"billing"} . "	".xl('Transactions').": " . + echo "	".htmlspecialchars(xl('Transactions'),ENT_NOQUOTES).": " . $patient{"transaction"} . "	".xl('Patient Notes').": " . + echo "	".htmlspecialchars(xl('Patient Notes'),ENT_NOQUOTES).": " . $patient{"pnotes"} . "	".xl('Encounter Forms').": " . + echo "	".htmlspecialchars(xl('Encounter Forms'),ENT_NOQUOTES).": " . $patient{"forms"} . "
". $name{"fname"} . " " . $name{"lname"} ." ".xl('Authorize')."	".xl('Billing').": " . $patient{"billing"} . "	".xl('Transactions').": " . $patient{"transaction"} . "	".xl('Patient Notes').": " . $patient{"pnotes"} . "	".xl('Encounter Forms').": " . $patient{"forms"} . "
". htmlspecialchars($name{"fname"} . " " . $name{"lname"},ENT_NOQUOTES) . + " " . htmlspecialchars(xl('Authorize'),ENT_NOQUOTES) . "	".htmlspecialchars(xl('Billing'),ENT_NOQUOTES). + ": " . $patient{"billing"} . "	".htmlspecialchars(xl('Transactions'),ENT_NOQUOTES). + ": " . $patient{"transaction"} . "	".htmlspecialchars(xl('Patient Notes'),ENT_NOQUOTES). + ": " . $patient{"pnotes"} . "	".htmlspecialchars(xl('Encounter Forms'),ENT_NOQUOTES). + ": " . $patient{"forms"} . "