diff --git a/custom/referral_template.html b/custom/referral_template.html
index c111eef30c3..98f5cc11890 100644
--- a/custom/referral_template.html
+++ b/custom/referral_template.html
@@ -87,7 +87,7 @@
{label_date} |
- {ref_refer_date} |
+ {ref_refer_date} |
@@ -175,7 +175,7 @@
{label_date} |
- {ref_refer_date} |
+ {ref_refer_date} |
diff --git a/interface/patient_file/history/history_title.php b/interface/patient_file/history/history_title.php
index 5422997107c..9054cce7cd9 100644
--- a/interface/patient_file/history/history_title.php
+++ b/interface/patient_file/history/history_title.php
@@ -1,4 +1,13 @@
get_phone()) $info .= ', Pharm: ' . $pharmacy->get_phone();
+ if ($pharmacy->get_phone()) $info .= ', ' . xl('Pharm') . ': ' . $pharmacy->get_phone();
}
+
+ //escape variables for output (to prevent xss attacks)
+ $patient_esc = htmlspecialchars( $result{"fname"} . " " . $result{"lname"}, ENT_NOQUOTES);
+ $info_esc = htmlspecialchars( $info, ENT_NOQUOTES);
+ $provider_esc = htmlspecialchars( $provider_results{"fname"}.' '.$provider_results{"lname"}, ENT_NOQUOTES);
?>
-
- ()
+
+ ()
|
-
- :
+ |
+ :
|
-
+ |
|
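Review bot: The three new `htmlspecialchars(..., ENT_NOQUOTES)` calls leave both `"` and `'` unescaped, so `$patient_esc`, `$info_esc` and `$provider_esc` are only safe when written as element text, not inside an attribute such as `title="…"` or `value="…"`; the markup that consumes them is not legible in this hunk, so I cannot confirm which context applies. Unless text-node output is certain for all three, `ENT_QUOTES` with an explicit charset is the safer default, e.g. `$patient_esc = htmlspecialchars($result{"fname"} . " " . $result{"lname"}, ENT_QUOTES, 'UTF-8');` and likewise for the other two. The `$result{"fname"}` curly-brace offset form also reads oddly; `$result['fname']` is the conventional spelling. The `if ($pharmacy->...)` statement that opens the hunk appears truncated in this rendering and begins before it.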
diff --git a/interface/patient_file/transaction/add_transaction.php b/interface/patient_file/transaction/add_transaction.php
index 8d86292081a..20fe63a7c81 100644
--- a/interface/patient_file/transaction/add_transaction.php
+++ b/interface/patient_file/transaction/add_transaction.php
@@ -2,6 +2,14 @@
// add_transaction is a misnomer, as this script will now also edit
// existing transactions.
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
require_once("../../globals.php");
require_once("$srcdir/transactions.inc");
require_once("$srcdir/options.inc.php");
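Review bot: The bare `//` lines following `$sanitize_all_escapes=true;` and `$fake_register_globals=false;` are empty comments that add nothing; the block reads more cleanly as two assignments with one explanatory comment each, e.g. `// Input is escaped at the point of use, not globally` above the first. Both flags sit ahead of `require_once("../../globals.php")`, which is presumably what reads them, so their position should be preserved by anyone reordering the header.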
@@ -17,18 +25,15 @@
$body_onload_code="";
if ($inmode) { /* For edit func */
$inedit = sqlStatement("SELECT * FROM transactions " .
- "WHERE id = '".$transid."'");
+ "WHERE id = ?", array($transid) );
while ($inmoderow = sqlFetchArray($inedit)) {
$body = $inmoderow['body'];
}
}
if ($mode) {
- $sets =
- "title='" . $_POST['title'] . "'" .
- ", user = '" . $_SESSION['authUser'] . "'" .
- ", groupname = '" . $_SESSION['authProvider'] . "'" .
- ", authorized = '" . $userauthorized . "'" .
- ", date = NOW()";
+ //use sql placemaker
+ $sets = "title=?, user = ?, groupname = ?, authorized = ?, date = NOW()";
+ $sqlBindArray = array($_POST['title'], $_SESSION['authUser'], $_SESSION['authProvider'], $userauthorized);
$fres = sqlStatement("SELECT * FROM layout_options " .
"WHERE form_id = 'REF' AND uor > 0 AND field_id != '' " .
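Review bot: `$transid` is bound at the `"WHERE id = ?", array($transid)` line without any type check; if `id` is an integer column (I cannot confirm from the hunk), casting at the binding site, `array((int)$transid)`, rejects non-numeric input early instead of silently matching no row. The comment `//use sql placemaker` should read `//use sql placeholder`; the same misspelling recurs in the next hunk at `@@ -40,14 +45,20 @@` three times. The origin and validation of `$transid` and `$mode` lie outside this hunk.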
@@ -40,14 +45,20 @@
if ($field_id == 'body' && $title != 'Referral') {
$value = $_POST["body"];
}
- $sets .= ", $field_id = '$value'";
+ //use sql placemaker (note need to explicitly escape the column label)
+ $sets .= ", ".add_escape_custom($field_id)." = ?";
+ array_push($sqlBindArray,$value);
}
if ($transid) {
- sqlStatement("UPDATE transactions SET $sets WHERE id = '$transid'");
+ //use sql placemaker
+ array_push($sqlBindArray,$transid);
+ sqlStatement("UPDATE transactions SET $sets WHERE id = ?", $sqlBindArray);
}
else {
- $sets .= ", pid = '$pid'";
- $transid = sqlInsert("INSERT INTO transactions SET $sets");
+ //use sql placemaker
+ array_push($sqlBindArray,$pid);
+ $sets .= ", pid = ?";
+ $transid = sqlInsert("INSERT INTO transactions SET $sets", $sqlBindArray);
}
if ($GLOBALS['concurrent_layout'])
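Review bot: `add_escape_custom($field_id)` at the `$sets .= ", ".add_escape_custom($field_id)." = ?"` line is, as far as I can tell, a string-value escaper, and value escaping does not make a bare column identifier safe: the name is not inside quotes, so escaping quote characters changes nothing about how MySQL parses it. `$field_id` comes from `layout_options.field_id` (selected just above, in the previous hunk) rather than directly from the request, which limits the exposure, but the comment `(note need to explicitly escape the column label)` overstates what the call achieves. The conventional guard is to validate the name against the identifier character set before concatenation, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $field_id)) { continue; }` if this sits inside the fetch loop, or to wrap it in backticks with any embedded backtick doubled. The loop that iterates the layout options begins before this hunk.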
@@ -56,6 +67,8 @@
$body_onload_code = "javascript:parent.Transactions.location.href='transactions.php';";
}
+/************************************
+//Migrated this to the list_options engine (transactions list)
$trans_types = array(
'Referral' => xl('Referral'),
'Patient Request' => xl('Patient Request'),
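Review bot: Wrapping the `$trans_types` array in a `/**** … ****/` block (closed in the following hunk at `@@ -63,6 +76,7 @@`) leaves dead code in the file; since the comment says the list has moved to the list_options engine, delete the array and replace it with a one-line pointer, e.g. `// Transaction types are now read from the list_options engine (transactions list).`. Keeping the old `xl(...)` entries in a comment only invites someone to resurrect them later.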
@@ -63,6 +76,7 @@
'Legal' => xl('Legal'),
'Billing' => xl('Billing'),
);
+************************************/
$CPR = 4; // cells per row
@@ -122,7 +136,7 @@ function end_group() {