diff --git a/custom/referral_template.html b/custom/referral_template.html
index c111eef30c3..98f5cc11890 100644
--- a/custom/referral_template.html
+++ b/custom/referral_template.html
@@ -87,7 +87,7 @@
      </tr>
      <tr>
       <td nowrap>{label_date}</td>
-      <td nowrap>{ref_refer_date}</td>
+      <td nowrap>{ref_refer_date}&nbsp;</td>
      </tr>
     </table>
    </td>
@@ -175,7 +175,7 @@
      </tr>
      <tr>
       <td nowrap>{label_date}</td>
-      <td nowrap>{ref_refer_date}</td>
+      <td nowrap>{ref_refer_date}&nbsp;</td>
      </tr>
     </table>
    </td>
diff --git a/interface/patient_file/history/history_title.php b/interface/patient_file/history/history_title.php
index 5422997107c..9054cce7cd9 100644
--- a/interface/patient_file/history/history_title.php
+++ b/interface/patient_file/history/history_title.php
@@ -1,4 +1,13 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 include_once("../../globals.php");
 include_once("$srcdir/patient.inc");
 require_once("$srcdir/classes/Pharmacy.class.php");
@@ -15,29 +24,34 @@
 
 <?php
  $result = getPatientData($pid, "fname,lname,pid,pubpid,phone_home,pharmacy_id,DOB,DATE_FORMAT(DOB,'%Y%m%d') as DOB_YMD");
- $provider_results = sqlQuery("select * from users where username='".$_SESSION{"authUser"}."'");
+ $provider_results = sqlQuery("select * from users where username=?", array($_SESSION{"authUser"}) );
  $age = getPatientAge($result["DOB_YMD"]);
 
  $info = 'ID: ' . $result['pubpid'];
- if ($result['DOB']) $info .= ', DOB: ' . $result['DOB'] . ', Age: ' . $age;
- if ($result['phone_home']) $info .= ', Home: ' . $result['phone_home'];
+ if ($result['DOB']) $info .= ', ' . xl('DOB') . ': ' . $result['DOB'] . ', ' . xl('Age') . ': ' . $age;
+ if ($result['phone_home']) $info .= ', ' . xl('Home') . ': ' . $result['phone_home'];
 
  if ($result['pharmacy_id']) {
   $pharmacy = new Pharmacy($result['pharmacy_id']);
-  if ($pharmacy->get_phone()) $info .= ', Pharm: ' . $pharmacy->get_phone();
+  if ($pharmacy->get_phone()) $info .= ', ' . xl('Pharm') . ': ' . $pharmacy->get_phone();
  }
+
+ //escape variables for output (to prevent xss attacks)
+ $patient_esc = htmlspecialchars( $result{"fname"} . " " . $result{"lname"}, ENT_NOQUOTES);
+ $info_esc = htmlspecialchars( $info, ENT_NOQUOTES);
+ $provider_esc = htmlspecialchars( $provider_results{"fname"}.' '.$provider_results{"lname"}, ENT_NOQUOTES);
 ?>
 
 <table border="0" cellpadding="0" cellspacing="0" width="100%" height="100%">
  <tr>
   <td style="width:45%; vertical-align:middle; white-space: nowrap">
-   <span class="title_bar_top"><?php echo $result{"fname"} . " " . $result{"lname"};?></span>
-   <span style="font-size:0.7em;">(<?php echo $info ?>)</span>
+   <span class="title_bar_top"><?php echo $patient_esc; ?></span>
+   <span style="font-size:0.7em;">(<?php echo $info_esc; ?>)</span>
   </td>
-  <td style="width:35%; text-align: center; vertical-align:middle; white-space: nowrap">
-   <span class="title_bar_top"><?php xl('Logged in as','e'); ?>: <?php echo $provider_results{"fname"}.' '.$provider_results{"lname"};?></span>
+  <td style="width:35%; vertical-align:middle; white-space: nowrap; text-align:center">
+   <span class="title_bar_top"><?php htmlspecialchars( xl('Logged in as','e'), ENT_NOQUOTES); ?>: <?php echo $provider_esc; ?></span>
   </td>
-  <td style="width:20%; text-align: right; vertical-align:middle; white-space: nowrap">
+  <td style="width:20%; vertical-align:middle; white-space: nowrap; text-align:right">
    &nbsp;
   </td>
  </tr>
diff --git a/interface/patient_file/transaction/add_transaction.php b/interface/patient_file/transaction/add_transaction.php
index 8d86292081a..20fe63a7c81 100644
--- a/interface/patient_file/transaction/add_transaction.php
+++ b/interface/patient_file/transaction/add_transaction.php
@@ -2,6 +2,14 @@
 // add_transaction is a misnomer, as this script will now also edit
 // existing transactions.
 
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 require_once("../../globals.php");
 require_once("$srcdir/transactions.inc");
 require_once("$srcdir/options.inc.php");
@@ -17,18 +25,15 @@
 $body_onload_code="";
 if ($inmode) {		/*	For edit func */
   $inedit = sqlStatement("SELECT * FROM transactions " .
-    "WHERE id = '".$transid."'");
+    "WHERE id = ?", array($transid) );
   while ($inmoderow = sqlFetchArray($inedit)) {
     $body = $inmoderow['body'];
   }
 }
 if ($mode) {
-  $sets =
-    "title='"          . $_POST['title'] . "'" .
-    ", user = '"       . $_SESSION['authUser'] . "'" .
-    ", groupname = '"  . $_SESSION['authProvider'] . "'" .
-    ", authorized = '" . $userauthorized . "'" .
-    ", date = NOW()";
+  //use sql placemaker
+  $sets = "title=?, user = ?, groupname = ?, authorized = ?, date = NOW()";
+  $sqlBindArray = array($_POST['title'], $_SESSION['authUser'], $_SESSION['authProvider'], $userauthorized);
 
   $fres = sqlStatement("SELECT * FROM layout_options " .
     "WHERE form_id = 'REF' AND uor > 0 AND field_id != '' " .
@@ -40,14 +45,20 @@
     if ($field_id == 'body' && $title != 'Referral') {
       $value = $_POST["body"];
     }
-    $sets .= ", $field_id = '$value'";
+    //use sql placemaker (note need to explicitly escape the column label)
+    $sets .= ", ".add_escape_custom($field_id)." = ?";
+    array_push($sqlBindArray,$value);
   }
   if ($transid) {
-    sqlStatement("UPDATE transactions SET $sets WHERE id = '$transid'");
+    //use sql placemaker
+    array_push($sqlBindArray,$transid);
+    sqlStatement("UPDATE transactions SET $sets WHERE id = ?", $sqlBindArray);
   }
   else {
-    $sets .= ", pid = '$pid'";
-    $transid = sqlInsert("INSERT INTO transactions SET $sets");
+    //use sql placemaker
+    array_push($sqlBindArray,$pid);
+    $sets .= ", pid = ?";
+    $transid = sqlInsert("INSERT INTO transactions SET $sets", $sqlBindArray);
   }
 
   if ($GLOBALS['concurrent_layout'])
@@ -56,6 +67,8 @@
     $body_onload_code = "javascript:parent.Transactions.location.href='transactions.php';";
 }
 
+/************************************
+//Migrated this to the list_options engine (transactions list)
 $trans_types = array(
   'Referral'          => xl('Referral'),
   'Patient Request'   => xl('Patient Request'),
@@ -63,6 +76,7 @@
   'Legal'             => xl('Legal'),
   'Billing'           => xl('Billing'),
 );
+************************************/
 
 $CPR = 4; // cells per row
 
@@ -122,7 +136,7 @@ function end_group() {
 </script>
 <script language="JavaScript">
 
-var mypcc = '<?php echo $GLOBALS['phone_country_code'] ?>';
+var mypcc = '<?php echo htmlspecialchars( $GLOBALS['phone_country_code'], ENT_QUOTES); ?>';
 
 function titleChanged() {
  var sel = document.forms[0].title;
@@ -169,7 +183,7 @@ function sel_related() {
 // Process click on Delete link.
 function deleteme() {
 // onclick='return deleteme()'
- dlgopen('../deleter.php?transaction=<?php echo $transid ?>', '_blank', 500, 450);
+ dlgopen('../deleter.php?transaction=<?php echo htmlspecialchars( $transid, ENT_QUOTES); ?>', '_blank', 500, 450);
  return false;
 }
 
@@ -201,11 +215,11 @@ function validate(f) {
  }
 
  var msg = "";
- msg += "<?php xl('The following fields are required', 'e' ); ?>:\n\n";
+ msg += "<?php echo htmlspecialchars( xl('The following fields are required'), ENT_QUOTES); ?>:\n\n";
  for ( var i = 0; i < errMsgs.length; i++ ) {
 	msg += errMsgs[i] + "\n";
  }
- msg += "\n<?php xl('Please fill them in before continuing.', 'e'); ?>";
+ msg += "\n<?php echo htmlspecialchars( xl('Please fill them in before continuing.'), ENT_QUOTES); ?>";
 
  if ( errMsgs.length > 0 ) {
 	alert(msg);
@@ -236,20 +250,20 @@ function submitme() {
 
 </head>
 <body class="body_top" onload="<?php echo $body_onload_code; ?>" >
-<form name='new_transaction' method='post' action='add_transaction.php?transid=<?php echo $transid ?>' onsubmit='return validate(this)'>
+<form name='new_transaction' method='post' action='add_transaction.php?transid=<?php echo htmlspecialchars( $transid, ENT_QUOTES); ?>' onsubmit='return validate(this)'>
 <input type='hidden' name='mode' value='add'>
 
 	<table>
 	    <tr>
             <td>
-                <b><?php xl('Add/Edit Patient Transaction','e'); ?></b>&nbsp;</td><td>
+                <b><?php echo htmlspecialchars( xl('Add/Edit Patient Transaction'), ENT_NOQUOTES); ?></b>&nbsp;</td><td>
                  <a href="javascript:;"  <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?> class="css_button" onclick="submitme();">
-                    <span><?php xl('Save','e'); ?></span>
+                    <span><?php echo htmlspecialchars( xl('Save'), ENT_NOQUOTES); ?></span>
                  </a>
              </td>
              <td>
                 <a href="transactions.php"  <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?> class="css_button" onclick="top.restoreSession()">
-                    <span><?php xl('Cancel','e'); ?></span>
+                    <span><?php echo htmlspecialchars( xl('Cancel'), ENT_NOQUOTES); ?></span>
                 </a>
             </td>
         </tr>
@@ -257,17 +271,8 @@ function submitme() {
 
 	<table class="text">
 	    <tr><td>
-        <?php xl('Transaction Type','e'); ?>:&nbsp;</td><td>
-        <select name='title' onchange='titleChanged()'>
-        <?php
-        $db_title=$_REQUEST['title'];
-        foreach ($trans_types as $key => $value) {
-          echo "    <option value='$key'";
-          if ($key == $db_title) echo " selected";
-          echo ">$value</option>\n";
-        }
-        ?>
-        </select>
+        <?php echo htmlspecialchars( xl('Transaction Type'), ENT_NOQUOTES); ?>:&nbsp;</td><td>
+	<?php echo generate_select_list('title','transactions',$_REQUEST['title'],'','','','titleChanged()'); ?>
         </td></tr>
 	</table>
 
@@ -302,7 +307,7 @@ function submitme() {
     }
     else if ($field_id == 'body' ) {
       $tmp = sqlQuery("SELECT reason FROM form_encounter WHERE " .
-        "pid = '$pid' ORDER BY date DESC LIMIT 1");
+        "pid = ? ORDER BY date DESC LIMIT 1", array($pid) );
       if (!empty($tmp)) $currvalue = $tmp['reason'];
     }
   }
@@ -314,7 +319,10 @@ function submitme() {
     $last_group = $this_group;
 	if($group_seq==1)	echo "<li class='current'>";
 	else				echo "<li class=''>";
-	echo "<a href='/play/javascript-tabbed-navigation/' id='div_$group_seq'>".xl_layout_label($group_name)."</a></li>";
+        $group_seq_esc = htmlspecialchars( $group_seq, ENT_QUOTES);
+        $group_name_show = htmlspecialchars( xl_layout_label($group_name), ENT_NOQUOTES);
+	echo "<a href='/play/javascript-tabbed-navigation/' id='div_$group_seq_esc'>".
+	    "$group_name_show</a></li>";
   }
   ++$item_count;
 }
@@ -349,7 +357,7 @@ function submitme() {
     }
     else if ($field_id == 'body' && $transid > 0 ) {
 	   $tmp = sqlQuery("SELECT reason FROM form_encounter WHERE " .
-        "pid = '$pid' ORDER BY date DESC LIMIT 1");
+        "pid = ? ORDER BY date DESC LIMIT 1", array($pid) );
       if (!empty($tmp)) $currvalue = $tmp['reason'];
     }
   }
@@ -360,8 +368,9 @@ function submitme() {
     $group_seq  = substr($this_group, 0, 1);
     $group_name = substr($this_group, 1);
     $last_group = $this_group;
-	if($group_seq==1)	echo "<div class='tab current' id='div_$group_seq'>";
-	else				echo "<div class='tab' id='div_$group_seq'>";
+    $group_seq_esc = htmlspecialchars( $group_seq, ENT_QUOTES);
+	if($group_seq==1)	echo "<div class='tab current' id='div_$group_seq_esc'>";
+	else				echo "<div class='tab' id='div_$group_seq_esc'>";
     echo " <table border='0' cellpadding='0'>\n";
     $display_style = 'none';
   }
@@ -377,7 +386,8 @@ function submitme() {
   // Handle starting of a new label cell.
   if ($titlecols > 0) {
     end_cell();
-    echo "<td width='70' valign='top' colspan='$titlecols'";
+    $titlecols_esc = htmlspecialchars( $titlecols, ENT_QUOTES);
+    echo "<td width='70' valign='top' colspan='$titlecols_esc'";
     echo ($frow['uor'] == 2) ? " class='required'" : " class='bold'";
     if ($cell_count == 2) echo " style='padding-left:10pt'";
     echo ">";
@@ -388,14 +398,15 @@ function submitme() {
   echo "<b>";
 
   // Modified 6-09 by BM - Translate if applicable
-  if ($frow['title']) echo (xl_layout_label($frow['title']) . ":"); else echo "&nbsp;";
+  if ($frow['title']) echo (htmlspecialchars( xl_layout_label($frow['title']), ENT_NOQUOTES) . ":"); else echo "&nbsp;";
 
   echo "</b>";
 
   // Handle starting of a new data cell.
   if ($datacols > 0) {
     end_cell();
-    echo "<td valign='top' colspan='$datacols' class='text'";
+    $datacols_esc = htmlspecialchars( $datacols, ENT_QUOTES);
+    echo "<td valign='top' colspan='$datacols_esc' class='text'";
     if ($cell_count > 0) echo " style='padding-left:5pt'";
     echo ">";
     $cell_count += $datacols;
@@ -414,8 +425,8 @@ function submitme() {
 </div>
 <p>
 <div id='otherdiv' style='display:none'>
-<span class='bold'><?php xl('Details','e'); ?>:</span><br>
-<textarea name='body' rows='6' cols='40' wrap='virtual'><?php echo $body; ?>
+<span class='bold'><?php echo htmlspecialchars( xl('Details'), ENT_NOQUOTES); ?>:</span><br>
+<textarea name='body' rows='6' cols='40' wrap='virtual'><?php echo htmlspecialchars( $body, ENT_NOQUOTES); ?>
 </textarea>
 </div>
 </p>
diff --git a/interface/patient_file/transaction/patient_transaction.php b/interface/patient_file/transaction/patient_transaction.php
index 10dbf3ca908..d82939d36cb 100644
--- a/interface/patient_file/transaction/patient_transaction.php
+++ b/interface/patient_file/transaction/patient_transaction.php
@@ -1,11 +1,20 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 include_once("../../globals.php");
 ?>
 
 <HTML>
 <head>
 <?php html_header_show();?>
-<TITLE><?php xl('Patient Summary','e'); ?>
+<TITLE><?php echo htmlspecialchars( xl('Patient Summary'), ENT_NOQUOTES); ?>
 </TITLE>
 </HEAD>
 <frameset rows="50%,50%" cols="*">
diff --git a/interface/patient_file/transaction/print_referral.php b/interface/patient_file/transaction/print_referral.php
index 93d2ef17bc5..6226b9b6070 100644
--- a/interface/patient_file/transaction/print_referral.php
+++ b/interface/patient_file/transaction/print_referral.php
@@ -6,6 +6,14 @@
 // as published by the Free Software Foundation; either version 2
 // of the License, or (at your option) any later version.
 
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 include_once("../../globals.php");
 require_once("$srcdir/transactions.inc");
 require_once("$srcdir/options.inc.php");
@@ -14,38 +22,38 @@
 $template_file = "$webserver_root/custom/referral_template.html";
 
 $TEMPLATE_LABELS = array(
-  'label_clinic_id'             => xl('Clinic ID'),
-  'label_control_no'            => xl('Control No.'),
-  'label_date'                  => xl('Date'),
-  'label_webpage_title'         => xl('Referral Form'),
-  'label_form1_title'           => xl('REFERRAL FORM'),
-  'label_name'                  => xl('Name'),
-  'label_age'                   => xl('Age'),
-  'label_gender'                => xl('Gender'),
-  'label_address'               => xl('Address'),
-  'label_postal'                => xl('Postal'),
-  'label_phone'                 => xl('Phone'),
-  'label_ref_reason'            => xl('Reference Reason'),
-  'label_diagnosis'             => xl('Diagnosis'),
-  'label_ref_class'             => xl('Reference classification (risk level)'),
-  'label_dr_name_sig'           => xl('Doctor\'s name and signature'),
-  'label_refer_to'              => xl('Referred to'),
-  'label_clinic'                => xl('Health centre/clinic'),
-  'label_history_summary'       => xl('Client medical history summary'),
-  'label_bp'                    => xl('Blood pressure'),
-  'label_ht'                    => xl('Height'),
-  'label_wt'                    => xl('Weight'),
-  'label_ref_name_sig'          => xl('Referer name and signature'),
-  'label_special_name_sig'      => xl('Specialist name and signature'),
-  'label_form2_title'           => xl('COUNTER REFERRAL FORM'),
-  'label_findings'              => xl('Findings'),
-  'label_final_diagnosis'       => xl('Final Diagnosis'),
-  'label_services_provided'     => xl('Services provided'),
-  'label_recommendations'       => xl('Recommendations and treatment'),
-  'label_scripts_and_referrals' => xl('Prescriptions and other referrals'),
-  'label_subhead_clinic'        => xl('Clinic Copy'),
-  'label_subhead_patient'       => xl('Client Copy'),
-  'label_subhead_referred'      => xl('For Referred Organization/Practitioner'),
+  'label_clinic_id'             => htmlspecialchars( xl('Clinic ID')),
+  'label_control_no'            => htmlspecialchars( xl('Control No.')),
+  'label_date'                  => htmlspecialchars( xl('Date')),
+  'label_webpage_title'         => htmlspecialchars( xl('Referral Form')),
+  'label_form1_title'           => htmlspecialchars( xl('REFERRAL FORM')),
+  'label_name'                  => htmlspecialchars( xl('Name')),
+  'label_age'                   => htmlspecialchars( xl('Age')),
+  'label_gender'                => htmlspecialchars( xl('Gender')),
+  'label_address'               => htmlspecialchars( xl('Address')),
+  'label_postal'                => htmlspecialchars( xl('Postal')),
+  'label_phone'                 => htmlspecialchars( xl('Phone')),
+  'label_ref_reason'            => htmlspecialchars( xl('Reference Reason')),
+  'label_diagnosis'             => htmlspecialchars( xl('Diagnosis')),
+  'label_ref_class'             => htmlspecialchars( xl('Reference classification (risk level)')),
+  'label_dr_name_sig'           => htmlspecialchars( xl('Doctor\'s name and signature')),
+  'label_refer_to'              => htmlspecialchars( xl('Referred to')),
+  'label_clinic'                => htmlspecialchars( xl('Health centre/clinic')),
+  'label_history_summary'       => htmlspecialchars( xl('Client medical history summary')),
+  'label_bp'                    => htmlspecialchars( xl('Blood pressure')),
+  'label_ht'                    => htmlspecialchars( xl('Height')),
+  'label_wt'                    => htmlspecialchars( xl('Weight')),
+  'label_ref_name_sig'          => htmlspecialchars( xl('Referer name and signature')),
+  'label_special_name_sig'      => htmlspecialchars( xl('Specialist name and signature')),
+  'label_form2_title'           => htmlspecialchars( xl('COUNTER REFERRAL FORM')),
+  'label_findings'              => htmlspecialchars( xl('Findings')),
+  'label_final_diagnosis'       => htmlspecialchars( xl('Final Diagnosis')),
+  'label_services_provided'     => htmlspecialchars( xl('Services provided')),
+  'label_recommendations'       => htmlspecialchars( xl('Recommendations and treatment')),
+  'label_scripts_and_referrals' => htmlspecialchars( xl('Prescriptions and other referrals')),
+  'label_subhead_clinic'        => htmlspecialchars( xl('Clinic Copy')),
+  'label_subhead_patient'       => htmlspecialchars( xl('Client Copy')),
+  'label_subhead_referred'      => htmlspecialchars( xl('For Referred Organization/Practitioner'))
 );
 
 if (!is_file($template_file)) die("$template_file does not exist!");
@@ -79,10 +87,10 @@
   $patient_age = '';
 }
 
-$frrow = sqlQuery("SELECT * FROM users WHERE id = '" . $trow['refer_from'] . "'");
+$frrow = sqlQuery("SELECT * FROM users WHERE id = ?", array($trow['refer_from']) );
 if (empty($frrow)) $frrow = array();
 
-$torow = sqlQuery("SELECT * FROM users WHERE id = '" . $trow['refer_to'] . "'");
+$torow = sqlQuery("SELECT * FROM users WHERE id = ?", array($trow['refer_to']) );
 if (empty($torow)) $torow = array(
   'organization' => '',
   'street' => '',
@@ -93,8 +101,8 @@
 );
 
 $vrow = sqlQuery("SELECT * FROM form_vitals WHERE " .
-  "pid = '$patient_id' AND date <= '$refer_date 23:59:59' " .
-  "ORDER BY date DESC LIMIT 1");
+  "pid = ? AND date <= ? " .
+  "ORDER BY date DESC LIMIT 1", array($patient_id, $refer_date." 23:59:59") );
 if (empty($vrow)) $vrow = array(
   'bps' => '',
   'bpd' => '',
@@ -107,7 +115,6 @@
 $facrow = getFacility(-1);
 
 // Make some items HTML-friendly if they are empty.
-if (empty($trow['refer_date'])) $trow['refer_date'] = '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;';
 if (empty($trow['id'])) $trow['id'] = '&nbsp;';
 if (empty($patient_id)) $patient_id = '&nbsp;';
 if (empty($facrow['facility_npi'])) $facrow['facility_npi'] = '&nbsp;';
diff --git a/interface/patient_file/transaction/transaction_title.php b/interface/patient_file/transaction/transaction_title.php
index 9dc66b462b5..9054cce7cd9 100644
--- a/interface/patient_file/transaction/transaction_title.php
+++ b/interface/patient_file/transaction/transaction_title.php
@@ -1,4 +1,13 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 include_once("../../globals.php");
 include_once("$srcdir/patient.inc");
 require_once("$srcdir/classes/Pharmacy.class.php");
@@ -15,7 +24,7 @@
 
 <?php
  $result = getPatientData($pid, "fname,lname,pid,pubpid,phone_home,pharmacy_id,DOB,DATE_FORMAT(DOB,'%Y%m%d') as DOB_YMD");
- $provider_results = sqlQuery("select * from users where username='" . $_SESSION{"authUser"} . "'");
+ $provider_results = sqlQuery("select * from users where username=?", array($_SESSION{"authUser"}) );
  $age = getPatientAge($result["DOB_YMD"]);
 
  $info = 'ID: ' . $result['pubpid'];
@@ -24,18 +33,23 @@
 
  if ($result['pharmacy_id']) {
   $pharmacy = new Pharmacy($result['pharmacy_id']);
-  if ($pharmacy->get_phone()) $info .= ', Pharm: ' . $pharmacy->get_phone();
+  if ($pharmacy->get_phone()) $info .= ', ' . xl('Pharm') . ': ' . $pharmacy->get_phone();
  }
+
+ //escape variables for output (to prevent xss attacks)
+ $patient_esc = htmlspecialchars( $result{"fname"} . " " . $result{"lname"}, ENT_NOQUOTES);
+ $info_esc = htmlspecialchars( $info, ENT_NOQUOTES);
+ $provider_esc = htmlspecialchars( $provider_results{"fname"}.' '.$provider_results{"lname"}, ENT_NOQUOTES);
 ?>
 
 <table border="0" cellpadding="0" cellspacing="0" width="100%" height="100%">
  <tr>
   <td style="width:45%; vertical-align:middle; white-space: nowrap">
-   <span class="title_bar_top"><?php echo $result{"fname"} . " " . $result{"lname"};?></span>
-   <span style="font-size:0.7em;">(<?php echo $info ?>)</span>
+   <span class="title_bar_top"><?php echo $patient_esc; ?></span>
+   <span style="font-size:0.7em;">(<?php echo $info_esc; ?>)</span>
   </td>
   <td style="width:35%; vertical-align:middle; white-space: nowrap; text-align:center">
-   <span class="title_bar_top"><?php xl('Logged in as','e'); ?>: <?php echo $provider_results{"fname"}.' '.$provider_results{"lname"};?></span>
+   <span class="title_bar_top"><?php htmlspecialchars( xl('Logged in as','e'), ENT_NOQUOTES); ?>: <?php echo $provider_esc; ?></span>
   </td>
   <td style="width:20%; vertical-align:middle; white-space: nowrap; text-align:right">
    &nbsp;
diff --git a/interface/patient_file/transaction/transactions.php b/interface/patient_file/transaction/transactions.php
index c0d95d16b63..7fa00fbe67d 100644
--- a/interface/patient_file/transaction/transactions.php
+++ b/interface/patient_file/transaction/transactions.php
@@ -1,4 +1,13 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 include_once("../../globals.php");
 include_once("$srcdir/transactions.inc");
 ?>
@@ -42,15 +51,15 @@ function toggle( target, div ) {
     <table>
     <tr>
         <td>
-            <span class="title"><?php xl('Patient Transactions','e'); ?></span>&nbsp;</td>
+            <span class="title"><?php echo htmlspecialchars( xl('Patient Transactions'), ENT_NOQUOTES); ?></span>&nbsp;</td>
         <td>
             <!-- Define CSS Buttons -->
             <a href="add_transaction.php"  <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?> class="css_button" onclick="top.restoreSession()">
-            <span><?php xl('Add','e'); ?></span></a>
+            <span><?php echo htmlspecialchars( xl('Add'), ENT_NOQUOTES); ?></span></a>
         </td>
         <td>
             <a href="print_referral.php" <?php if (!$GLOBALS['concurrent_layout']) echo "target='Main'"; ?> onclick="top.restoreSession()" class="css_button" >
-            <span><?php xl('Print Blank Referral Form','e'); ?></span></a>
+            <span><?php echo htmlspecialchars( xl('Print Blank Referral Form'), ENT_NOQUOTES); ?></span></a>
         </td>
     </tr>
     </table>
@@ -59,8 +68,7 @@ function toggle( target, div ) {
     <?php if ($result = getTransByPid($pid)) { ?>
         <div id='transactions_div'></div>
     <?php } else { ?>
-        <!-- English until parameterized translations are supported -->
-        <span class="text">Currently there are no transcations. Please <a href='add_transaction.php'>click here</a> to add one.</span>
+        <span class="text"><?php echo htmlspecialchars( xl('There are no transactions on file for this patient.'), ENT_NOQUOTES); ?></span>
     <?php } ?>
     </div>
 </body>
diff --git a/interface/patient_file/transaction/transactions_full.php b/interface/patient_file/transaction/transactions_full.php
index 9d93debfd20..c877a05e784 100644
--- a/interface/patient_file/transaction/transactions_full.php
+++ b/interface/patient_file/transaction/transactions_full.php
@@ -1,4 +1,13 @@
 <?php
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
+
 include_once("../../globals.php");
 include_once("$srcdir/transactions.inc");
 require_once("$srcdir/options.inc.php");
@@ -26,8 +35,11 @@ function imdeleted() {
 if ($result = getTransByPid($pid)) {
 
 	// Print Heading .. to have better Understanding of the Listed Transactions -- starts here Dec 07,09
-	 print "<tr class='showborder_head'><th style='width=10px;'>&nbsp;</th>";
-	 print "<th style='width:140px;'>Type</th><th  style='width:150px;'>Date</th><th style='width:60px;'>User</th><th  style='width:180px;'>Details</th></tr>\n";
+	 print "<tr class='showborder_head'><th style='width=10px;'>&nbsp;</th><th style='width=10px;'>&nbsp;</th><th style='width=10px;'>&nbsp;</th>";
+	 print "<th style='width:140px;'>".htmlspecialchars( xl('Type'), ENT_NOQUOTES)."</th>" .
+               "<th  style='width:150px;'>".htmlspecialchars( xl('Date'), ENT_NOQUOTES)."</th>" .
+               "<th style='width:60px;'>".htmlspecialchars( xl('User'), ENT_NOQUOTES)."</th>" .
+               "<th  style='width:180px;'>".htmlspecialchars( xl('Details'), ENT_NOQUOTES)."</th></tr>\n";
 		// Print Heading .. to have better Understanding of the Listed Transactions   -- ends here
 
 	foreach ($result as $iter) {
@@ -36,13 +48,38 @@ function imdeleted() {
 		} else {
 			$date_string = date( "D F dS" ,strtotime($iter{"date"}));
 		}
-	    print "<tr height='25'>
-		<td><a href='add_transaction.php?transid=".$iter{"id"}.
-      "&title=".$iter{"title"}."&inmode=edit' onclick='top.restoreSession()' class='css_button_small'><span>".xl('Edit')."</span></a>";
-	  if (acl_check('admin', 'super'))  echo "<a href='../deleter.php?transaction=".$iter{"id"}."' onclick='top.restoreSession()' class='css_button_small'><span>".xl('Delete')."</span></a></td>";
-		echo "<td>" .$iter{"title"} ."&nbsp;</td><td>".$date_string .
-      "</td><td>(" . $iter{"user"}.
-      ")&nbsp;</td><td>" .  stripslashes($iter{"body"}) . "&nbsp;</td></tr>\n";
+		echo "<tr height='25'><td>";
+		if ($iter{"title"} == "Referral") {
+			//show the print button for referral forms only
+                        echo "<a href='print_referral.php?transid=".
+				htmlspecialchars( $iter{"id"}, ENT_NOQUOTES).
+                        	"' onclick='top.restoreSession()' class='css_button_small'><span>".
+                        	htmlspecialchars( xl('Print'), ENT_NOQUOTES)."</span></a>";
+		}
+		else {
+			echo "&nbsp;";
+		}
+		echo "</td><td>";
+		print "<a href='add_transaction.php?transid=".htmlspecialchars( $iter{"id"}, ENT_NOQUOTES).
+			"&title=".htmlspecialchars( $iter{"title"}, ENT_QUOTES).
+			"&inmode=edit' onclick='top.restoreSession()' class='css_button_small'><span>".
+			htmlspecialchars( xl('Edit'), ENT_NOQUOTES)."</span></a>";
+		echo "</td><td>";
+		if (acl_check('admin', 'super')) {
+			echo "<a href='../deleter.php?transaction=".
+				htmlspecialchars( $iter{"id"}, ENT_QUOTES).
+				"' onclick='top.restoreSession()' class='css_button_small'><span>".
+				htmlspecialchars( xl('Delete'), ENT_NOQUOTES)."</span></a>";
+		}
+		else {
+			echo "&nbsp;";
+		}
+		echo "</td>";
+		echo "<td><b>&nbsp;" .
+			generate_display_field(array('data_type'=>'1','list_id'=>'transactions'), $iter{"title"}) .
+			"</b></td><td>" . htmlspecialchars( $date_string, ENT_NOQUOTES) . "</td><td>(" .
+			htmlspecialchars( $iter{"user"}, ENT_NOQUOTES). ")&nbsp;</td><td>" .
+			htmlspecialchars( ($iter{"body"}), ENT_NOQUOTES) . "&nbsp;</td></tr>\n";
 		$notes_count++;
 
 	}
diff --git a/library/patient.inc b/library/patient.inc
index 0531e613794..efdde3487ba 100644
--- a/library/patient.inc
+++ b/library/patient.inc
@@ -90,8 +90,13 @@ function getProviders() {
 // may find additional uses.
 //
 function getFacility($facid=0) {
+
+  //create a sql binding array
+  $sqlBindArray = array();
+  
   if ($facid > 0) {
-    $query = "SELECT * FROM facility WHERE id = '$facid'";
+    $query = "SELECT * FROM facility WHERE id = ?";
+    array_push($sqlBindArray,$facid);
   }
   else if ($facid == 0) {
     $query = "SELECT * FROM facility ORDER BY " .
@@ -99,10 +104,11 @@ function getFacility($facid=0) {
   }
   else {
     $query = "SELECT facility.* FROM users, facility WHERE " .
-      "users.id = '" . $_SESSION['authUserID'] . "' AND " .
+      "users.id = ? AND " .
       "facility.id = users.facility_id";
+    array_push($sqlBindArray,$_SESSION['authUserID']);
   }
-  return sqlQuery($query);
+  return sqlQuery($query,$sqlBindArray);
 }
 
 // Generate a report title including report name and facility name, address
@@ -116,20 +122,20 @@ function genFacilityTitle($repname='', $facid=0) {
   $s .= "  <td class='ftitlecell2'>\n";
   $r = getFacility($facid);
   if (!empty($r)) {
-    $s .= "<b>" . $r['name'] . "</b>\n";
-    if ($r['street']) $s .= "<br />" . $r['street'] . "\n";
+    $s .= "<b>" . htmlspecialchars( $r['name'], ENT_NOQUOTES) . "</b>\n";
+    if ($r['street']) $s .= "<br />" . htmlspecialchars( $r['street'], ENT_NOQUOTES) . "\n";
     if ($r['city'] || $r['state'] || $r['postal_code']) {
       $s .= "<br />";
-      if ($r['city']) $s .= $r['city'];
+      if ($r['city']) $s .= htmlspecialchars( $r['city'], ENT_NOQUOTES);
       if ($r['state']) {
         if ($r['city']) $s .= ", \n";
-        $s .= $r['state'];
+        $s .= htmlspecialchars( $r['state'], ENT_NOQUOTES);
       }
-      if ($r['postal_code']) $s .= " " . $r['postal_code'];
+      if ($r['postal_code']) $s .= " " . htmlspecialchars( $r['postal_code'], ENT_NOQUOTES);
       $s .= "\n";
     }
-    if ($r['country_code']) $s .= "<br />" . $r['country_code'] . "\n";
-    if (preg_match('/[1-9]/', $r['phone'])) $s .= "<br />" . $r['phone'] . "\n";
+    if ($r['country_code']) $s .= "<br />" . htmlspecialchars( $r['country_code'], ENT_NOQUOTES) . "\n";
+    if (preg_match('/[1-9]/', $r['phone'])) $s .= "<br />" . htmlspecialchars( $r['phone'], ENT_NOQUOTES) . "\n";
   }
   $s .= "  </td>\n";
   $s .= " </tr>\n";
diff --git a/library/report.inc b/library/report.inc
index 8c818f32c8b..98712b3fe33 100644
--- a/library/report.inc
+++ b/library/report.inc
@@ -7,6 +7,7 @@
 require_once("{$GLOBALS['srcdir']}/sql.inc");
 require_once("{$GLOBALS['srcdir']}/acl.inc");
 require_once("{$GLOBALS['srcdir']}/formatting.inc.php");
+require_once("{$GLOBALS['srcdir']}/formdata.inc.php");
 
 $patient_data_array = array(title => "Title: ",
 fname => "First Name: ",
@@ -213,9 +214,14 @@ function printPatientNotes($pid) {
 }
 
 function printPatientTransactions($pid) {
-	$res = sqlStatement("select * from transactions where pid='$pid' order by date");
+	$res = sqlStatement("select * from transactions where pid=? order by date", array($pid) );
 	while($result = sqlFetchArray($res)) {
-		print "<span class=bold>" . oeFormatSDFT(strtotime($result{"date"})) . ":</span><span class=text>(".$result{"title"}.") " . stripslashes($result{"body"}) . "</span><br>\n";
+		print "<span class=bold>" .
+		htmlspecialchars( oeFormatSDFT(strtotime($result{"date"})), ENT_NOQUOTES) .
+		":</span><span class=text>(" .
+		generate_display_field(array('data_type'=>'1','list_id'=>'transactions'), $result{"title"}) .
+		") " . htmlspecialchars( $result{"body"}, ENT_NOQUOTES) .
+		"</span><br>\n";
 	}
 }
 
diff --git a/library/transactions.inc b/library/transactions.inc
index 16ab996da51..afc29678bdc 100644
--- a/library/transactions.inc
+++ b/library/transactions.inc
@@ -3,14 +3,14 @@ require_once("{$GLOBALS['srcdir']}/sql.inc");
 
 function getTransById ($id, $cols = "*")
 {
-  return sqlQuery("select $cols from transactions where id='$id' " .
-    "order by date DESC limit 0,1");
+  return sqlQuery("select $cols from transactions where id=? " .
+    "order by date DESC limit 0,1", array($id) );
 }
 
 function getTransByPid ($pid, $cols = "*")
 {
-  $res = sqlStatement("select $cols from transactions where pid='$pid' " .
-    "order by date DESC");
+  $res = sqlStatement("select $cols from transactions where pid=? " .
+    "order by date DESC", array($pid) );
   for ($iter = 0; $row = sqlFetchArray($res); $iter++)
     $all[$iter] = $row;
   return $all;
diff --git a/sql/3_2_0-to-4_0_0_upgrade.sql b/sql/3_2_0-to-4_0_0_upgrade.sql
index 434864c61e8..1942ee79338 100644
--- a/sql/3_2_0-to-4_0_0_upgrade.sql
+++ b/sql/3_2_0-to-4_0_0_upgrade.sql
@@ -186,6 +186,15 @@ INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES (
 ALTER TABLE openemr_postcalendar_events CHANGE pc_apptstatus pc_apptstatus varchar(15) NOT NULL DEFAULT '-';
 #EndIf
 
+#IfNotRow2D list_options list_id lists option_id transactions
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('lists', 'transactions', 'Transactions', 20, 0);
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('transactions', 'Referral', 'Referral', 10, 0);
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('transactions', 'Patient Request', 'Patient Request', 20, 0);
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('transactions', 'Physician Request', 'Physician Request', 30, 0);
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('transactions', 'Legal', 'Legal', 40, 0);
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('transactions', 'Billing', 'Billing', 50, 0);
+#EndIf
+
 #IfNotRow2D layout_options form_id DEM field_id referral_source
 INSERT INTO `layout_options` VALUES ('DEM', 'referral_source', '5Stats', 'Referral Source',10, 26, 1, 0, 0, 'refsource', 1, 1, '', '', 'How did they hear about us');
 #EndIf
diff --git a/sql/database.sql b/sql/database.sql
index f6a8ad92a0a..7feaa7b3b87 100644
--- a/sql/database.sql
+++ b/sql/database.sql
@@ -2232,6 +2232,13 @@ INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES (
 INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('eligibility', 'eligible', 'Eligible', 10, 0);
 INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('eligibility', 'ineligible', 'Ineligible', 20, 0);
 
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('lists', 'transactions', 'Transactions', 20, 0);
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('transactions', 'Referral', 'Referral', 10, 0);
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('transactions', 'Patient Request', 'Patient Request', 20, 0);
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('transactions', 'Physician Request', 'Physician Request', 30, 0);
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('transactions', 'Legal', 'Legal', 40, 0);
+INSERT INTO list_options ( list_id, option_id, title, seq, is_default ) VALUES ('transactions', 'Billing', 'Billing', 50, 0);
+
 -- --------------------------------------------------------
 
 --