Security fixes 22

interface/billing/sl_eob_patient_note.php

@@ -1,12 +1,25 @@
-<?php 
- // Copyright (C) 2005 Rod Roark <[email protected]>
- //
- // This program is free software; you can redistribute it and/or
- // modify it under the terms of the GNU General Public License
- // as published by the Free Software Foundation; either version 2
- // of the License, or (at your option) any later version.
-
- // This allows entry and editing of a "billing note" for the patient.
+<?php
+/**
+ * This allos entry and editing of a "billing note" for the patient.
+ * 
+ * Copyright (C) 2005 Rod Roark <[email protected]>
+ *
+ * LICENSE: This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http:https://opensource.org/licenses/gpl-license.php>;.
+ *
+ * @package OpenEMR
+ * @author Rod Roark <[email protected]>
+ * @author Roberto Vasquez <[email protected]>
+ * @link http:https://www.open-emr.org
+ */
 
  include_once("../globals.php");
  include_once("../../library/patient.inc");
@@ -30,9 +43,9 @@
  $thename = $thevalue ? "Billing" : "";
 
  sqlStatement("UPDATE patient_data SET " .
- "genericname2 = '$thename', " .
- "genericval2 = '$thevalue' " .
- "WHERE pid = '$patient_id'");
+ "genericname2 = ?, " .
+ "genericval2 = ? " .
+ "WHERE pid = ? ", array($thename, $thevalue, $patient_id));
 
  echo "<script language='JavaScript'>\n";
  if ($info_msg) echo " alert('$info_msg');\n";

interface/patient_file/deleter.php

@@ -5,14 +5,22 @@
  * Called from many different pages.
  *
  * Copyright (C) 2005-2013 Rod Roark <[email protected]>
+ * Copyright (C) 2015 Roberto Vasquez <[email protected]>
  *
- * This program is free software; you can redistribute it and/or
+ * LICENSE: This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
  * as published by the Free Software Foundation; either version 2
  * of the License, or (at your option) any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http:https://opensource.org/licenses/gpl-license.php>;.
  *
  * @package OpenEMR
  * @author Rod Roark <[email protected]>
+ * @author Roberto Vasquez <[email protected]>
  * @link http:https://www.open-emr.org
  */
 
@@ -313,7 +321,7 @@ function popup_close() {
  list($patient_id, $encounter_id) = explode(".", $billing);
  if ($GLOBALS['oer_config']['ws_accounting']['enabled'] === 2) {
  sqlStatement("DELETE FROM ar_activity WHERE " .
- "pid = '$patient_id' AND encounter = '$encounter_id'");
+ "pid = ? AND encounter = ? ", array($patient_id, $encounter_id) );
  sqlStatement("DELETE ar_session FROM ar_session LEFT JOIN " .
  "ar_activity ON ar_session.session_id = ar_activity.session_id " .
  "WHERE ar_activity.session_id IS NULL");