diff --git a/contrib/forms/body_composition/new.php b/contrib/forms/body_composition/new.php index a6413188829..90e94122ed5 100644 --- a/contrib/forms/body_composition/new.php +++ b/contrib/forms/body_composition/new.php @@ -32,7 +32,7 @@ // encode a string from a form field for database writing. function form2db($fldval) { $fldval = trim($fldval); - if (!get_magic_quotes_gpc()) $fldval = addslashes($fldval); + $fldval = formDataCore($fldval); return $fldval; } diff --git a/contrib/forms/body_composition/view.php b/contrib/forms/body_composition/view.php index a6413188829..90e94122ed5 100644 --- a/contrib/forms/body_composition/view.php +++ b/contrib/forms/body_composition/view.php @@ -32,7 +32,7 @@ // encode a string from a form field for database writing. function form2db($fldval) { $fldval = trim($fldval); - if (!get_magic_quotes_gpc()) $fldval = addslashes($fldval); + $fldval = formDataCore($fldval); return $fldval; } diff --git a/contrib/forms/evaluation/C_FormEvaluation.class.php b/contrib/forms/evaluation/C_FormEvaluation.class.php index 8c970f49958..306dc3f1aef 100644 --- a/contrib/forms/evaluation/C_FormEvaluation.class.php +++ b/contrib/forms/evaluation/C_FormEvaluation.class.php @@ -52,7 +52,7 @@ function default_action_process() { addForm($GLOBALS['encounter'], "Evaluation Form", $this->evaluation->id, "evaluation", $GLOBALS['pid'], $_SESSION['userauthorized']); if (!empty($_POST['cpt_code'])) { - $sql = "select * from codes where code ='" . mysql_real_escape_string($_POST['cpt_code']) . "' order by id"; + $sql = "select * from codes where code ='" . add_escape_custom($_POST['cpt_code']) . "' order by id"; $results = sqlQ($sql); diff --git a/contrib/forms/evaluation/FormEvaluation.class.php b/contrib/forms/evaluation/FormEvaluation.class.php index cdfccd4463d..e902d2413e4 100644 --- a/contrib/forms/evaluation/FormEvaluation.class.php +++ b/contrib/forms/evaluation/FormEvaluation.class.php 
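Review bot: `form2db` keeps its header comment `// encode a string from a form field for database writing.` while the body now delegates to `formDataCore($fldval)`, whose contract (escaping, trimming, or both) is not visible in this hunk; the comment should state what the helper actually guarantees, e.g. `// normalise a form field via formDataCore() before it reaches SQL; formDataCore() owns the escaping`. The explicit `trim()` may now be redundant — `formTrim()` in library/formdata.inc.php is `formDataCore($s,true)`, which suggests a trim flag already exists; confirm and keep only one. The same function is patched identically in contrib/forms/body_composition/view.php and contrib/util/import_mi2xml.php, and new.php and view.php carry identical blob ids in their `index` lines, so this helper is duplicated rather than shared and belongs in one include.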
@@ -60,7 +60,7 @@ function FormEvaluation($id= "", $_prefix = "") { function populate() { parent::populate(); - $sql = "SELECT name from form_evaluation_checks where foreign_id = '" . mysql_real_escape_string($this->id) . "'"; + $sql = "SELECT name from form_evaluation_checks where foreign_id = '" . add_escape_custom($this->id) . "'"; $results = sqlQ($sql); while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) { @@ -245,7 +245,7 @@ function persist() { sqlQuery($sql); foreach ($this->checks as $check) { if (!empty($check)) { - $sql = "INSERT INTO form_evaluation_checks set foreign_id='" . mysql_real_escape_string($this->id) . "', name = '" . mysql_real_escape_string($check) . "'"; + $sql = "INSERT INTO form_evaluation_checks set foreign_id='" . add_escape_custom($this->id) . "', name = '" . add_escape_custom($check) . "'"; sqlQuery($sql); //echo "$sql
"; } diff --git a/contrib/forms/evaluation/report.php b/contrib/forms/evaluation/report.php index 8a5d5316aa8..760e2395fc9 100644 --- a/contrib/forms/evaluation/report.php +++ b/contrib/forms/evaluation/report.php @@ -6,7 +6,7 @@ function evaluation_report( $pid, $encounter, $cols, $id) { $count = 0; $data = formFetch("form_evaluation", $id); -$sql = "SELECT name from form_evaluation_checks where foreign_id = '" . mysql_real_escape_string($id) . "'"; +$sql = "SELECT name from form_evaluation_checks where foreign_id = '" . add_escape_custom($id) . "'"; $results = sqlQ($sql); $data2 = array(); while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) { diff --git a/contrib/forms/hp_tje_primary/FormHpTjePrimary.class.php b/contrib/forms/hp_tje_primary/FormHpTjePrimary.class.php index 231ded32cd7..e0bcdfdcc27 100644 --- a/contrib/forms/hp_tje_primary/FormHpTjePrimary.class.php +++ b/contrib/forms/hp_tje_primary/FormHpTjePrimary.class.php @@ -76,7 +76,7 @@ function FormHpTjePrimary($id= "", $_prefix = "") { function populate() { parent::populate(); - $sql = "SELECT name from form_hp_tje_checks where foreign_id = '" . mysql_real_escape_string($this->id) . "'"; + $sql = "SELECT name from form_hp_tje_checks where foreign_id = '" . add_escape_custom($this->id) . "'"; $results = sqlQ($sql); while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) { 
@@ -84,14 +84,14 @@ function populate() { } - $sql = "SELECT doctor,specialty,tx_rendered,effectiveness,date from form_hp_tje_history where foreign_id = '" . mysql_real_escape_string($this->id) . "'"; + $sql = "SELECT doctor,specialty,tx_rendered,effectiveness,date from form_hp_tje_history where foreign_id = '" . add_escape_custom($this->id) . "'"; $results = sqlQ($sql); while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) { $this->history[] = $row; } - $sql = "SELECT nature_of_accident,injuries,date from form_hp_tje_previous_accidents where foreign_id = '" . mysql_real_escape_string($this->id) . "'"; + $sql = "SELECT nature_of_accident,injuries,date from form_hp_tje_previous_accidents where foreign_id = '" . add_escape_custom($this->id) . "'"; $results = sqlQ($sql); while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) { @@ -318,7 +318,7 @@ function persist() { sqlQuery($sql); foreach ($this->checks as $check) { if (!empty($check)) { - $sql = "INSERT INTO form_hp_tje_checks set foreign_id='" . mysql_real_escape_string($this->id) . "', name = '" . mysql_real_escape_string($check) . "'"; + $sql = "INSERT INTO form_hp_tje_checks set foreign_id='" . add_escape_custom($this->id) . "', name = '" . add_escape_custom($check) . "'"; sqlQuery($sql); //echo "$sql
"; } @@ -329,12 +329,12 @@ function persist() { sqlQuery($sql); foreach ($this->history as $history) { if (!empty($history)) { - $sql = "INSERT INTO form_hp_tje_history set foreign_id='" . mysql_real_escape_string($this->id) ."'" - . ", doctor = '" . mysql_real_escape_string($history['doctor']) . "'" - . ", specialty = '" . mysql_real_escape_string($history['specialty']) . "'" - . ", tx_rendered = '" . mysql_real_escape_string($history['tx_rendered']) . "'" - . ", effectiveness = '" . mysql_real_escape_string($history['effectiveness']) . "'" - . ", date = '" . mysql_real_escape_string($history['date']) . "'"; + $sql = "INSERT INTO form_hp_tje_history set foreign_id='" . add_escape_custom($this->id) ."'" + . ", doctor = '" . add_escape_custom($history['doctor']) . "'" + . ", specialty = '" . add_escape_custom($history['specialty']) . "'" + . ", tx_rendered = '" . add_escape_custom($history['tx_rendered']) . "'" + . ", effectiveness = '" . add_escape_custom($history['effectiveness']) . "'" + . ", date = '" . add_escape_custom($history['date']) . "'"; sqlQuery($sql); //echo "$sql
"; } @@ -347,10 +347,10 @@ function persist() { foreach ($this->previous_accidents as $pa) { if (!empty($pa)) { - $sql = "INSERT INTO form_hp_tje_previous_accidents set foreign_id='" . mysql_real_escape_string($this->id) . - "', nature_of_accident = '" . mysql_real_escape_string($pa['nature_of_accident']) . "'" - . ", injuries = '" . mysql_real_escape_string($pa['injuries']) . "'" - . ", date = '" . mysql_real_escape_string($pa['date']) . "'"; + $sql = "INSERT INTO form_hp_tje_previous_accidents set foreign_id='" . add_escape_custom($this->id) . + "', nature_of_accident = '" . add_escape_custom($pa['nature_of_accident']) . "'" + . ", injuries = '" . add_escape_custom($pa['injuries']) . "'" + . ", date = '" . add_escape_custom($pa['date']) . "'"; sqlQuery($sql); //echo "$sql
"; diff --git a/contrib/forms/prosthesis/C_FormProsthesis.class.php b/contrib/forms/prosthesis/C_FormProsthesis.class.php index 0dbe33829b4..dbe6b69cb62 100644 --- a/contrib/forms/prosthesis/C_FormProsthesis.class.php +++ b/contrib/forms/prosthesis/C_FormProsthesis.class.php @@ -51,7 +51,7 @@ function default_action_process() { addForm($GLOBALS['encounter'], "Prosthesis & Orthotics Form", $this->prosthesis->id, "prosthesis", $GLOBALS['pid'], $_SESSION['userauthorized']); if (!empty($_POST['cpt_code'])) { - $sql = "select * from codes where code ='" . mysql_real_escape_string($_POST['cpt_code']) . "' order by id"; + $sql = "select * from codes where code ='" . add_escape_custom($_POST['cpt_code']) . "' order by id"; $results = sqlQ($sql); diff --git a/contrib/forms/psychiatrySet/brief_aan_verwijzer/autosave.php b/contrib/forms/psychiatrySet/brief_aan_verwijzer/autosave.php index 3af0aa2f126..faf0b37a7d4 100644 --- a/contrib/forms/psychiatrySet/brief_aan_verwijzer/autosave.php +++ b/contrib/forms/psychiatrySet/brief_aan_verwijzer/autosave.php @@ -15,7 +15,7 @@ // escape the strings foreach ($_POST as $k => $var) { - $_POST[$k] = mysql_real_escape_string($var); + $_POST[$k] = add_escape_custom($var); // echo "$var\n"; } diff --git a/contrib/forms/psychiatrySet/brief_aan_verwijzer/save.php b/contrib/forms/psychiatrySet/brief_aan_verwijzer/save.php index e4c4bfbd396..19f97ff3148 100644 --- a/contrib/forms/psychiatrySet/brief_aan_verwijzer/save.php +++ b/contrib/forms/psychiatrySet/brief_aan_verwijzer/save.php @@ -12,7 +12,7 @@ foreach ($_POST as $k => $var) { - $_POST[$k] = mysql_real_escape_string($var); + $_POST[$k] = add_escape_custom($var); // echo "$var\n"; } diff --git a/contrib/forms/psychiatrySet/intakeverslag/autosave.php b/contrib/forms/psychiatrySet/intakeverslag/autosave.php index d3c1efc0df0..e4d5a3a9425 100644 --- a/contrib/forms/psychiatrySet/intakeverslag/autosave.php +++ b/contrib/forms/psychiatrySet/intakeverslag/autosave.php 
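Review bot: The loop still rewrites every `$_POST[$k]` in place with a SQL-context escape, so anything later in the script that reads `$_POST` for output, comparison or length checks sees backslash-escaped data instead of the submitted value. Escaping belongs at the point where each value is interpolated into a query (or, better, bound as a parameter), not on the superglobal; if the in-place rewrite has to stay, confirm what `add_escape_custom()` does with array-valued fields, since nested `$_POST` arrays would previously have hit `mysql_real_escape_string()` with a non-string. The same pattern is repeated in the other `save.php`/`autosave.php` files under contrib/forms/psychiatrySet and in interface/forms/ankleinjury, bronchitis and reviewofs `save.php`.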
@@ -17,7 +17,7 @@ // escape the strings foreach ($_POST as $k => $var) { - $_POST[$k] = mysql_real_escape_string($var); + $_POST[$k] = add_escape_custom($var); // echo "$var\n"; } diff --git a/contrib/forms/psychiatrySet/intakeverslag/save.php b/contrib/forms/psychiatrySet/intakeverslag/save.php index 0949ccd5d83..ee33181f57c 100644 --- a/contrib/forms/psychiatrySet/intakeverslag/save.php +++ b/contrib/forms/psychiatrySet/intakeverslag/save.php @@ -12,7 +12,7 @@ foreach ($_POST as $k => $var) { - $_POST[$k] = mysql_real_escape_string($var); + $_POST[$k] = add_escape_custom($var); // echo "$var\n"; } diff --git a/contrib/forms/psychiatrySet/psychiatrisch_onderzoek/autosave.php b/contrib/forms/psychiatrySet/psychiatrisch_onderzoek/autosave.php index 25f2d041a11..7c90fa11b4f 100644 --- a/contrib/forms/psychiatrySet/psychiatrisch_onderzoek/autosave.php +++ b/contrib/forms/psychiatrySet/psychiatrisch_onderzoek/autosave.php @@ -15,7 +15,7 @@ // escape the strings foreach ($_POST as $k => $var) { - $_POST[$k] = mysql_real_escape_string($var); + $_POST[$k] = add_escape_custom($var); // echo "$var\n"; } diff --git a/contrib/forms/psychiatrySet/psychiatrisch_onderzoek/save.php b/contrib/forms/psychiatrySet/psychiatrisch_onderzoek/save.php index ebe72829b03..86c6ea5320d 100644 --- a/contrib/forms/psychiatrySet/psychiatrisch_onderzoek/save.php +++ b/contrib/forms/psychiatrySet/psychiatrisch_onderzoek/save.php @@ -12,7 +12,7 @@ foreach ($_POST as $k => $var) { - $_POST[$k] = mysql_real_escape_string($var); + $_POST[$k] = add_escape_custom($var); // echo "$var\n"; } diff --git a/contrib/forms/review_of_systems/C_FormReviewOfSystems.class.php b/contrib/forms/review_of_systems/C_FormReviewOfSystems.class.php index 6c90d40c750..b4d53c12401 100644 --- a/contrib/forms/review_of_systems/C_FormReviewOfSystems.class.php +++ b/contrib/forms/review_of_systems/C_FormReviewOfSystems.class.php 
@@ -51,7 +51,7 @@ function default_action_process() { addForm($GLOBALS['encounter'], "Review Of Systems", $this->review_of_systems->id, "review_of_systems", $GLOBALS['pid'], $_SESSION['userauthorized']); if (!empty($_POST['cpt_code'])) { - $sql = "select * from codes where code ='" . mysql_real_escape_string($_POST['cpt_code']) . "' order by id"; + $sql = "select * from codes where code ='" . add_escape_custom($_POST['cpt_code']) . "' order by id"; $results = sqlQ($sql); diff --git a/contrib/forms/review_of_systems/FormReviewOfSystems.class.php b/contrib/forms/review_of_systems/FormReviewOfSystems.class.php index 18206bd7785..9821caa58e3 100644 --- a/contrib/forms/review_of_systems/FormReviewOfSystems.class.php +++ b/contrib/forms/review_of_systems/FormReviewOfSystems.class.php @@ -75,7 +75,7 @@ function toString($html = false) { function populate() { parent::populate(); - $sql = "SELECT name from form_review_of_systems_checks where foreign_id = '" . mysql_real_escape_string($this->id) . "'"; + $sql = "SELECT name from form_review_of_systems_checks where foreign_id = '" . add_escape_custom($this->id) . "'"; $results = sqlQ($sql); while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) { @@ -91,7 +91,7 @@ function persist() { sqlQuery($sql); foreach ($this->checks as $check) { if (!empty($check)) { - $sql = "INSERT INTO form_review_of_systems_checks set foreign_id='" . mysql_real_escape_string($this->id) . "', name = '" . mysql_real_escape_string($check) . "'"; + $sql = "INSERT INTO form_review_of_systems_checks set foreign_id='" . add_escape_custom($this->id) . "', name = '" . add_escape_custom($check) . "'"; sqlQuery($sql); //echo "$sql
"; } diff --git a/contrib/forms/review_of_systems/report.php b/contrib/forms/review_of_systems/report.php index 5e608fcaf29..4d7684306a2 100644 --- a/contrib/forms/review_of_systems/report.php +++ b/contrib/forms/review_of_systems/report.php @@ -5,7 +5,7 @@ function review_of_systems_report( $pid, $encounter, $cols, $id) { $count = 0; $data = formFetch("form_review_of_systems", $id); -$sql = "SELECT name from form_review_of_systems_checks where foreign_id = '" . mysql_real_escape_string($id) . "'"; +$sql = "SELECT name from form_review_of_systems_checks where foreign_id = '" . add_escape_custom($id) . "'"; $results = sqlQ($sql); $data2 = array(); while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) { diff --git a/contrib/util/de_identification_upgrade.php b/contrib/util/de_identification_upgrade.php index 5a95fdd42d1..f4bf6cbbb47 100644 --- a/contrib/util/de_identification_upgrade.php +++ b/contrib/util/de_identification_upgrade.php @@ -126,11 +126,14 @@ function upgradeFromSqlFile_de($filename) { if (!empty($_POST['form_submit'])) { upgradeFromSqlFile_de("database_de_identification.sql"); - // grant file privilege to user - if ($sqlconf["host"] == "localhost") - $dbh = mysql_connect($sqlconf['host'],$_POST['root_user_name'],$_POST['root_user_pass'],$sqlconf['host']) or die(mysql_error()); - else - $dbh = mysql_connect($sqlconf['host'].":".$sqlconf['port'],$_POST['root_user_name'],$_POST['root_user_pass']) or die(mysql_error()); +// grant file privilege to user +// if ($sqlconf["host"] == "localhost") +// $dbh = mysql_connect($sqlconf['host'],$_POST['root_user_name'],$_POST['root_user_pass'],$sqlconf['host']) or die(mysql_error()); +// else +// $dbh = mysql_connect($sqlconf['host'].":".$sqlconf['port'],$_POST['root_user_name'],$_POST['root_user_pass']) or die(mysql_error()); + + $dbh = $GLOBALS['dbh']; + if ($dbh == FALSE) { echo "\n"; echo "

".mysql_error()." (#".mysql_errno().")\n"; diff --git a/contrib/util/import_mi2xml.php b/contrib/util/import_mi2xml.php index 99cd543dd87..df75cbf7378 100644 --- a/contrib/util/import_mi2xml.php +++ b/contrib/util/import_mi2xml.php @@ -739,7 +739,7 @@ function get_patientid( $medics ) { // function form2db($fldval) { $fldval = trim($fldval); - if (!get_magic_quotes_gpc()) $fldval = addslashes($fldval); + $fldval = formDataCore($fldval); return $fldval; } diff --git a/controllers/C_PatientFinder.class.php b/controllers/C_PatientFinder.class.php index a185465b658..8eb11b0e7a6 100644 --- a/controllers/C_PatientFinder.class.php +++ b/controllers/C_PatientFinder.class.php @@ -35,9 +35,9 @@ function find_action($form_id, $form_name,$pid) { $isPid = false; //fix any magic quotes meddling - if (get_magic_quotes_gpc()) {$form_id = stripslashes($form_id);} - if (get_magic_quotes_gpc()) {$form_name = stripslashes($form_name);} - if (get_magic_quotes_gpc()) {$pid = stripslashes($pid);} + $form_id = strip_escape_custom($form_id); + $form_name = strip_escape_custom($form_name); + $pid = strip_escape_custom($pid); //prevent javascript injection, whitespace and semi-colons are the worry $form_id = preg_replace("/[^A-Za-z0-9\[\]\_\']/iS","",urldecode($form_id)); @@ -100,7 +100,7 @@ function find_action_process() { * @-param string $search_string parsed for last name */ function search_by_lName($sql, $search_string) { - $lName = mysql_real_escape_string($search_string); + $lName = add_escape_custom($search_string); $sql .= " WHERE lname LIKE '$lName%' ORDER BY lname, fname"; //print "SQL is $sql \n"; $result_array = $this->_db->GetAll($sql); 
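Review bot: The switch to `$dbh = $GLOBALS['dbh'];` drops the root-credential connection, but the code following the `// grant file privilege to user` comment (outside this hunk) presumably still issues privilege grants, which the application's own database account may not be permitted to run; confirm that path succeeds with that account or remove it together with the root prompt. The `if ($dbh == FALSE)` branch still reports through `mysql_error()`/`mysql_errno()`, which is only meaningful if `$GLOBALS['dbh']` is a mysql-extension link — check how globals.php opens it. The five commented-out lines should be deleted rather than kept; version control preserves the old connection code, and the `$_POST['root_user_name']`/`root_user_pass` values they referenced are no longer consumed here.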
@@ -116,7 +116,7 @@ function search_by_lName($sql, $search_string) { */ function search_by_fName($sql, $search_string) { $name_array = split(",", $search_string); - $fName = mysql_real_escape_string( trim($name_array[1]) ); + $fName = add_escape_custom( trim($name_array[1]) ); $sql .= " WHERE fname LIKE '$fName%' ORDER BY lname, fname"; $result_array = $this->_db->GetAll($sql); return $result_array; @@ -130,8 +130,8 @@ function search_by_fName($sql, $search_string) { */ function search_by_FullName($sql, $search_string) { $name_array = split(",", $search_string); - $lName = mysql_real_escape_string($name_array[0]); - $fName = mysql_real_escape_string( trim($name_array[1]) ); + $lName = add_escape_custom($name_array[0]); + $fName = add_escape_custom( trim($name_array[1]) ); $sql .= " WHERE fname LIKE '%$fName%' AND lname LIKE '$lName%' ORDER BY lname, fname"; //print "SQL is $sql \n"; $result_array = $this->_db->GetAll($sql); diff --git a/controllers/C_Prescription.class.php b/controllers/C_Prescription.class.php index 72f3b0f6cc2..4ba21b89edb 100644 --- a/controllers/C_Prescription.class.php +++ b/controllers/C_Prescription.class.php @@ -249,7 +249,7 @@ function multiprint_header(& $pdf, $p) { $pdf->ezImage($GLOBALS['oer_config']['prescriptions']['logo'],'','50','','center',''); $pdf->ezColumnsStart(array('num'=>2, 'gap'=>10)); $res = sqlQuery("SELECT concat('',f.name,'\n',f.street,'\n',f.city,', ',f.state,' ',f.postal_code,'\nTel:',f.phone,if(f.fax != '',concat('\nFax: ',f.fax),'')) addr FROM users JOIN facility AS f ON f.name = users.facility where users.id ='" . - mysql_real_escape_string($p->provider->id) . "'"); + add_escape_custom($p->provider->id) . "'"); $pdf->ezText($res['addr'],12); $my_y = $pdf->y; $pdf->ezNewPage(); 
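Review bot: `search_by_fName` and `search_by_FullName` still call `split(",", $search_string)` and then index `$name_array[1]` unconditionally; `split()` is deprecated since PHP 5.3 and removed in PHP 7, and a search string with no comma leaves offset 1 undefined, so `add_escape_custom( trim($name_array[1]) )` is handed a null. Replace with `$name_array = explode(',', $search_string);` and guard the second element, e.g. `$fName = add_escape_custom(trim(isset($name_array[1]) ? $name_array[1] : ''));`. Both functions also drop the escaped value into a `LIKE` pattern without neutralising `%` and `_`, so user-supplied wildcards are honoured; if that is not intended, escape them before the pattern is built.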
@@ -295,7 +295,7 @@ function multiprint_header(& $pdf, $p) { $pdf->line($pdf->ez['leftMargin'],$pdf->y,$pdf->ez['pageWidth']-$pdf->ez['rightMargin'],$pdf->y); $pdf->ezText('' . xl('Patient Name & Address') . '',6); $pdf->ezText($p->patient->get_name_display(),10); - $res = sqlQuery("SELECT concat(street,'\n',city,', ',state,' ',postal_code,'\n',if(phone_home!='',phone_home,if(phone_cell!='',phone_cell,if(phone_biz!='',phone_biz,'')))) addr from patient_data where pid =". mysql_real_escape_string ($p->patient->id)); + $res = sqlQuery("SELECT concat(street,'\n',city,', ',state,' ',postal_code,'\n',if(phone_home!='',phone_home,if(phone_cell!='',phone_cell,if(phone_biz!='',phone_biz,'')))) addr from patient_data where pid =". add_escape_custom($p->patient->id)); $pdf->ezText($res['addr']); $my_y = $pdf->y; $pdf->ezNewPage(); @@ -328,7 +328,7 @@ function multiprintcss_header($p) { echo ("\n"); echo ("\n"); echo ("\n"); - $res = sqlQuery("SELECT concat('',f.name,'\n',f.street,'\n',f.city,', ',f.state,' ',f.postal_code,'\nTel:',f.phone,if(f.fax != '',concat('\nFax: ',f.fax),'')) addr FROM users JOIN facility AS f ON f.name = users.facility where users.id ='" . mysql_real_escape_string($p->provider->id) . "'"); + $res = sqlQuery("SELECT concat('',f.name,'\n',f.street,'\n',f.city,', ',f.state,' ',f.postal_code,'\nTel:',f.phone,if(f.fax != '',concat('\nFax: ',f.fax),'')) addr FROM users JOIN facility AS f ON f.name = users.facility where users.id ='" . add_escape_custom($p->provider->id) . "'"); $patterns = array ('/\n/','/Tel:/','/Fax:/'); $replace = array ('
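Review bot: `add_escape_custom($p->patient->id)` is concatenated after `where pid =` with no surrounding quotes, and quote-escaping does nothing in an unquoted numeric position — a value made of spaces and SQL keywords contains no quote characters and passes through unchanged — so the swap from `mysql_real_escape_string` leaves this query exactly as exposed as before. Cast instead, `. (int) $p->patient->id`, or quote the literal so the escaping has something to act on. The same unquoted form appears in `multiprintcss_header` (the `@@ -367` hunk below), in `Patient::populate` and `Provider::populate` under library/classes, and for `patient_id` in `Prescription::prescriptions_factory`.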
', xl('Tel').':', xl('Fax').':'); $res = preg_replace($patterns, $replace, $res); @@ -367,7 +367,7 @@ function multiprintcss_header($p) { echo ("\n"); echo ('' . xl('Patient Name & Address') . ''. '
'); echo ($p->patient->get_name_display() . '
'); - $res = sqlQuery("SELECT concat(street,'\n',city,', ',state,' ',postal_code,'\n',if(phone_home!='',phone_home,if(phone_cell!='',phone_cell,if(phone_biz!='',phone_biz,'')))) addr from patient_data where pid =". mysql_real_escape_string ($p->patient->id)); + $res = sqlQuery("SELECT concat(street,'\n',city,', ',state,' ',postal_code,'\n',if(phone_home!='',phone_home,if(phone_cell!='',phone_cell,if(phone_biz!='',phone_biz,'')))) addr from patient_data where pid =". add_escape_custom($p->patient->id)); $patterns = array ('/\n/'); $replace = array ('
'); $res = preg_replace($patterns, $replace, $res); diff --git a/interface/fax/fax_dispatch.php b/interface/fax/fax_dispatch.php index 901d79517e7..7d75e092374 100644 --- a/interface/fax/fax_dispatch.php +++ b/interface/fax/fax_dispatch.php @@ -38,7 +38,7 @@ $info_msg = ""; // This function builds an array of document categories recursively. -// Kittens are the children of cats, you know. :-) +// Kittens are the children of cats, you know. :-)getKittens // function getKittens($catid, $catstring, &$categories) { $cres = sqlStatement("SELECT id, name FROM categories " . @@ -149,7 +149,7 @@ function mergeTiffs() { } $note = "New scanned document $newid: $note"; $form_note_message = trim($_POST['form_note_message']); - if (get_magic_quotes_gpc()) $form_note_message = stripslashes($form_note_message); + $form_note_message = strip_escape_custom($form_note_message); if ($form_note_message) $note .= "\n" . $form_note_message; // addPnote() will do its own addslashes(). $noteid = addPnote($_POST['form_pid'], $note, $userauthorized, '1', @@ -208,7 +208,7 @@ function mergeTiffs() { if ($_POST['form_cb_note'] && !$info_msg) { $note = "New scanned encounter note for visit on " . substr($erow['date'], 0, 10); $form_note_message = trim($_POST['form_note_message']); - if (get_magic_quotes_gpc()) $form_note_message = stripslashes($form_note_message); + $form_note_message = strip_escape_custom($form_note_message); if ($form_note_message) $note .= "\n" . $form_note_message; // addPnote() will do its own addslashes(). addPnote($patient_id, $note, $userauthorized, '1', 
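Review bot: The comment above `getKittens()` now reads `// Kittens are the children of cats, you know. :-)getKittens` — the function name has been pasted onto the end of the joke, which looks like an accidental keystroke rather than an intended edit; restore `// Kittens are the children of cats, you know. :-)` or replace it with a plain description such as `// Recursively collects document categories (children of $catid) into $categories.`, which is what the preceding comment already says the function does. In the `@@ -149` and `@@ -208` hunks the `// addPnote() will do its own addslashes().` comments describe the old magic-quotes contract; now that input is normalised with `strip_escape_custom()`, confirm that `addPnote()` still performs the escaping and name the actual function in the comment.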
@@ -227,11 +227,9 @@ function mergeTiffs() { $form_message = trim($_POST['form_message']); $form_finemode = $_POST['form_finemode'] ? '-m' : '-l'; - if (get_magic_quotes_gpc()) { - $form_from = stripslashes($form_from); - $form_to = stripslashes($form_to); - $form_message = stripslashes($form_message); - } + $form_from = strip_escape_custom($form_from); + $form_to = strip_escape_custom($form_to); + $form_message = strip_escape_custom($form_message); // Generate a cover page using enscript. This can be a cool thing // to do, as enscript is very powerful. diff --git a/interface/forms/ankleinjury/save.php b/interface/forms/ankleinjury/save.php index bc8508a2c2d..65a9f8b0875 100755 --- a/interface/forms/ankleinjury/save.php +++ b/interface/forms/ankleinjury/save.php @@ -4,7 +4,7 @@ include_once("$srcdir/api.inc"); include_once("$srcdir/forms.inc"); foreach ($_POST as $k => $var) { -$_POST[$k] = mysql_escape_string($var); +$_POST[$k] = add_escape_custom($var); //echo "$var\n"; } if ($encounter == "") diff --git a/interface/forms/bronchitis/save.php b/interface/forms/bronchitis/save.php index d33dc782b8a..aa4bc23d83b 100644 --- a/interface/forms/bronchitis/save.php +++ b/interface/forms/bronchitis/save.php @@ -4,7 +4,7 @@ include_once("$srcdir/api.inc"); include_once("$srcdir/forms.inc"); foreach ($_POST as $k => $var) { -$_POST[$k] = mysql_escape_string($var); +$_POST[$k] = add_escape_custom($var); echo "$var\n"; } if ($encounter == "") diff --git a/interface/forms/reviewofs/save.php b/interface/forms/reviewofs/save.php index 433525b5a57..46878ac5def 100644 --- a/interface/forms/reviewofs/save.php +++ b/interface/forms/reviewofs/save.php @@ -24,7 +24,7 @@ include_once("$srcdir/api.inc"); include_once("$srcdir/forms.inc"); foreach ($_POST as $k => $var) { -$_POST[$k] = mysql_escape_string($var); +$_POST[$k] = add_escape_custom($var); echo attr($var); echo "\n"; } 
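Review bot: In interface/forms/bronchitis/save.php the loop body still ends with `echo "$var\n";`, which writes each submitted field back into the response with only SQL-style escaping applied — `add_escape_custom()` does nothing for an HTML context, so this is a reflected-output path for untrusted form data as well as a leftover debug print. The sibling reviewofs/save.php in the same commit uses `echo attr($var);` and ankleinjury/save.php has the echo commented out; either delete the line or follow reviewofs.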
diff --git a/interface/main/calendar/add_edit_event.php b/interface/main/calendar/add_edit_event.php index d4821508897..edc41046758 100644 --- a/interface/main/calendar/add_edit_event.php +++ b/interface/main/calendar/add_edit_event.php @@ -38,7 +38,6 @@ require_once($GLOBALS['srcdir'].'/patient.inc'); require_once($GLOBALS['srcdir'].'/forms.inc'); require_once($GLOBALS['srcdir'].'/calendar.inc'); -require_once($GLOBALS['srcdir'].'/formdata.inc.php'); require_once($GLOBALS['srcdir'].'/options.inc.php'); require_once($GLOBALS['srcdir'].'/encounter_events.inc.php'); require_once($GLOBALS['srcdir'].'/acl.inc'); diff --git a/interface/main/calendar/find_patient.php b/interface/main/calendar/find_patient.php index 5aca22c466c..05eebad0fb1 100644 --- a/interface/main/calendar/find_patient.php +++ b/interface/main/calendar/find_patient.php @@ -9,6 +9,7 @@ // include_once("../../globals.php"); +require_once($GLOBALS['srcdir'].'/formdata.inc.php'); include_once("$srcdir/calendar.inc"); include_once("$srcdir/patient.inc"); diff --git a/interface/main/calendar/findfirstapp.php b/interface/main/calendar/findfirstapp.php index 606bebb61e3..3c71b912fff 100644 --- a/interface/main/calendar/findfirstapp.php +++ b/interface/main/calendar/findfirstapp.php @@ -1,5 +1,6 @@ diff --git a/interface/main/calendar/includes/pnAPI.php b/interface/main/calendar/includes/pnAPI.php index bc1282a08f9..44e9ecf0c00 100644 --- a/interface/main/calendar/includes/pnAPI.php +++ b/interface/main/calendar/includes/pnAPI.php @@ -579,7 +579,7 @@ function pnVarCleanFromInput() } // Clean var - if (get_magic_quotes_gpc()) { + if (check_magic_quotes()) { pnStripslashes($ourvar); } if (!pnSecAuthAction(0, '::', '::', ACCESS_ADMIN)) { diff --git a/interface/main/calendar/modules/PostCalendar/pnuser.php b/interface/main/calendar/modules/PostCalendar/pnuser.php index dfaf318ad8d..f0ce7e135b2 100644 --- a/interface/main/calendar/modules/PostCalendar/pnuser.php 
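Review bot: `pnVarCleanFromInput()` now calls `check_magic_quotes()`, which this commit defines in library/formdata.inc.php, but the pnAPI.php hunk adds no `require_once` for that file, so the call is only safe if formdata.inc.php is already loaded on every path that reaches PostNuke's input cleaning. The rest of the commit is inconsistent on that point: find_patient.php and encounter/forms.php gain `require_once($GLOBALS['srcdir'].'/formdata.inc.php');` while add_edit_event.php loses it, which suggests the include may have moved into globals.php — confirm, and add the require here if it has not. The guarded `pnStripslashes($ourvar);` only matters on PHP versions that still have magic quotes; the branch can be removed outright once those are no longer supported.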
+++ b/interface/main/calendar/modules/PostCalendar/pnuser.php @@ -685,7 +685,7 @@ function postcalendar_user_submit($args) $old_dur_hours = $eventdata['event_dur_hours']; $old_dur_min = $eventdata['event_dur_minutes']; $old_duration = $eventdata['event_duration']; - $eventdata['event_subject'] = mysql_real_escape_string($ekey); + $eventdata['event_subject'] = add_escape_custom($ekey); $eventdata['event_status'] = _EVENT_TEMPORARY; if (!pnModAPIFunc(__POSTCALENDAR__,'user','submitEvent',$eventdata)) { diff --git a/interface/modules/zend_modules/vendor/dompdf/dompdf/www/demo.php b/interface/modules/zend_modules/vendor/dompdf/dompdf/www/demo.php index 6d07acc29e5..02030318972 100644 --- a/interface/modules/zend_modules/vendor/dompdf/dompdf/www/demo.php +++ b/interface/modules/zend_modules/vendor/dompdf/dompdf/www/demo.php @@ -81,4 +81,4 @@ - \ No newline at end of file + diff --git a/interface/patient_file/encounter/diagnosis.php b/interface/patient_file/encounter/diagnosis.php index 0aeefe04196..0a846f527d6 100644 --- a/interface/patient_file/encounter/diagnosis.php +++ b/interface/patient_file/encounter/diagnosis.php @@ -79,7 +79,7 @@ foreach ($diags as $diag) { $justify_string .= $diag . ":"; } - $sql[] = "UPDATE billing set justify = concat(justify,'" . mysql_real_escape_string($justify_string) ."') where encounter = '" . mysql_real_escape_string($_POST['encounter_id']) . "' and pid = '" . mysql_real_escape_string($_POST['patient_id']) . "' and code = '" . mysql_real_escape_string($proc) . "'"; + $sql[] = "UPDATE billing set justify = concat(justify,'" . add_escape_custom($justify_string) ."') where encounter = '" . add_escape_custom($_POST['encounter_id']) . "' and pid = '" . add_escape_custom($_POST['patient_id']) . "' and code = '" . add_escape_custom($proc) . "'"; } } 
@@ -99,9 +99,9 @@ trim($ndc['ndcqty']); } sqlStatement("UPDATE billing SET ndc_info = '$ndc_info' WHERE " . - "encounter = '" . mysql_real_escape_string($_POST['encounter_id']) . "' AND " . - "pid = '" . mysql_real_escape_string($_POST['patient_id']) . "' AND " . - "code = '" . mysql_real_escape_string($ndc['code']) . "'"); + "encounter = '" . add_escape_custom($_POST['encounter_id']) . "' AND " . + "pid = '" . add_escape_custom($_POST['patient_id']) . "' AND " . + "code = '" . add_escape_custom($ndc['code']) . "'"); } } diff --git a/interface/patient_file/encounter/forms.php b/interface/patient_file/encounter/forms.php index e0f56c830e5..9d0b63a1e31 100644 --- a/interface/patient_file/encounter/forms.php +++ b/interface/patient_file/encounter/forms.php @@ -7,6 +7,7 @@ require_once("../../globals.php"); require_once("$srcdir/forms.inc"); +require_once("$srcdir/formdata.inc.php"); require_once("$srcdir/calendar.inc"); require_once("$srcdir/acl.inc"); require_once("$srcdir/formatting.inc.php"); diff --git a/interface/patient_file/summary/summary_title.php b/interface/patient_file/summary/summary_title.php index 79b67630b09..1c8d164d943 100644 --- a/interface/patient_file/summary/summary_title.php +++ b/interface/patient_file/summary/summary_title.php @@ -1,5 +1,6 @@ _table . " WHERE foreign_id " .$foreign_id ; diff --git a/library/classes/Company.class.php b/library/classes/Company.class.php index f7fa68e8aef..a1af1d18298 100644 --- a/library/classes/Company.class.php +++ b/library/classes/Company.class.php @@ -51,7 +51,7 @@ function factory_company($foreign_id = "") { $foreign_id= "like '%'"; } else { - $foreign_id= " = '" . mysql_real_escape_string(strval($foreign_id)) . "'"; + $foreign_id= " = '" . add_escape_custom(strval($foreign_id)) . "'"; } $a = new Address(); $sql = "SELECT id FROM " . $a->_table . " WHERE foreign_id " .$foreign_id ; diff --git a/library/classes/Document.class.php b/library/classes/Document.class.php index 642ef761814..e5dd18f5e25 100644 
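Review bot: The `UPDATE billing SET ndc_info = '$ndc_info' WHERE ...` statement now escapes the three WHERE values but still interpolates `$ndc_info` raw; it is assembled just above from `$ndc['ndcqty']` and related fields whose origin is outside this hunk, so the SET clause remains the unprotected part of the query unless it is escaped where it is built — please confirm. Escaping at the interpolation point, `"UPDATE billing SET ndc_info = '" . add_escape_custom($ndc_info) . "' WHERE " .`, keeps the statement consistently protected regardless of how `$ndc_info` was composed. The enclosing loop starts before this hunk.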
--- a/library/classes/Document.class.php +++ b/library/classes/Document.class.php @@ -154,7 +154,7 @@ function documents_factory($foreign_id = "") { $foreign_id= "like '%'"; } else { - $foreign_id= " = '" . mysql_real_escape_string(strval($foreign_id)) . "'"; + $foreign_id= " = '" . add_escape_custom(strval($foreign_id)) . "'"; } $d = new Document(); @@ -185,7 +185,7 @@ function document_factory_url($url) { die("An invalid URL was specified to crete a new document, this would only be caused if files are being deleted as you are working through the queue. '$filename'\n"); } - $sql = "SELECT id FROM " . $d->_table . " WHERE url= '" . mysql_real_escape_string($url) ."'" ; + $sql = "SELECT id FROM " . $d->_table . " WHERE url= '" . add_escape_custom($url) ."'" ; $result = $d->_db->Execute($sql); if ($result && !$result->EOF) { diff --git a/library/classes/InsuranceCompany.class.php b/library/classes/InsuranceCompany.class.php index 25f66d23941..6d87d54ac23 100644 --- a/library/classes/InsuranceCompany.class.php +++ b/library/classes/InsuranceCompany.class.php @@ -305,11 +305,11 @@ function insurance_companies_factory ($city = "", $sort = "ORDER BY name, id") { $city= ""; } else { - $city = " WHERE city = " . mysql_real_escape_string($foreign_id); + $city = " WHERE city = " . add_escape_custom($foreign_id); } $p = new InsuranceCompany(); $icompanies = array(); - $sql = "SELECT p.id, a.city FROM " . $p->_table . " as p INNER JOIN addresses as a on p.id = a.foreign_id " .$city . " " . mysql_real_escape_string($sort); + $sql = "SELECT p.id, a.city FROM " . $p->_table . " as p INNER JOIN addresses as a on p.id = a.foreign_id " .$city . " " . add_escape_custom($sort); //echo $sql . "
"; $results = sqlQ($sql); diff --git a/library/classes/Note.class.php b/library/classes/Note.class.php index 99e1ed9683a..7d288b81c6e 100644 --- a/library/classes/Note.class.php +++ b/library/classes/Note.class.php @@ -79,7 +79,7 @@ function notes_factory($foreign_id = "") { $foreign_id= "like '%'"; } else { - $foreign_id= " = '" . mysql_real_escape_string(strval($foreign_id)) . "'"; + $foreign_id= " = '" . add_escape_custom(strval($foreign_id)) . "'"; } $d = new note(); diff --git a/library/classes/Patient.class.php b/library/classes/Patient.class.php index 589149d009c..699f73eef6e 100644 --- a/library/classes/Patient.class.php +++ b/library/classes/Patient.class.php @@ -45,7 +45,7 @@ function populate() { $res = sqlQuery("SELECT providerID,fname,lname,mname ". ", DATE_FORMAT(DOB,'%m/%d/%Y') as date_of_birth ". ", pubpid ". - " from " . $this->_table ." where pid =". mysql_real_escape_string($this->id)); + " from " . $this->_table ." where pid =". add_escape_custom($this->id)); if (is_array($res)) { $this->pubpid = $res['pubpid']; $this->lname = $res['lname']; diff --git a/library/classes/Pharmacy.class.php b/library/classes/Pharmacy.class.php index abc2852dd4d..e0904cfc603 100644 --- a/library/classes/Pharmacy.class.php +++ b/library/classes/Pharmacy.class.php @@ -185,11 +185,11 @@ function pharmacies_factory ($city = "", $sort = "ORDER BY name") { $city= ""; } else { - $city = " WHERE city = " . mysql_real_escape_string($foreign_id); + $city = " WHERE city = " . add_escape_custom($foreign_id); } $p = new Pharmacy(); $pharmacies = array(); - $sql = "SELECT p.id, a.city FROM " . $p->_table . " as p INNER JOIN addresses as a on p.id = a.foreign_id " .$city . " " . mysql_real_escape_string($sort); + $sql = "SELECT p.id, a.city FROM " . $p->_table . " as p INNER JOIN addresses as a on p.id = a.foreign_id " .$city . " " . add_escape_custom($sort); //echo $sql . "
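Review bot: In `insurance_companies_factory` the non-empty branch builds `" WHERE city = " . add_escape_custom($foreign_id)` — the value is unquoted, so escaping quote characters does not constrain it, and `$foreign_id` is not a parameter of the function (the signature shows `$city` and `$sort`), so unless it is assigned above the hunk this evaluates to an empty filter and the city restriction never applies. Presumably the parameter was meant: `$city = " WHERE city = '" . add_escape_custom($city) . "'";`. The trailing `" " . add_escape_custom($sort)` is likewise ineffective, because `$sort` is an `ORDER BY` fragment and an identifier/keyword position cannot be protected by string escaping; compare it against a fixed list of allowed clauses instead. `pharmacies_factory` in Pharmacy.class.php repeats both problems and `Prescription::prescriptions_factory` repeats the `ORDER BY` one.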
"; $results = sqlQ($sql); diff --git a/library/classes/PhoneNumber.class.php b/library/classes/PhoneNumber.class.php index 58257910af7..f2b810fac60 100644 --- a/library/classes/PhoneNumber.class.php +++ b/library/classes/PhoneNumber.class.php @@ -51,7 +51,7 @@ static function factory_phone_numbers($foreign_id = "") { $foreign_id= "like '%'"; } else { - $foreign_id= " = '" . mysql_real_escape_string(strval($foreign_id)) . "'"; + $foreign_id= " = '" . add_escape_custom(strval($foreign_id)) . "'"; } $phone_numbers = array(); $p = new PhoneNumber(); diff --git a/library/classes/Prescription.class.php b/library/classes/Prescription.class.php index 4980c2393fc..daf86297000 100644 --- a/library/classes/Prescription.class.php +++ b/library/classes/Prescription.class.php @@ -1,6 +1,7 @@ provider->id) . "'"; + $sql = "SELECT * FROM users JOIN facility AS f ON f.name = users.facility where users.id ='" . add_escape_custom($this->provider->id) . "'"; $db = get_db(); $results = $db->Execute($sql); if (!$results->EOF) { @@ -568,7 +569,7 @@ function get_prescription_florida_display() { $string .= $gnd . $this->provider->federal_drug_id . "\n"; - $sql = "SELECT * FROM users JOIN facility AS f ON f.name = users.facility where users.id ='" . mysql_real_escape_string($this->provider->id) . "'"; + $sql = "SELECT * FROM users JOIN facility AS f ON f.name = users.facility where users.id ='" . add_escape_custom($this->provider->id) . "'"; $results = $db->Execute($sql); if (!$results->EOF) { 
@@ -622,8 +623,8 @@ static function prescriptions_factory($patient_id, require_once (dirname(__FILE__) . "/../translation.inc.php"); $p = new Prescription(); $sql = "SELECT id FROM " . $p->_table . " WHERE patient_id = " . - mysql_real_escape_string($patient_id) . - " ORDER BY " . mysql_real_escape_string($order_by); + add_escape_custom($patient_id) . + " ORDER BY " . add_escape_custom($order_by); $results = sqlQ($sql); while ($row = mysql_fetch_array($results) ) { $prescriptions[] = new Prescription($row['id']); diff --git a/library/classes/Provider.class.php b/library/classes/Provider.class.php index a497188ed48..93568739049 100644 --- a/library/classes/Provider.class.php +++ b/library/classes/Provider.class.php @@ -41,7 +41,7 @@ function Provider ($id = "", $prefix = "") { } function populate() { - $res = sqlQuery("SELECT fname,lname,federaldrugid, specialty, npi, state_license_number FROM users where id =". mysql_real_escape_string($this->id)); + $res = sqlQuery("SELECT fname,lname,federaldrugid, specialty, npi, state_license_number FROM users where id =". add_escape_custom($this->id)); if (is_array($res)) { $this->lname = $res['lname']; diff --git a/library/classes/Tree.class.php b/library/classes/Tree.class.php index a76afc4e176..a65ef17425e 100644 --- a/library/classes/Tree.class.php +++ b/library/classes/Tree.class.php @@ -38,8 +38,8 @@ class Tree { */ function Tree($root,$root_type = ROOT_TYPE_ID) { $this->_db = $GLOBALS['adodb']['db']; - $this->_root = mysql_real_escape_string($root); - $this->_root_type = mysql_real_escape_string($root_type); + $this->_root = add_escape_custom($root); + $this->_root_type = add_escape_custom($root_type); $this->load_tree(); } diff --git a/library/custom_template/ckeditor/_samples/assets/_posteddata.php b/library/custom_template/ckeditor/_samples/assets/_posteddata.php index bb4b7eada16..0d052781cc6 100644 --- a/library/custom_template/ckeditor/_samples/assets/_posteddata.php 
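Review bot: In the prescriptions_factory hunk both escaped values are spliced in without quotes — `WHERE patient_id = ` followed by the bare `$patient_id`, and `ORDER BY ` followed by the bare `$order_by` — so `add_escape_custom` has no quote characters to defuse and a value such as `1 OR 1=1` or `id; --` passes through unchanged. Quote the numeric operand, `" WHERE patient_id = '" . add_escape_custom($patient_id) . "'"` (or cast it with `(int)` if it is always an integer), and validate `$order_by` against the column names the caller is allowed to sort by rather than escaping it, since an ORDER BY fragment cannot be made safe by escaping. The function starts before this hunk, so I cannot see where `$order_by` comes from; if it is only ever a hard-coded default the risk is lower, but the code should not rely on that.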
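Review bot: The Tree constructor now stores the escaped form of `$root` and `$root_type` in `$this->_root` and `$this->_root_type` and only then calls `load_tree()`, so the escaping is bound to the object rather than to the query. Any later use of those properties that is not a SQL string literal — a comparison, a display, a second escape at the query site — would see the already-escaped value; escaping at the point where the SQL is built is the safer shape. `$root_type` also defaults to the constant `ROOT_TYPE_ID`, which suggests it selects behaviour rather than carrying user text; if so, checking it against the known constants is the right guard, and `add_escape_custom` adds nothing. load_tree() is outside this hunk, so I cannot confirm how the properties are consumed.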
+++ b/library/custom_template/ckeditor/_samples/assets/_posteddata.php @@ -32,10 +32,7 @@ foreach ( $postArray as $sForm => $value ) { - if ( get_magic_quotes_gpc() ) - $postedValue = htmlspecialchars( stripslashes( $value ) ) ; - else - $postedValue = htmlspecialchars( $value ) ; + $postedValue = htmlspecialchars( $value ) ; ?> diff --git a/library/formdata.inc.php b/library/formdata.inc.php index a4f4e8e9208..125d8e38849 100644 --- a/library/formdata.inc.php +++ b/library/formdata.inc.php @@ -287,4 +287,13 @@ function strip_escape_custom($s) { function formTrim($s) { return formDataCore($s,true); } + +/** + * Wrapper function for get_magic_quotes_gpc() + * + * @return int + */ +function check_magic_quotes() { + return get_magic_quotes_gpc(); +} ?> diff --git a/library/patient.inc b/library/patient.inc index e7b96520ec7..39519d05048 100644 --- a/library/patient.inc +++ b/library/patient.inc @@ -263,7 +263,7 @@ function getProviderInfo($providerID = "%", $providers_only = true, $facility = } $query = "select distinct id, username, lname, fname, authorized, info, facility " . "from users where username != '' and active = 1 and id $command '" . - mysql_real_escape_string($providerID) . "' " . $param1 . $param2; + add_escape_custom($providerID) . "' " . $param1 . $param2; // sort by last name -- JRM June 2008 $query .= " ORDER BY lname, fname "; $rez = sqlStatement($query); @@ -294,7 +294,7 @@ function getCalendarProviderInfo($providerID = "%", $providers_only = true) { } $query = "select distinct id, username, lname, fname, authorized, info, facility " . "from users where active = 1 and username != '' and id $command '" . - mysql_real_escape_string($providerID) . "' " . $param1; + add_escape_custom($providerID) . "' " . $param1; $rez = sqlStatement($query); for($iter=0; $row=sqlFetchArray($rez); $iter++) diff --git a/library/report.inc b/library/report.inc index d6323eef22b..ed5e0ebbe99 100644 --- a/library/report.inc +++ b/library/report.inc 
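Review bot: The new `check_magic_quotes()` wrapper in formdata.inc.php is documented as `@return int`, but `get_magic_quotes_gpc()` returns a boolean, so the docblock should read `@return bool`. Since this wrapper is now the single place the rest of the code is meant to consult for magic quotes, it is also the right place to protect against the built-in disappearing: `get_magic_quotes_gpc()` is deprecated and was removed in PHP 8.0, so `return function_exists('get_magic_quotes_gpc') ? get_magic_quotes_gpc() : false;` keeps callers working on newer interpreters instead of fataling. A short comment stating that magic quotes are treated as off when the function no longer exists would make the intent explicit.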
@@ -295,8 +295,8 @@ function getPatientBillingEncounter($pid, $encounter) { "LEFT JOIN users AS u ON " . "( b.provider_id != 0 AND u.id = b.provider_id ) OR " . "( b.provider_id = 0 AND u.id = $inv_provider ) " . - "WHERE pid='" . mysql_real_escape_string($pid) . "' AND " . - "encounter = '" . mysql_real_escape_string($encounter) . + "WHERE pid='" . add_escape_custom($pid) . "' AND " . + "encounter = '" . add_escape_custom($encounter) . "' AND activity = '1' ORDER BY date"; /******************************************************************/ $res = sqlStatement($sql); diff --git a/library/spreadsheet.inc.php b/library/spreadsheet.inc.php index a954f997f85..711179f8dbb 100644 --- a/library/spreadsheet.inc.php +++ b/library/spreadsheet.inc.php @@ -22,7 +22,7 @@ // encode a string from a form field for database writing. function form2db($fldval) { $fldval = trim($fldval); - if (!get_magic_quotes_gpc()) $fldval = addslashes($fldval); + $fldval = strip_escape_custom($fldval); return $fldval; } @@ -34,7 +34,7 @@ function real2db($fldval) { // Get the actual string from a form field. function form2real($fldval) { $fldval = trim($fldval); - if (get_magic_quotes_gpc()) $fldval = stripslashes($fldval); + $fldval = strip_escape_custom($fldval); return $fldval; }
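Review bot: In the report.inc hunk the hardened WHERE clause sits two lines below a JOIN condition that still interpolates `$inv_provider` raw (`u.id = $inv_provider`) inside the same statement, so the query is only partially escaped after this change. If `$inv_provider` is always an integer the exposure is small, but it is assigned outside this hunk and I cannot confirm that; `u.id = " . (int)$inv_provider . " ) "` or wrapping it in `add_escape_custom` with quotes would close the gap consistently with the two new lines. getPatientBillingEncounter begins before the hunk.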
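Review bot: In the spreadsheet.inc.php `form2db` hunk the replacement goes the wrong way: the removed line added escaping (`addslashes`) for a value the comment says is being encoded "for database writing", but the new line calls `strip_escape_custom`, whose name — and whose use as the replacement for `stripslashes` in the very next hunk for `form2real` — says it removes escaping. After this commit the two helpers with opposite purposes execute the identical call, so anything passed through `form2db` reaches the SQL layer unescaped, which is a regression from the pre-patch behaviour rather than a cleanup. `form2db` should call the form-to-database encoder instead, e.g. `$fldval = add_escape_custom($fldval);` (the helper this diff uses everywhere else for SQL) or `formDataCore($fldval)` if that is the intended encoder in formdata.inc.php, with `strip_escape_custom` kept only in `form2real`.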