Security fixes 25

DiscoverAndChange · Dec 5, 2015 · 841b17a · 841b17a
1 parent 3b9d2b3
commit 841b17a
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/interface/main/calendar/find_appt_popup.php b/interface/main/calendar/find_appt_popup.php
@@ -72,7 +72,7 @@ function doOneDay($catid, $udate, $starttime, $duration, $prefcatid) {
 
  $catslots = 1;
  if ($input_catid) {
- $srow = sqlQuery("SELECT pc_duration FROM openemr_postcalendar_categories WHERE pc_catid = '$input_catid'");
+ $srow = sqlQuery("SELECT pc_duration FROM openemr_postcalendar_categories WHERE pc_catid = ?", array($input_catid) );
  if ($srow['pc_duration']) $catslots = ceil($srow['pc_duration'] / $slotsecs);
  }
 
@@ -126,21 +126,27 @@ function doOneDay($catid, $udate, $starttime, $duration, $prefcatid) {
  //
  $slots = array_pad(array(), $slotcount, 0);
 
+ $sqlBindArray = array();
+
  // Note there is no need to sort the query results.
  $query = "SELECT pc_eventDate, pc_endDate, pc_startTime, pc_duration, " .
  "pc_recurrtype, pc_recurrspec, pc_alldayevent, pc_catid, pc_prefcatid " .
  "FROM openemr_postcalendar_events " .
- "WHERE pc_aid = '$providerid' AND " .
+ "WHERE pc_aid = ? AND " .
  "pc_eid != '$eid' AND " .
  "((pc_endDate >= '$sdate' AND pc_eventDate < '$edate') OR " .
  "(pc_endDate = '0000-00-00' AND pc_eventDate >= '$sdate' AND pc_eventDate < '$edate'))";
+
+ array_push($sqlBindArray, $providerid);
+
  // phyaura whimmel facility filtering
  if ($_REQUEST['facility'] > 0 ) {
  $facility = $_REQUEST['facility'];
- $query .= " AND pc_facility = $facility";
+ $query .= " AND pc_facility = ?";
+ array_push($sqlBindArray, $facility);
  }
  // end facility filtering whimmel 29apr08
- $res = sqlStatement($query);
+ $res = sqlStatement($query, $sqlBindArray);
 
  while ($row = sqlFetchArray($res)) {
  $thistime = strtotime($row['pc_eventDate'] . " 00:00:00");