some security fixes

DiscoverAndChange · Mar 7, 2015 · cd804e3 · cd804e3
1 parent 2afa8fc
commit cd804e3
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 10 deletions.
diff --git a/interface/reports/appointments_report.php b/interface/reports/appointments_report.php
@@ -365,7 +365,7 @@ function refreshme() {
  ?>
  </td>
 
- <td class="detail">&nbsp;<?php echo $appointment['pc_hometext'] ?></td>
+ <td class="detail">&nbsp;<?php echo text($appointment['pc_hometext']) ?></td>
 
  </tr>
 

diff --git a/interface/reports/appt_encounter_report.php b/interface/reports/appt_encounter_report.php
@@ -106,7 +106,7 @@ function endDoctor(&$docrow) {
  $query .= "e.pc_eventDate = '$form_from_date' ";
  }
  if ($form_facility !== '') {
- $query .= "AND e.pc_facility = '$form_facility' ";
+ $query .= "AND e.pc_facility = '" . add_escape_custom($form_facility) . "' ";
  }
  // $query .= "AND ( e.pc_catid = 5 OR e.pc_catid = 9 OR e.pc_catid = 10 ) " .
  $query .= "AND e.pc_pid != '' AND e.pc_apptstatus != '?' " .
@@ -134,7 +134,7 @@ function endDoctor(&$docrow) {
  $query .= "fe.date >= '$form_from_date 00:00:00' AND fe.date <= '$form_from_date 23:59:59' ";
  }
  if ($form_facility !== '') {
- $query .= "AND fe.facility_id = '$form_facility' ";
+ $query .= "AND fe.facility_id = '" . add_escape_custom($form_facility) . "' ";
  }
  $query .= ") ORDER BY docname, IFNULL(pc_eventDate, encdate), pc_startTime";
 

diff --git a/interface/usergroup/facility_admin.php b/interface/usergroup/facility_admin.php
@@ -134,7 +134,7 @@ function displayAlert()
  <input type=hidden name=mode value="facility">
  <input type=hidden name=newmode value="admin_facility"> <!-- Diffrentiate Admin and add post backs -->
  <input type=hidden name=fid value="<?php echo $my_fid;?>">
- <?php $facility = sqlQuery("select * from facility where id='$my_fid'"); ?>
+ <?php $facility = sqlQuery("select * from facility where id=?", array($my_fid)); ?>
 
  <table border=0 cellpadding=0 cellspacing=1 style="width:630px;">
  <tr>
@@ -191,7 +191,7 @@ function displayAlert()
  </tr>
  <?php
  $disabled='';
- $resPBE=sqlStatement("select * from facility where primary_business_entity='1' and id!='".$my_fid."'");
+ $resPBE=sqlStatement("select * from facility where primary_business_entity='1' and id!=?", array($my_fid));
  if(sqlNumRows($resPBE)>0)
  $disabled='disabled';
  ?>

diff --git a/interface/usergroup/user_admin.php b/interface/usergroup/user_admin.php
@@ -550,7 +550,7 @@ function authorized_clicked() {
 ?>
 </table>
 
-<INPUT TYPE="HIDDEN" NAME="id" VALUE="<?php echo $_GET["id"]; ?>">
+<INPUT TYPE="HIDDEN" NAME="id" VALUE="<?php echo attr($_GET["id"]); ?>">
 <INPUT TYPE="HIDDEN" NAME="mode" VALUE="update">
 <INPUT TYPE="HIDDEN" NAME="privatemode" VALUE="user_admin">
 

diff --git a/library/appointments.inc.php b/library/appointments.inc.php
@@ -82,8 +82,8 @@ function fetchAllEvents( $from_date, $to_date, $provider_id = null, $facility_id
 
  $facility_filter = '';
  if ( $facility_id ) {
- $event_facility_filter = " AND e.pc_facility = '$facility_id'";
- $provider_facility_filter = " AND u.facility_id = '$facility_id'";
+ $event_facility_filter = " AND e.pc_facility = '" . add_escape_custom($facility_id) . "'"; //escape $facility_id
+ $provider_facility_filter = " AND u.facility_id = '" . add_escape_custom($facility_id) . "'"; //escape $facility_id 
  $facility_filter = $event_facility_filter . $provider_facility_filter;
  }
 
@@ -104,8 +104,8 @@ function fetchAppointments( $from_date, $to_date, $patient_id = null, $provider_
 
  $facility_filter = '';
  if ( $facility_id ) {
- $event_facility_filter = " AND e.pc_facility = '$facility_id'";
- $provider_facility_filter = " AND u.facility_id = '$facility_id'";
+ $event_facility_filter = " AND e.pc_facility = '" . add_escape_custom($facility_id) . "'"; // escape $facility_id
+ $provider_facility_filter = " AND u.facility_id = '" . add_escape_custom($facility_id) . "'"; // escape $facility_id
  $facility_filter = $event_facility_filter . $provider_facility_filter;
  }