From cd804e356adbf490c0d8a6a01c673eedb56a1887 Mon Sep 17 00:00:00 2001
From: bradymiller
Date: Fri, 6 Mar 2015 17:54:09 -0800
Subject: [PATCH] some security fixes
---
 interface/reports/appointments_report.php | 2 +-
 interface/reports/appt_encounter_report.php | 4 ++--
 interface/usergroup/facility_admin.php | 4 ++--
 interface/usergroup/user_admin.php | 2 +-
 library/appointments.inc.php | 8 ++++----
 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/interface/reports/appointments_report.php b/interface/reports/appointments_report.php
index a216e572402..8b9ec463e26 100644
--- a/interface/reports/appointments_report.php
+++ b/interface/reports/appointments_report.php
@@ -365,7 +365,7 @@ function refreshme() { ?> -   +  
diff --git a/interface/reports/appt_encounter_report.php b/interface/reports/appt_encounter_report.php
index 18034d1219e..bff772b8ea6 100644
--- a/interface/reports/appt_encounter_report.php
+++ b/interface/reports/appt_encounter_report.php
@@ -106,7 +106,7 @@ function endDoctor(&$docrow) {
 $query .= "e.pc_eventDate = '$form_from_date' ";
 }
 if ($form_facility !== '') {
- $query .= "AND e.pc_facility = '$form_facility' ";
+ $query .= "AND e.pc_facility = '" . add_escape_custom($form_facility) . "' ";
 }
 // $query .= "AND ( e.pc_catid = 5 OR e.pc_catid = 9 OR e.pc_catid = 10 ) " .
 $query .= "AND e.pc_pid != '' AND e.pc_apptstatus != '?' " .
@@ -134,7 +134,7 @@ function endDoctor(&$docrow) {
 $query .= "fe.date >= '$form_from_date 00:00:00' AND fe.date <= '$form_from_date 23:59:59' ";
 }
 if ($form_facility !== '') {
- $query .= "AND fe.facility_id = '$form_facility' ";
+ $query .= "AND fe.facility_id = '" . add_escape_custom($form_facility) . "' ";
 }
 $query .= ") ORDER BY docname, IFNULL(pc_eventDate, encdate), pc_startTime";
diff --git a/interface/usergroup/facility_admin.php b/interface/usergroup/facility_admin.php
index e0e0eb3560b..d2959787511 100644
--- a/interface/usergroup/facility_admin.php
+++ b/interface/usergroup/facility_admin.php
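Review bot: The escaping in both changed lines of appt_encounter_report.php stops at `$form_facility`, while the context line directly above each of them still interpolates `$form_from_date` unescaped into the same `$query` string (`e.pc_eventDate = '$form_from_date'` in the first hunk, `fe.date >= '$form_from_date 00:00:00' AND fe.date <= '$form_from_date 23:59:59'` in the second). If `$form_from_date` originates in request input, as the `form_` prefix suggests, those lines need the same treatment, e.g. `$query .= "e.pc_eventDate = '" . add_escape_custom($form_from_date) . "' ";`, otherwise the commit closes one injection point and leaves its neighbour open. Where the function that runs `$query` accepts bind parameters, a `?` placeholder with a bind array would be preferable to string escaping for both values. The commented-out `// $query .= "AND ( e.pc_catid = 5 ...` context line is dead code and could be deleted in the same pass. The code that builds `$query` starts and ends outside these hunks.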
@@ -134,7 +134,7 @@ function displayAlert() - +
@@ -191,7 +191,7 @@ function displayAlert() 0) $disabled='disabled'; ?>
diff --git a/interface/usergroup/user_admin.php b/interface/usergroup/user_admin.php
index 6e50ebfd7ad..1b664066c41 100644
--- a/interface/usergroup/user_admin.php
+++ b/interface/usergroup/user_admin.php
@@ -550,7 +550,7 @@ function authorized_clicked() { ?>
-"> +">
diff --git a/library/appointments.inc.php b/library/appointments.inc.php
index 0bb2cd6cddf..7be26a31139 100644
--- a/library/appointments.inc.php
+++ b/library/appointments.inc.php
@@ -82,8 +82,8 @@ function fetchAllEvents( $from_date, $to_date, $provider_id = null, $facility_id
 $facility_filter = '';
 if ( $facility_id ) {
- $event_facility_filter = " AND e.pc_facility = '$facility_id'";
- $provider_facility_filter = " AND u.facility_id = '$facility_id'";
+ $event_facility_filter = " AND e.pc_facility = '" . add_escape_custom($facility_id) . "'"; //escape $facility_id
+ $provider_facility_filter = " AND u.facility_id = '" . add_escape_custom($facility_id) . "'"; //escape $facility_id
 $facility_filter = $event_facility_filter . $provider_facility_filter;
 }
@@ -104,8 +104,8 @@ function fetchAppointments( $from_date, $to_date, $patient_id = null, $provider_
 $facility_filter = '';
 if ( $facility_id ) {
- $event_facility_filter = " AND e.pc_facility = '$facility_id'";
- $provider_facility_filter = " AND u.facility_id = '$facility_id'";
+ $event_facility_filter = " AND e.pc_facility = '" . add_escape_custom($facility_id) . "'"; // escape $facility_id
+ $provider_facility_filter = " AND u.facility_id = '" . add_escape_custom($facility_id) . "'"; // escape $facility_id
 $facility_filter = $event_facility_filter . $provider_facility_filter;
 }
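Review bot: The two added lines in `fetchAllEvents` and the two in `fetchAppointments` build byte-identical SQL fragments from `$facility_id` with the same `add_escape_custom` call, and each carries a trailing `//escape $facility_id` comment that only restates the call; this duplication is exactly why the unescaped interpolation existed twice before the fix, so I would move the fragments into one helper and drop the comments. The `if ( $facility_id )` guard around both blocks is truthiness-based, so a facility id of `0` or `'0'` silently disables the filter — worth confirming that is intended rather than an `!== null` check. If the rest of these functions interpolates `$from_date`, `$to_date` or the provider/patient ids the same way (not visible here), they need the same review. Both functions start and end outside their hunks.
```php
/**
 * SQL fragments restricting events (e.pc_facility) and providers (u.facility_id)
 * to one facility. Escaping of $facility_id happens here and nowhere else.
 * Returns array($event_filter, $provider_filter).
 */
function facilityFilterFragments($facility_id)
{
    $escaped = add_escape_custom($facility_id);
    return array(
        " AND e.pc_facility = '" . $escaped . "'",
        " AND u.facility_id = '" . $escaped . "'",
    );
}

// … unchanged: fetchAllEvents / fetchAppointments up to the facility block …
    if ( $facility_id ) {
        list($event_facility_filter, $provider_facility_filter) = facilityFilterFragments($facility_id);
        $facility_filter = $event_facility_filter . $provider_facility_filter;
    }
```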