From 53b1e4a3cdbcab9716d4b2c9d805fd2aa93bbb38 Mon Sep 17 00:00:00 2001
From: bradymiller
Date: Sat, 29 Jan 2011 14:45:50 -0800
Subject: [PATCH] CCR-CCD module: upgrade to new security model and bug fix

---
 ccr/createCCR.php | 8 ++++++++
 ccr/createCCRActor.php | 3 ---
 ccr/createCCRAlerts.php | 1 -
 ccr/createCCRImmunization.php | 1 -
 ccr/createCCRMedication.php | 2 +-
 ccr/createCCRProblem.php | 1 -
 ccr/createCCRProcedure.php | 1 -
 ccr/createCCRResult.php | 1 -
 library/sql-ccr.inc | 39 +++++++++++++++++++++------------------
 9 files changed, 30 insertions(+), 27 deletions(-)

diff --git a/ccr/createCCR.php b/ccr/createCCR.php
index 78fc7d47e..8bbff453d 100644
--- a/ccr/createCCR.php
+++ b/ccr/createCCR.php
@@ -23,6 +23,14 @@
 // along with this program; if not, write to the Free Software //
 // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA //
 // ------------------------------------------------------------------------ //
+
+//SANITIZE ALL ESCAPES
+$sanitize_all_escapes=true;
+//
+
+//STOP FAKE REGISTER GLOBALS
+$fake_register_globals=false;
+//
 require_once(dirname(__FILE__) . "/../interface/globals.php");
 require_once(dirname(__FILE__) . "/../library/sql-ccr.inc");
diff --git a/ccr/createCCRActor.php b/ccr/createCCRActor.php
index de70b42e1..ed869f519 100755
--- a/ccr/createCCRActor.php
+++ b/ccr/createCCRActor.php
@@ -24,9 +24,6 @@
 // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA //
 // ------------------------------------------------------------------------ //
-//require_once(dirname(__FILE__) . "/../library/sql-ccr.inc");
-//require_once("uuid.php");
-
 $result = getActorData();
 while ($row = sqlFetchArray($result)) {
diff --git a/ccr/createCCRAlerts.php b/ccr/createCCRAlerts.php
index a5b21bc8a..66625fb62 100644
--- a/ccr/createCCRAlerts.php
+++ b/ccr/createCCRAlerts.php
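Review bot: The two new flags only take effect because they are assigned before `globals.php` is required, and the comments `//SANITIZE ALL ESCAPES` and `//STOP FAKE REGISTER GLOBALS` do not record that ordering constraint for whoever next reorders the includes. A single comment in their place would carry the intent, e.g. `// Must precede the globals.php require: these flags presumably change how it treats request input, so every query in this module has to bind its values (see library/sql-ccr.inc).` The sub-scripts that drop their commented-out require lines later in this patch (createCCRActor.php through createCCRResult.php) now rely on this file having loaded sql-ccr.inc first, which is worth stating here as well.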
@@ -24,7 +24,6 @@
 // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA //
 // ------------------------------------------------------------------------ //
-//require_once(dirname(__FILE__) . "/../library/sql-ccr.inc");
 $result = getAlertData();
 $row = sqlFetchArray($result);
diff --git a/ccr/createCCRImmunization.php b/ccr/createCCRImmunization.php
index 24355cc4b..7e3c5001c 100644
--- a/ccr/createCCRImmunization.php
+++ b/ccr/createCCRImmunization.php
@@ -24,7 +24,6 @@
 // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA //
 // ------------------------------------------------------------------------ //
- //require_once(dirname(__FILE__) . "/../library/sql-ccr.inc");
 $result = getImmunizationData();
 $row = sqlFetchArray($result);
diff --git a/ccr/createCCRMedication.php b/ccr/createCCRMedication.php
index cc5042f2e..87fee61e4 100644
--- a/ccr/createCCRMedication.php
+++ b/ccr/createCCRMedication.php
@@ -24,7 +24,7 @@
 // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA //
 // ------------------------------------------------------------------------ //
- //require_once(dirname(__FILE__) . "/../library/sql-ccr.inc");
+
 $result = getMedicationData();
 $value = sqlFetchArray($result);
diff --git a/ccr/createCCRProblem.php b/ccr/createCCRProblem.php
index b5b38a098..c9c54292c 100644
--- a/ccr/createCCRProblem.php
+++ b/ccr/createCCRProblem.php
@@ -24,7 +24,6 @@
 // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA //
 // ------------------------------------------------------------------------ //
- //require_once(dirname(__FILE__) . "/../library/sql-ccr.inc");
 $result = getProblemData();
 $row = sqlFetchArray($result);
diff --git a/ccr/createCCRProcedure.php b/ccr/createCCRProcedure.php
index 33b2b9b2e..8d7e2a1ae 100644
--- a/ccr/createCCRProcedure.php
+++ b/ccr/createCCRProcedure.php
@@ -24,7 +24,6 @@
 // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA //
 // ------------------------------------------------------------------------ //
- //require_once(dirname(__FILE__) . "/../library/sql-ccr.inc");
 $result = getProcedureData();
 $row = sqlFetchArray($result);
diff --git a/ccr/createCCRResult.php b/ccr/createCCRResult.php
index 5aa495017..13b8e5d23 100644
--- a/ccr/createCCRResult.php
+++ b/ccr/createCCRResult.php
@@ -24,7 +24,6 @@
 // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA //
 // ------------------------------------------------------------------------ //
-//require_once(dirname(__FILE__) . "/../library/sql-ccr.inc");
 $result = getResultData();
 $row = sqlFetchArray($result);
diff --git a/library/sql-ccr.inc b/library/sql-ccr.inc
index 47129350d..06f3be247 100644
--- a/library/sql-ccr.inc
+++ b/library/sql-ccr.inc
@@ -45,9 +45,9 @@ function getMedicationData() {
 prescriptions.active,
 prescriptions.provider_id
 FROM prescriptions
- WHERE prescriptions.patient_id = ".$pid;
+ WHERE prescriptions.patient_id = ?";
- $result = sqlStatement($sql);
+ $result = sqlStatement($sql, array($pid) );
 return $result;
 }
@@ -62,9 +62,9 @@ function getImmunizationData() {
 immunizations.manufacturer,
 list_options.title
 FROM immunizations , list_options
- WHERE immunizations.immunization_id = list_options.option_id and immunizations.patient_id = ".$pid." and list_id = 'immunizations' " ;
+ WHERE immunizations.immunization_id = list_options.option_id and immunizations.patient_id = ? and list_id = 'immunizations' " ;
- $result = sqlStatement($sql);
+ $result = sqlStatement($sql, array($pid) );
 return $result;
 }
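Review bot: Binding `$pid` in getMedicationData and getImmunizationData closes the injection path, but an unset or empty `global $pid` now silently matches no rows where the old concatenation produced a SQL syntax error, so the createCCR*.php callers would emit a CCR with empty sections instead of failing loudly. A guard at the top of each function, `if (empty($pid)) { return false; }`, makes the missing-patient case explicit; whether the callers' `sqlFetchArray($result)` tolerates a non-resource return depends on sqlFetchArray, which is outside this patch. The same applies to the getProcedureData, getProblemData, getAlertData and getActorData hunks that follow. As a point of style, `array($pid) )` carries a stray space before the closing parenthesis in every one of these hunks; `array($pid))` is the conventional form.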
@@ -100,9 +100,9 @@ function getProcedureData() {
 on form_encounter.facility_id = facility.id
 left join users
 on form_encounter.provider_id = users.id
- where lists.type = 'surgery' and lists.pid=".$pid;
+ where lists.type = 'surgery' and lists.pid=?";
- $result = sqlStatement($sql);
+ $result = sqlStatement($sql, array($pid) );
 return $result;
 }
@@ -126,9 +126,9 @@ function getProblemData() {
 on fe.provider_id = u.id
 left join codes as cd
 on cd.code = SUBSTRING(l.diagnosis, LOCATE(':',l.diagnosis)+1)
- where l.type = 'medical_problem' and l.pid=".$pid;
+ where l.type = 'medical_problem' and l.pid=?";
- $result = sqlStatement($sql);
+ $result = sqlStatement($sql, array($pid) );
 return $result;
 }
@@ -153,9 +153,9 @@ function getAlertData() {
 on fe.provider_id = u.id
 left join codes as cd
 on cd.code = SUBSTRING(l.diagnosis, LOCATE(':',l.diagnosis)+1)
- where l.type = 'allergy' and l.pid=".$pid;
+ where l.type = 'allergy' and l.pid=?";
- $result = sqlStatement($sql);
+ $result = sqlStatement($sql, array($pid) );
 return $result;
 }
@@ -164,13 +164,16 @@ function getResultData() {
 global $pid;
- $sql = "
- select date, pid, groupname, ankle_able_to_bear_weight_steps, ankle_x_ray_interpretation
- from form_ankleinjury
- where pid =".$pid;
+ // Commented this out, since throws error because the form_ankleinjury table does not
+ // exist in default OpenEMR instance.
+
+ //$sql = "
+ //select date, pid, groupname, ankle_able_to_bear_weight_steps, ankle_x_ray_interpretation
+ //from form_ankleinjury
+ //where pid =?";
- $result = sqlStatement($sql);
- return $result;
+ //$result = sqlStatement($sql, array($pid) );
+ //return $result;
 }
@@ -180,9 +183,9 @@ function getActorData() {
 $sql = "
 select fname, lname, DOB, sex, pid, street, city, state, postal_code, phone_contact
 from patient_data
- where pid=".$pid;
+ where pid=?";
- $result = sqlStatement($sql);
+ $result = sqlStatement($sql, array($pid) );
 return $result;
 }
-- 
2.11.4.GIT
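Review bot: getResultData() now falls off the end of its body and returns null, yet createCCRResult.php, whose hunk earlier in this patch keeps `$result = getResultData(); $row = sqlFetchArray($result);`, still feeds that value to sqlFetchArray; what sqlFetchArray does with null is outside the patch, but at best the Results section is silently empty and at worst the CCR output picks up a warning. If the section is intentionally disabled, say so in code rather than by omission, `return false; // form_ankleinjury is not present in a default install`, and either guard the caller with `if ($result) { $row = sqlFetchArray($result); }` or stop including createCCRResult.php from createCCR.php. The commented-out query and `global $pid` should be deleted rather than kept in the function body; the commit history preserves them.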