From 54dbea19f9f9d0c1ddae80e95a5f0bcde08d142c Mon Sep 17 00:00:00 2001
From: unknown
Date: Fri, 30 Nov 2012 16:22:47 -0500
Subject: [PATCH] sql injection fix for chart_location_activity

---
 interface/reports/chart_location_activity.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/interface/reports/chart_location_activity.php b/interface/reports/chart_location_activity.php
index 3a23177b7..ca76821f6 100644
--- a/interface/reports/chart_location_activity.php
+++ b/interface/reports/chart_location_activity.php
@@ -61,8 +61,8 @@ $curr_pid = $pid;
 $ptrow = array();
 if (!empty($form_patient_id)) {
 $query = "SELECT pid, pubpid, fname, mname, lname FROM patient_data WHERE " .
- "pubpid = '$form_patient_id' ORDER BY pid LIMIT 1";
- $ptrow = sqlQuery($query);
+ "pubpid = ? ORDER BY pid LIMIT 1";
+ $ptrow = sqlQuery($query,array($form_patient_id));
 if (empty($ptrow)) {
 $curr_pid = 0;
 echo "" . xl('Chart ID') . " '" . $form_patient_id . "' " . xl('not found!') . "
 
";
@@ -73,8 +73,8 @@ if (!empty($form_patient_id)) {
 }
 else if (!empty($curr_pid)) {
 $query = "SELECT pid, pubpid, fname, mname, lname FROM patient_data WHERE " .
- "pid = '$curr_pid'";
- $ptrow = sqlQuery($query);
+ "pid = ?";
+ $ptrow = sqlQuery($query,array($curr_pid));
 $form_patient_id = $ptrow['pubpid'];
 }
 if (!empty($ptrow)) {
--
2.11.4.GIT
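Review bot: `$form_patient_id` is now bound as a query parameter, but the context line `echo "" . xl('Chart ID') . " '" . $form_patient_id . "' " ...` three lines below still concatenates the same value unescaped into HTML, so a value that can no longer reach SQL can still reach the browser. Where `$form_patient_id` is assigned is outside this hunk; if it is request-supplied, escape it at the output boundary: `" '" . htmlspecialchars($form_patient_id, ENT_QUOTES, 'UTF-8') . "' "`. The second hunk applies the same `?` placeholder to `$curr_pid` and is fine on that point; in both hunks `sqlQuery($query,array(...))` would read better as `sqlQuery($query, array(...))`. The enclosing if/else chain starts before this hunk and continues past it.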
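Review bot: `$form_patient_id = $ptrow['pubpid'];` directly after the new `sqlQuery($query,array($curr_pid))` call reads the result without checking it, whereas the first hunk guards the equivalent lookup with `if (empty($ptrow))`; if no patient_data row matches `$curr_pid`, this is an index read on an empty result (what sqlQuery returns in that case is not visible here). Mirroring the first branch with `$form_patient_id = empty($ptrow) ? '' : $ptrow['pubpid'];` keeps the fall-through into `if (!empty($ptrow))` consistent between the two branches. The else-if branch closes inside the hunk, but the surrounding chain begins before it.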