From 31b4c870ea84f411834abed13f313124afde3cbe Mon Sep 17 00:00:00 2001
From: Brady Miller
Date: Fri, 12 Oct 2018 00:44:50 -0700
Subject: [PATCH] more bug fixes (#1917)

---
 interface/main/authorizations/authorizations.php | 78 ++++++++++------------
 .../main/authorizations/authorizations_full.php | 60 ++++++++--------
 interface/main/dated_reminders/dated_reminders.php | 40 +++++------
 .../main/dated_reminders/dated_reminders_add.php | 60 ++++++++++-------
 .../main/dated_reminders/dated_reminders_log.php | 55 +++++++-------
 library/dated_reminder_functions.php | 36 ++++------
 6 files changed, 157 insertions(+), 172 deletions(-)

diff --git a/interface/main/authorizations/authorizations.php b/interface/main/authorizations/authorizations.php
index 91d3f1dc9..5090f3573 100644
--- a/interface/main/authorizations/authorizations.php
+++ b/interface/main/authorizations/authorizations.php
@@ -2,32 +2,22 @@ /** * Authorizations script. * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. - * - * @package OpenEMR - * @author Brady Miller - * @link http://www.open-emr.org + * @package OpenEMR + * @link http://www.open-emr.org + * @author Brady Miller + * @copyright Copyright (c) 2018 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ - -include_once("../../globals.php"); -include_once("$srcdir/log.inc"); -include_once("$srcdir/billing.inc"); -include_once("$srcdir/forms.inc"); -include_once("$srcdir/transactions.inc"); -include_once("$srcdir/lists.inc"); -include_once("$srcdir/patient.inc"); -include_once("$srcdir/options.inc.php"); +require_once("../../globals.php"); +require_once("$srcdir/log.inc"); +require_once("$srcdir/billing.inc"); +require_once("$srcdir/forms.inc"); +require_once("$srcdir/transactions.inc"); +require_once("$srcdir/lists.inc"); +require_once("$srcdir/patient.inc"); +require_once("$srcdir/options.inc.php"); // The number of authorizations to display in the quick view: // MAR 20041008 the full authorizations screen sucks... no links to the patient charts 
@@ -41,6 +31,10 @@ $imauthorized = $_SESSION['userauthorized'] || $see_auth > 2; // This authorizes everything for the specified patient. if (isset($_GET["mode"]) && $_GET["mode"] == "authorize" && $imauthorized) { + if (!verifyCsrfToken($_GET["csrf_token_form"])) { + die(xlt('Authentication Error')); + } + $retVal = getProviderId($_SESSION['authUser']); newEvent("authorize", $_SESSION["authUser"], $_SESSION["authProvider"], 1, $_GET["pid"]); sqlStatement("update billing set authorized=1 where pid=?", array($_GET["pid"])); @@ -85,7 +79,7 @@ if (isset($_GET["mode"]) && $_GET["mode"] == "authorize" && $imauthorized) { - + @@ -111,7 +105,7 @@ if ($imauthorized && $see_auth > 1) { if ($result1) { foreach ($result1 as $iter) { $authorize{$iter{"pid"}}{"billing"} .= "" . - htmlspecialchars($iter{"code_text"} . " " . date("n/j/Y", strtotime($iter{"date"})), ENT_NOQUOTES) . + text($iter{"code_text"} . " " . date("n/j/Y", strtotime($iter{"date"}))) . "
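Review bot: The new guard reads `$_GET["csrf_token_form"]` directly, so a request that simply omits the parameter raises an undefined-index notice and hands `null` to verifyCsrfToken before the intended 'Authentication Error' path is reached; check presence first, e.g. `if (!isset($_GET["csrf_token_form"]) || !verifyCsrfToken($_GET["csrf_token_form"])) {`. How verifyCsrfToken treats a null argument is not visible here, so whether this shows up as a warning, a TypeError or a clean rejection depends on its implementation. The same unguarded lookup is added in authorizations_full.php, dated_reminders.php (`$_POST`), dated_reminders_add.php (both the `mID` branch and the `$_POST` branch) and dated_reminders_log.php.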
\n"; } } @@ -127,7 +121,7 @@ if ($imauthorized && $see_auth > 1) { if ($result2) { foreach ($result2 as $iter) { $authorize{$iter{"pid"}}{"transaction"} .= "" . - htmlspecialchars($iter{"title"} . ": " . (strterm($iter{"body"}, 25)) . " " . date("n/j/Y", strtotime($iter{"date"})), ENT_NOQUOTES) . + text($iter{"title"} . ": " . (strterm($iter{"body"}, 25)) . " " . date("n/j/Y", strtotime($iter{"date"}))) . "
\n"; } } @@ -144,7 +138,7 @@ if ($imauthorized && $see_auth > 1) { if ($result3) { foreach ($result3 as $iter) { $authorize{$iter{"pid"}}{"pnotes"} .= "" . - htmlspecialchars((strterm($iter{"body"}, 25)) . " " . date("n/j/Y", strtotime($iter{"date"})), ENT_NOQUOTES) . + text((strterm($iter{"body"}, 25)) . " " . date("n/j/Y", strtotime($iter{"date"}))) . "
\n"; } } @@ -161,7 +155,7 @@ if ($imauthorized && $see_auth > 1) { if ($result4) { foreach ($result4 as $iter) { $authorize{$iter{"pid"}}{"forms"} .= "" . - htmlspecialchars($iter{"form_name"} . " " . date("n/j/Y", strtotime($iter{"date"})), ENT_NOQUOTES) . + text($iter{"form_name"} . " " . date("n/j/Y", strtotime($iter{"date"}))) . "
\n"; } } @@ -187,7 +181,7 @@ if ($authorize) { if ($count >= $N) { print "" . - htmlspecialchars(xl('Some authorizations were not displayed. Click here to view all'), ENT_NOQUOTES) . + xlt('Some authorizations were not displayed. Click here to view all') . "\n"; break; } @@ -196,13 +190,13 @@ if ($authorize) { // Clicking the patient name will load both frames for that patient, // as demographics.php takes care of loading the bottom frame. echo ""; + attr(urlencode($ppid)) . "' target='RTop' onclick='top.restoreSession()'>"; - echo "" . htmlspecialchars($name{"fname"}, ENT_NOQUOTES) . " " . - htmlspecialchars($name{"lname"}, ENT_NOQUOTES) . "
" . + echo "" . text($name{"fname"}) . " " . + text($name{"lname"}) . "
" . "" . - htmlspecialchars(xl('Authorize'), ENT_NOQUOTES) . "\n"; + "&pid=" . attr(urlencode($ppid)) . "&csrf_token_form=" . attr(urlencode(collectCsrfToken())) . "' onclick='top.restoreSession()'>" . + xlt('Authorize') . "\n"; /**** //Michael A Rowley MD 20041012. @@ -218,16 +212,16 @@ if ($authorize) { "select lname from users where id = ?", array($name['providerID']) )); - - echo "".htmlspecialchars(xl('Provider'), ENT_NOQUOTES).":
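Review bot: The CSRF token is now carried in the query string of the `Authorize` link (`"&csrf_token_form=" . attr(urlencode(collectCsrfToken()))`), so a per-session secret ends up in browser history, access and proxy logs and the Referer of requests leaving the target page, while the handler it protects still runs `update billing set authorized=1` on a GET. A small self-posting form with hidden fields keeps the token out of the URL and moves the state change to POST; the handler in the earlier hunk would then read `$_POST` instead of `$_GET`. The same pattern is introduced for the `Authorize` link in authorizations_full.php and for the `dlgopen(... '&csrf_token_form=' ...)` URL in dated_reminders.php. The surrounding table markup is not visible in this hunk, so the excerpt below only replaces the anchor.
```php
// … unchanged: patient-name link echoed above …
echo "<form method='post' style='display:inline' onsubmit='top.restoreSession()'>" .
    "<input type='hidden' name='mode' value='authorize' />" .
    "<input type='hidden' name='pid' value='" . attr($ppid) . "' />" .
    "<input type='hidden' name='csrf_token_form' value='" . attr(collectCsrfToken()) . "' />" .
    "<button type='submit'>" . xlt('Authorize') . "</button>" .
    "</form>\n";
```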
" . - htmlspecialchars($providerName{"lname"}, ENT_NOQUOTES) . "\n"; - echo "".htmlspecialchars(xl('Billing'), ENT_NOQUOTES).":
" . + + echo "".xlt('Provider').":
" . + text($providerName{"lname"}) . "\n"; + echo "".xlt('Billing').":
" . $patient{"billing"} . "\n"; - echo "".htmlspecialchars(xl('Transactions'), ENT_NOQUOTES).":
" . + echo "".xlt('Transactions').":
" . $patient{"transaction"} . "\n"; - echo "".htmlspecialchars(xl('Patient Notes'), ENT_NOQUOTES).":
" . + echo "".xlt('Patient Notes').":
" . $patient{"pnotes"} . "\n"; - echo "".htmlspecialchars(xl('Encounter Forms'), ENT_NOQUOTES).":
" . + echo "".xlt('Encounter Forms').":
" . $patient{"forms"} . "\n"; echo "\n"; @@ -263,7 +257,7 @@ var EditNote = function(note) { location.href = "/interface/patient_file/summary/pnotes_full.php?noteid=" + parts[1] + "&set_pid=" + parts[0] + "&active=1"; // no-op - alert(""); + alert(""); } diff --git a/interface/main/authorizations/authorizations_full.php b/interface/main/authorizations/authorizations_full.php index 03edb97d2..1d30ccfe3 100644 --- a/interface/main/authorizations/authorizations_full.php +++ b/interface/main/authorizations/authorizations_full.php 
@@ -2,28 +2,22 @@ /** * Authorizations full script. * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. - * - * @package OpenEMR - * @author Brady Miller - * @link http://www.open-emr.org + * @package OpenEMR + * @link http://www.open-emr.org + * @author Brady Miller + * @copyright Copyright (c) 2018 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ - -include_once("../../globals.php"); -include_once("$srcdir/patient.inc"); +require_once("../../globals.php"); +require_once("$srcdir/patient.inc"); if (isset($_GET["mode"]) && $_GET["mode"] == "authorize") { + if (!verifyCsrfToken($_GET["csrf_token_form"])) { + die(xlt('Authentication Error')); + } + newEvent("authorize", $_SESSION["authUser"], $_SESSION["authProvider"], 1, '', $_GET["pid"]); sqlStatement("update billing set authorized=1 where pid=?", array($_GET["pid"])); sqlStatement("update forms set authorized=1 where pid=?", array($_GET["pid"])); @@ -39,8 +33,8 @@ if (isset($_GET["mode"]) && $_GET["mode"] == "authorize") { - - + + " . - htmlspecialchars($iter{"user"}, ENT_NOQUOTES) . ":
" . - htmlspecialchars($iter{"code_text"} . " " . date("n/j/Y", strtotime($iter{"date"})), ENT_NOQUOTES) . + text($iter{"user"}) . ": " . + text($iter{"code_text"} . " " . date("n/j/Y", strtotime($iter{"date"}))) . "
\n"; } } @@ -73,8 +67,8 @@ if ($res = sqlStatement("select * from transactions where authorized=0 and group if ($result2) { foreach ($result2 as $iter) { $authorize{$iter{"pid"}}{"transaction"} .= "" . - htmlspecialchars($iter{"user"}, ENT_NOQUOTES) . ": " . - htmlspecialchars($iter{"title"} . ": " . strterm($iter{"body"}, 25) . " " . date("n/j/Y", strtotime($iter{"date"})), ENT_NOQUOTES) . + text($iter{"user"}) . ": " . + text($iter{"title"} . ": " . strterm($iter{"body"}, 25) . " " . date("n/j/Y", strtotime($iter{"date"}))) . "
\n"; } } @@ -91,8 +85,8 @@ if (empty($GLOBALS['ignore_pnotes_authorization'])) { if ($result3) { foreach ($result3 as $iter) { $authorize{$iter{"pid"}}{"pnotes"} .= "" . - htmlspecialchars($iter{"user"}, ENT_NOQUOTES) . ": " . - htmlspecialchars(strterm($iter{"body"}, 25) . " " . date("n/j/Y", strtotime($iter{"date"})), ENT_NOQUOTES) . + text($iter{"user"}) . ": " . + text(strterm($iter{"body"}, 25) . " " . date("n/j/Y", strtotime($iter{"date"}))) . "
\n"; } } @@ -108,8 +102,8 @@ if ($res = sqlStatement("select * from forms where authorized=0 and groupname=?" if ($result4) { foreach ($result4 as $iter) { $authorize{$iter{"pid"}}{"forms"} .= "" . - htmlspecialchars($iter{"user"}, ENT_NOQUOTES) . ": " . - htmlspecialchars($iter{"form_name"} . " " . date("n/j/Y", strtotime($iter{"date"})), ENT_NOQUOTES) . + text($iter{"user"}) . ": " . + text($iter{"form_name"} . " " . date("n/j/Y", strtotime($iter{"date"}))) . "
\n"; } } @@ -125,16 +119,16 @@ if ($authorize) { while (list($ppid,$patient) = each($authorize)) { $name = getPatientData($ppid); - echo "". htmlspecialchars($name{"fname"} . " " . $name{"lname"}, ENT_NOQUOTES) . + echo "". text($name{"fname"} . " " . $name{"lname"}) . "
" . htmlspecialchars(xl('Authorize'), ENT_NOQUOTES) . "\n"; - echo "".htmlspecialchars(xl('Billing'), ENT_NOQUOTES). + attr(urlencode($ppid)) . "&csrf_token_form=" . attr(urlencode(collectCsrfToken())) . "' onclick='top.restoreSession()'>" . xlt('Authorize') . "\n"; + echo "".xlt('Billing'). ":
" . $patient{"billing"} . "\n"; - echo "".htmlspecialchars(xl('Transactions'), ENT_NOQUOTES). + echo "".xlt('Transactions'). ":
" . $patient{"transaction"} . "\n"; - echo "".htmlspecialchars(xl('Patient Notes'), ENT_NOQUOTES). + echo "".xlt('Patient Notes'). ":
" . $patient{"pnotes"} . "\n"; - echo "".htmlspecialchars(xl('Encounter Forms'), ENT_NOQUOTES). + echo "".xlt('Encounter Forms'). ":
" . $patient{"forms"} . "\n"; echo "\n"; $count++; diff --git a/interface/main/dated_reminders/dated_reminders.php b/interface/main/dated_reminders/dated_reminders.php index 0defe6035..4068afbbd 100644 --- a/interface/main/dated_reminders/dated_reminders.php +++ b/interface/main/dated_reminders/dated_reminders.php @@ -2,24 +2,16 @@ /** * Used for displaying dated reminders. * - * Copyright (C) 2012 tajemo.co.za - * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 3 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. - * - * @package OpenEMR - * @author Craig Bezuidenhout - * @link http://www.open-emr.org + * @package OpenEMR + * @link http://www.open-emr.org + * @author Craig Bezuidenhout + * @author Brady Miller + * @copyright Copyright (c) 2012 tajemo.co.za + * @copyright Copyright (c) 2018 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ + // removed as jquery is already called in messages page (if you need to use jQuery, uncomment it futher down) require_once('../../globals.php'); require_once("$srcdir/dated_reminder_functions.php"); 
@@ -43,6 +35,10 @@ require_once("$srcdir/dated_reminder_functions.php"); // Javascript will send a post // ---------------------------------------------------------------------------- if (isset($_POST['drR'])) { + if (!verifyCsrfToken($_POST["csrf_token_form"])) { + die(xlt('Authentication Error')); + } + // set as processed setReminderAsProcessed($_POST['drR']); // ----- get updated data @@ -108,12 +104,12 @@ if (isset($_POST['drR'])) { dlgopen('/interface/main/dated_reminders/dated_reminders_add.php', '_drAdd', 700, 500); }else{ top.restoreSession(); - dlgopen('/interface/main/dated_reminders/dated_reminders_add.php?mID='+id, '_drAdd', 700, 500); + dlgopen('/interface/main/dated_reminders/dated_reminders_add.php?mID='+encodeURIComponent(id)+'&csrf_token_form=', '_drAdd', 700, 500); } } function updateme(id){ - refreshInterval = ; + refreshInterval = ; if(id > 0){ $(".drTD").html('
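Review bot: The CSRF rejection in the `drR` handler answers with `die(xlt('Authentication Error'))`, but the `$.post` callback changed further down in this file (the `@@ -124` hunk) only recognizes the literal `'error'` (`if(data == 'error')`), so a rejected request falls into the success branch and is rendered as if the reminder had been processed. The context comment `// Javascript will send a post` suggests this endpoint is only reached from that AJAX code, in which case returning the sentinel the client already checks, `die('error');`, keeps the two sides in step; alternatively extend the client check to also match the translated message. The `if (isset($_POST['drR']))` block continues outside this hunk, so whether anything after the guard emits a different status could not be checked.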

...

'); } @@ -124,10 +120,14 @@ if (isset($_POST['drR'])) { // Send the skip_timeout_reset parameter to not count this as a manual entry in the // timing out mechanism in OpenEMR. $.post("/interface/main/dated_reminders/dated_reminders.php", - { drR: id, skip_timeout_reset: "1" }, + { + drR: id, + skip_timeout_reset: "1", + csrf_token_form: "" + }, function(data) { if(data == 'error'){ - alert(""); + alert(""); }else{ if(id > 0){ $(".drTD").html('

...

'); diff --git a/interface/main/dated_reminders/dated_reminders_add.php b/interface/main/dated_reminders/dated_reminders_add.php index 51aa67245..14fa7fde0 100644 --- a/interface/main/dated_reminders/dated_reminders_add.php +++ b/interface/main/dated_reminders/dated_reminders_add.php @@ -2,13 +2,13 @@ /** * Used for adding dated reminders. * - * @package OpenEMR - * @author Craig Bezuidenhout - * @author Brady Miller - * @copyright Copyright (C) 2012 tajemo.co.za - * @copyright Copyright (C) 2017 Brady Miller - * @link http://www.open-emr.org - */ + * @package OpenEMR + * @link http://www.open-emr.org + * @author Craig Bezuidenhout + * @author Brady Miller + * @copyright Copyright (c) 2012 tajemo.co.za + * @copyright Copyright (c) 2017-2018 Brady Miller + */ require_once("../../globals.php"); require_once("$srcdir/dated_reminder_functions.php"); @@ -53,6 +53,10 @@ $max_reminder_words=160; // ---------------- FOR FORWARDING MESSAGES -------------> if (isset($_GET['mID']) and is_numeric($_GET['mID'])) { + if (!verifyCsrfToken($_GET["csrf_token_form"])) { + die(xlt('Authentication Error')); + } + $forwarding = true; $this_message = getReminderById($_GET['mID']); } @@ -63,6 +67,10 @@ if (isset($_GET['mID']) and is_numeric($_GET['mID'])) { // --- add reminders if ($_POST) { + if (!verifyCsrfToken($_POST["csrf_token_form"])) { + die(xlt('Authentication Error')); + } + // --- initialize $output as blank $output = ''; $output = '
';// needs in-line styling because stylesheets not yet initialized @@ -112,7 +120,7 @@ if ($_POST) { // ------------ 1) refresh parent window this updates if sent to self echo ' if (opener && !opener.closed && opener.updateme) opener.updateme("new");'; // ------------ 2) communicate with user - echo ' alert("'.addslashes(xl('Reminder Sent')).'");'; + echo ' alert("'.xls('Reminder Sent').'");'; // ------------ 3) close this window echo ' dlgclose();'; echo ''; @@ -137,10 +145,10 @@ if ($_POST) { // get current patient, first check if this is a forwarded message, if it is use the original pid if (isset($this_message['pid'])) { $patientID = (isset($this_message['pid']) ? $this_message['pid'] : 0); - $reminder_title = xlt("Forward this Reminder"); + $reminder_title = xl("Forward this Reminder"); } else { $patientID = (isset($pid) ? $pid : 0); - $reminder_title = xlt("Send a Reminder"); + $reminder_title = xl("Send a Reminder"); } ?> @@ -237,7 +245,7 @@ if (isset($this_message['pid'])) { }) // update word counter var messegeTextarea=$("#message")[0]; - limitText(messegeTextarea.form.message,messegeTextarea.form.countdown,); + limitText(messegeTextarea.form.message,messegeTextarea.form.countdown,); $('.datepicker').datetimepicker({ @@ -287,7 +295,7 @@ if (isset($this_message['pid'])) { border-radius: 5px; padding: 20px 5px !Important; } - + @@ -297,9 +305,11 @@ if (isset($this_message['pid'])) {
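Review bot: `$reminder_title` switches from `xlt("Forward this Reminder")` to `xl("Forward this Reminder")`, i.e. from an escaped to a raw translation, in both branches of the `if (isset($this_message['pid']))` block; that is only safe if every place that later prints the variable wraps it in `text()` or `attr()`, and those output sites are not in this hunk. A short comment on the assignments would make the contract visible to the next editor: `// raw translation: escape with text()/attr() at the output site`.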

+ + +
@@ -327,7 +337,7 @@ if (isset($this_message['pid'])) { 0 AND id != ?', array(intval($_SESSION['authId']))); for ($i=2; $uRow=sqlFetchArray($uSQL); $i++) { - echo ''; + echo ''; } ?> @@ -339,7 +349,7 @@ if (isset($this_message['pid'])) {
@@ -395,16 +405,16 @@ if (isset($this_message['pid'])) {
- + placeholder=" : ">
- +
@@ -432,7 +442,7 @@ if (isset($this_message['pid'])) { $remindersArray[$RA['messageID']]['dDate'] = $RA['dDate']; } - echo '

',xlt('Messages You have sent Today'),'

'; + echo '

'.xlt('Messages You have sent Today').'

'; echo ' @@ -447,11 +457,11 @@ if (isset($this_message['pid'])) { foreach ($remindersArray as $RA) { echo ' - - - - - + + + + + '; } diff --git a/interface/main/dated_reminders/dated_reminders_log.php b/interface/main/dated_reminders/dated_reminders_log.php index 32c377627..72515ab2d 100644 --- a/interface/main/dated_reminders/dated_reminders_log.php +++ b/interface/main/dated_reminders/dated_reminders_log.php @@ -1,31 +1,20 @@ - * Copyright (C) 2017 Brady Miller - * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 3 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. - * - * @package OpenEMR - * @author Craig Bezuidenhout - * @author Brady Miller - * @link http://www.open-emr.org + * @package OpenEMR + * @link http://www.open-emr.org + * @author Craig Bezuidenhout + * @author Brady Miller + * @copyright Copyright (c) 2012 tajemo.co.za + * @copyright Copyright (c) 2017-2018 Brady Miller */ require_once("../../globals.php"); require_once("$srcdir/acl.inc"); require_once("$srcdir/dated_reminder_functions.php"); + use OpenEMR\Core\Header; $isAdmin =acl_check('admin', 'users'); @@ -35,6 +24,10 @@ ------------------- HANDLE POST --------------------- */ if ($_GET) { + if (!verifyCsrfToken($_GET["csrf_token_form"])) { + die(xlt('Authentication Error')); + } + if (!$isAdmin) { if (empty($_GET['sentBy']) and empty($_GET['sentTo'])) { $_GET['sentTo'] = array(intval($_SESSION['authId'])); 
@@ -74,15 +67,15 @@ if ($_GET) { foreach ($remindersArray as $RA) { echo ' - - - - - - - - - + + + + + + + + + '; } @@ -152,6 +145,8 @@ if ($_GET) {
+ +
@@ -173,7 +168,7 @@ if ($_GET) { ',text($user['fname'].' '.$user['mname'].' '.$user['lname']),''; + echo ''; } } ?> @@ -186,7 +181,7 @@ if ($_GET) { ',text($user['fname'].' '.$user['mname'].' '.$user['lname']),''; + echo ''; } } ?> diff --git a/library/dated_reminder_functions.php b/library/dated_reminder_functions.php index 265b15525..10f0585c1 100644 --- a/library/dated_reminder_functions.php +++ b/library/dated_reminder_functions.php @@ -2,24 +2,16 @@ /** * Contains functions used in the dated reminders. * - * Copyright (C) 2012 tajemo.co.za - * - * LICENSE: This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 3 - * of the License, or (at your option) any later version. - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * You should have received a copy of the GNU General Public License - * along with this program. If not, see ;. - * - * @package OpenEMR - * @author Craig Bezuidenhout - * @link http://www.open-emr.org + * @package OpenEMR + * @link http://www.open-emr.org + * @author Craig Bezuidenhout + * @author Brady Miller + * @copyright Copyright (c) 2012 tajemo.co.za + * @copyright Copyright (c) 2018 Brady Miller + * @license https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3 */ + /** * Get Portal Alerts function * 
@@ -75,8 +67,8 @@ function RemindersArray($days_to_show, $today, $alerts_to_show, $userID = false) JOIN `dated_reminders_link` drl ON dr.dr_id = drl.dr_id WHERE drl.to_id = ? AND dr.`message_processed` = 0 - AND dr.`dr_message_due_date` < ADDDATE(NOW(), INTERVAL $days_to_show DAY) - ORDER BY `dr_message_due_date` ASC , `message_priority` ASC LIMIT 0,$alerts_to_show", + AND dr.`dr_message_due_date` < ADDDATE(NOW(), INTERVAL " . escape_limit($days_to_show) . " DAY) + ORDER BY `dr_message_due_date` ASC , `message_priority` ASC LIMIT 0," . escape_limit($alerts_to_show), array($userID) ); @@ -140,7 +132,7 @@ function GetDueReminderCount($days_to_show, $today, $userID = false) JOIN `dated_reminders_link` drl ON dr.dr_id = drl.dr_id WHERE drl.to_id = ? AND dr.`message_processed` = 0 - AND dr.`dr_message_due_date` < ADDDATE(NOW(), INTERVAL $days_to_show DAY)", + AND dr.`dr_message_due_date` < ADDDATE(NOW(), INTERVAL " . escape_limit($days_to_show) . " DAY)", array($userID) ); @@ -214,13 +206,13 @@ function getRemindersHTML($today, $reminders = array()) // end check if reminder is due or overdue // apend to html string $pdHTML .= '
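Review bot: `$days_to_show` and `$alerts_to_show` are now passed through `escape_limit()` before being spliced into `INTERVAL ... DAY` and `LIMIT 0,...`, which is an improvement, but the hunk does not show what that helper guarantees, and `RemindersArray($days_to_show, $today, $alerts_to_show, $userID = false)` and `GetDueReminderCount($days_to_show, $today, $userID = false)` (the `@@ -140` hunk) still accept these values untyped. Normalising them at function entry, `$days_to_show = (int) $days_to_show;` and `$alerts_to_show = (int) $alerts_to_show;`, makes the integer contract explicit independent of the helper, and a `@param int $days_to_show` line in each docblock documents it. Both function bodies start outside their hunks.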

- ' . xlt('Forward') . ' - + ' . xlt('Forward') . ' + ' . xlt('Set As Completed') . ' ' . $warning . ' - ' . + ' . text($r['PatientName']) . ' ' . text($r['message']) . ' - [' . text($r['fromName']) . '] -- 2.11.4.GIT

',text($RA['messageID']),'',text($RA['ToName']),'',text($RA['PatientName']),'',text($RA['message']),'',text($RA['dDate']),''.text($RA['messageID']).''.text($RA['ToName']).''.text($RA['PatientName']).''.text($RA['message']).''.text($RA['dDate']).'
',text($RA['messageID']),'',text($RA['sDate']),'',text($RA['fromName']),'',text($RA['ToName']),'',text($RA['PatientName']),'',text($RA['message']),'',text($RA['dDate']),'',text($RA['pDate']),'',text($RA['processedByName']),''.text($RA['messageID']).''.text($RA['sDate']).''.text($RA['fromName']).''.text($RA['ToName']).''.text($RA['PatientName']).''.text($RA['message']).''.text($RA['dDate']).''.text($RA['pDate']).''.text($RA['processedByName']).'