From 5f3fcd7be46bc91d264a83cdc5c39832ab349712 Mon Sep 17 00:00:00 2001
From: bradymiller
Date: Thu, 20 Feb 2014 08:10:33 -0800
Subject: [PATCH] fix sql-injection vulnerability in CDR engine
---
 library/clinical_rules.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/clinical_rules.php b/library/clinical_rules.php
index 55b675259..400464483 100644
--- a/library/clinical_rules.php
+++ b/library/clinical_rules.php
@@ -1053,7 +1053,7 @@ function set_plan_activity_patient($plan,$type,$setting,$patient_id) {
 }
 // Update patient specific row
- $query = "UPDATE `clinical_plans` SET `" . add_escape_custom($type) . "_flag`= ? WHERE id = ? AND pid = ?";
+ $query = "UPDATE `clinical_plans` SET `" . escape_sql_column_name($type."_flag",array("clinical_plans")) . "`= ? WHERE id = ? AND pid = ?";
 sqlStatementCdrEngine($query, array($setting,$plan,$patient_id) );
 }
-- 
2.11.4.GIT
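Review bot: The new line on the `+` side gives no hint why the identifier is now run through escape_sql_column_name() instead of add_escape_custom(), and without that a later maintainer may well revert to the string escaper, which does nothing useful for a name spliced inside backticks; add above the assignment `// $type becomes a column identifier, not a value: validate it against the clinical_plans columns (string escaping cannot protect an identifier); the remaining inputs go through placeholders`. It is also worth confirming what escape_sql_column_name() returns when `$type."_flag"` is not a column of clinical_plans — if it yields an empty string the statement fails as a SQL error rather than silently updating a different column, which is acceptable but should be logged rather than ignored; I cannot see the helper here. If the same add_escape_custom()-inside-backticks pattern appears in sibling setters in this file, they presumably need the same treatment. set_plan_activity_patient begins before this hunk.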