bug fixins (openemr#2475)

sokogfb · Jun 9, 2019 · 7ebff5a · 7ebff5a
1 parent 5a2530a
commit 7ebff5a
Show file tree

Hide file tree

Showing 41 changed files with 651 additions and 630 deletions.
diff --git a/library/classes/Prescription.class.php b/library/classes/Prescription.class.php
@@ -402,27 +402,27 @@ function set_medication($med)
         }
 
         //below statements are bypassing the persist() function and being used directly in database statements, hence need to use the functions in library/formdata.inc.php
-    // they have already been run through populate() hence stripped of escapes, so now need to be escaped for database (add_escape_custom() function).
+        // they have already been run through populate() hence stripped of escapes, so now need to be escaped for database (add_escape_custom() function).
 
         //check if this drug is on the medication list
-        $dataRow = sqlQuery("select id from lists where type = 'medication' and activity = 1 and (enddate is null or cast(now() as date) < enddate) and upper(trim(title)) = upper(trim('" . add_escape_custom($this->drug) . "')) and pid = " . add_escape_custom($this->patient->id) . ' limit 1');
+        $dataRow = sqlQuery("select id from lists where type = 'medication' and activity = 1 and (enddate is null or cast(now() as date) < enddate) and upper(trim(title)) = upper(trim('" . add_escape_custom($this->drug) . "')) and pid = '" . add_escape_custom($this->patient->id) . "' limit 1");
 
         if ($med && !isset($dataRow['id'])) {
-            $dataRow = sqlQuery("select id from lists where type = 'medication' and activity = 0 and (enddate is null or cast(now() as date) < enddate) and upper(trim(title)) = upper(trim('" . add_escape_custom($this->drug) . "')) and pid = " . add_escape_custom($this->patient->id) . ' limit 1');
+            $dataRow = sqlQuery("select id from lists where type = 'medication' and activity = 0 and (enddate is null or cast(now() as date) < enddate) and upper(trim(title)) = upper(trim('" . add_escape_custom($this->drug) . "')) and pid = '" . add_escape_custom($this->patient->id) . "' limit 1");
 
             if (!isset($dataRow['id'])) {
                 //add the record to the medication list
-                sqlStatement("insert into lists(date,begdate,type,activity,pid,user,groupname,title) values (now(),cast(now() as date),'medication',1," . add_escape_custom($this->patient->id) . ",'" . $$_SESSION['authUser']. "','" . $$_SESSION['authProvider'] . "','" . add_escape_custom($this->drug) . "')");
+                sqlStatement("insert into lists(date,begdate,type,activity,pid,user,groupname,title) values (now(),cast(now() as date),'medication',1,'" . add_escape_custom($this->patient->id) . "','" . add_escape_custom($$_SESSION['authUser']) . "','" . add_escape_custom($$_SESSION['authProvider']) . "','" . add_escape_custom($this->drug) . "')");
             } else {
                 $dataRow = sqlQuery('update lists set activity = 1'
-                            . " ,user = '" . $$_SESSION['authUser']
-                            . "', groupname = '" . $$_SESSION['authProvider'] . "' where id = " . $dataRow['id']);
+                            . " ,user = '" . add_escape_custom($$_SESSION['authUser'])
+                            . "', groupname = '" . add_escape_custom($$_SESSION['authProvider']) . "' where id = '" . add_escape_custom($dataRow['id']) . "'");
             }
         } elseif (!$med && isset($dataRow['id'])) {
             //remove the drug from the medication list if it exists
             $dataRow = sqlQuery('update lists set activity = 0'
-                            . " ,user = '" . $$_SESSION['authUser']
-                            . "', groupname = '" . $$_SESSION['authProvider'] . "' where id = " . $dataRow['id']);
+                            . " ,user = '" . add_escape_custom($$_SESSION['authUser'])
+                            . "', groupname = '" . add_escape_custom($$_SESSION['authProvider']) . "' where id = '" . add_escape_custom($dataRow['id']) . "'");
         }
     }
 
@@ -805,7 +805,7 @@ function get_dispensation_count()
         }
 
         $refills_row = sqlQuery("SELECT count(*) AS count FROM drug_sales " .
-                    "WHERE prescription_id = '" . $this->id . "' AND quantity > 0");
+                    "WHERE prescription_id = ? AND quantity > 0", [$this->id]);
         return $refills_row['count'];
     }
 }// end of Prescription
diff --git a/library/classes/Provider.class.php b/library/classes/Provider.class.php
@@ -42,7 +42,7 @@ function __construct($id = "", $prefix = "")
 
     function populate()
     {
-        $res = sqlQuery("SELECT fname,lname,federaldrugid, specialty, npi, state_license_number FROM users where id =". add_escape_custom($this->id));
+        $res = sqlQuery("SELECT fname,lname,federaldrugid, specialty, npi, state_license_number FROM users where id ='" . add_escape_custom($this->id) . "'");
 
         if (is_array($res)) {
             $this->lname = $res['lname'];

diff --git a/library/classes/Tree.class.php b/library/classes/Tree.class.php
@@ -40,8 +40,8 @@ class Tree
     function __construct($root, $root_type = ROOT_TYPE_ID)
     {
         $this->_db = $GLOBALS['adodb']['db'];
-        $this->_root = add_escape_custom($root);
-        $this->_root_type = add_escape_custom($root_type);
+        $this->_root = $root;
+        $this->_root_type = $root_type;
         $this->load_tree();
     }
 
@@ -51,14 +51,14 @@ function load_tree()
         $tree = array();
         $tree_tmp = array();
 
-      //get the left and right value of the root node
-        $sql = "SELECT * FROM " . $this->_table . " WHERE id='".$root."'";
+        //get the left and right value of the root node
+        $sql = "SELECT * FROM " . $this->_table . " WHERE id=?";
 
         if ($this->root_type == ROOT_TYPE_NAME) {
-            $sql = "SELECT * FROM " . $this->_table . " WHERE name='".$root."'";
+            $sql = "SELECT * FROM " . $this->_table . " WHERE name=?";
         }
 
-        $result = $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+        $result = $this->_db->Execute($sql, [$root]) or die("Error: " . text($this->_db->ErrorMsg()));
         $row = array();
 
         if ($result && !$result->EOF) {
@@ -67,12 +67,12 @@ function load_tree()
             $this->tree = array();
         }
 
-      // start with an empty right stack
+        // start with an empty right stack
         $right = array();
 
-      // now, retrieve all descendants of the root node
-        $sql = "SELECT * FROM " . $this->_table . " WHERE lft BETWEEN " . $row['lft'] . " AND " . $row['rght'] . " ORDER BY parent,name ASC;";
-        $result = $this->_db->Execute($sql);
+        // now, retrieve all descendants of the root node
+        $sql = "SELECT * FROM " . $this->_table . " WHERE lft BETWEEN ? AND ? ORDER BY parent,name ASC;";
+        $result = $this->_db->Execute($sql, [$row['lft'], $row['rght']]);
         $this->_id_name = array();
 
 
@@ -150,10 +150,10 @@ function load_tree()
     function rebuild_tree($parent, $left = null)
     {
 
-      //if no left is supplied assume the existing left is proper
+        //if no left is supplied assume the existing left is proper
         if ($left == null) {
-            $sql = "SELECT lft FROM " . $this->_table . " WHERE id='" . $parent . "';";
-            $result = $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+            $sql = "SELECT lft FROM " . $this->_table . " WHERE id=?;";
+            $result = $this->_db->Execute($sql, [$parent]) or die("Error: " . text($this->_db->ErrorMsg()));
 
             if ($result && !$result->EOF) {
                 $left = $result->fields['lft'];
@@ -164,11 +164,11 @@ function rebuild_tree($parent, $left = null)
             }
         }
 
-      // get all children of this node
-        $sql = "SELECT id FROM " . $this->_table . " WHERE parent='" . $parent . "' ORDER BY id;";
-        $result = $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+        // get all children of this node
+        $sql = "SELECT id FROM " . $this->_table . " WHERE parent=? ORDER BY id;";
+        $result = $this->_db->Execute($sql, [$parent]) or die("Error: " . text($this->_db->ErrorMsg()));
 
-      // the right value of this node is the left value + 1
+        // the right value of this node is the left value + 1
         $right = $left+1;
 
         while ($result && !$result->EOF) {
@@ -181,13 +181,13 @@ function rebuild_tree($parent, $left = null)
             $result->MoveNext();
         }
 
-      // we've got the left value, and now that we've processed
-      // the children of this node we also know the right value
-        $sql = "UPDATE " . $this->_table . " SET lft=".$left.", rght=".$right." WHERE id='".$parent."';";
-      //echo $sql . "<br>";
-        $this->_db->Execute($sql) or die("Error: $sql" . $this->_db->ErrorMsg());
+        // we've got the left value, and now that we've processed
+        // the children of this node we also know the right value
+        $sql = "UPDATE " . $this->_table . " SET lft=?, rght=? WHERE id=?;";
+        //echo $sql . "<br>";
+        $this->_db->Execute($sql, [$left, $right, $parent]) or die("Error: " . text($sql) . " " . text($this->_db->ErrorMsg()));
 
-      // return the right value of this node + 1
+        // return the right value of this node + 1
         return $right+1;
     }
 
@@ -203,33 +203,30 @@ function rebuild_tree($parent, $left = null)
     function add_node($parent_id, $name, $value = "", $aco_spec = "patients|docs")
     {
 
-        $sql = "SELECT * from " . $this->_table . " where parent = '" . $parent_id . "' and name='" . $name . "'";
-        $result = $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+        $sql = "SELECT * from " . $this->_table . " where parent = ? and name=?";
+        $result = $this->_db->Execute($sql, [$parent_id, $name]) or die("Error: " . text($this->_db->ErrorMsg()));
 
         if ($result && !$result->EOF) {
-            die("You cannot add a node with the name '" . $name ."' because one already exists under parent " . $parent_id . "<br>");
+            die("You cannot add a node with the name '" . text($name) ."' because one already exists under parent " . text($parent_id) . "<br>");
         }
 
-        $sql = "SELECT * from " . $this->_table . " where id = '" . $parent_id . "'";
-        $result = $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+        $sql = "SELECT * from " . $this->_table . " where id = ?";
+        $result = $this->_db->Execute($sql, [$parent_id]) or die("Error: " . text($this->_db->ErrorMsg()));
 
         $next_right = 0;
 
         if ($result && !$result->EOF) {
             $next_right = $result->fields['rght'];
         }
 
-        $sql = "UPDATE " . $this->_table . " SET rght=rght+2 WHERE rght>=" . $next_right;
-        $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
-        $sql = "UPDATE " . $this->_table . " SET lft=lft+2 WHERE lft>=" . $next_right;
-        $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+        $sql = "UPDATE " . $this->_table . " SET rght=rght+2 WHERE rght>=?";
+        $this->_db->Execute($sql, [$next_right]) or die("Error: " . text($this->_db->ErrorMsg()));
+        $sql = "UPDATE " . $this->_table . " SET lft=lft+2 WHERE lft>=?";
+        $this->_db->Execute($sql, [$next_right]) or die("Error: " . text($this->_db->ErrorMsg()));
 
         $id = $this->_db->GenID($this->_table . "_seq");
-        $sql = "INSERT INTO " . $this->_table . " SET name='" . add_escape_custom($name) .
-        "', value='" . add_escape_custom($value) . "', aco_spec='" . add_escape_custom($aco_spec) .
-        "', lft='" . $next_right . "', rght='" . ($next_right + 1) .
-        "', parent='" . $parent_id . "', id='" . $id . "'";
-        $this->_db->Execute($sql) or die("Error: $sql :: " . $this->_db->ErrorMsg());
+        $sql = "INSERT INTO " . $this->_table . " SET name=?, value=?, aco_spec=?, lft=?, rght=?, parent=?, id=?";
+        $this->_db->Execute($sql, [$name, $value, $aco_spec, $next_right, ($next_right + 1), $parent_id, $id]) or die("Error: " . text($sql) . " :: " . text($this->_db->ErrorMsg()));
       //$this->rebuild_tree(1,1);
         $this->load_tree();
         return $id;
@@ -246,17 +243,14 @@ function add_node($parent_id, $name, $value = "", $aco_spec = "patients|docs")
     function edit_node($id, $name, $value = "", $aco_spec = "patients|docs")
     {
         $sql = "SELECT c2.id FROM " . $this->_table . " AS c1, " . $this->_table . " AS c2 WHERE " .
-        "c1.id = $id AND c2.id != c1.id AND c2.parent = c1.parent AND c2.name = '" .
-        add_escape_custom($name) . "'";
-        $result = $this->_db->Execute($sql) or die(xlt('Error') . ": " . $this->_db->ErrorMsg());
+        "c1.id = ? AND c2.id != c1.id AND c2.parent = c1.parent AND c2.name = ?";
+        $result = $this->_db->Execute($sql, [$id, $name]) or die(xlt('Error') . ": " . text($this->_db->ErrorMsg()));
         if ($result && !$result->EOF) {
               die(xlt('This name already exists under this parent.') . "<br>");
         }
 
-        $sql = "UPDATE " . $this->_table . " SET name = '" . add_escape_custom($name) .
-        "', value = '" . add_escape_custom($value) .
-        "', aco_spec = '" . add_escape_custom($aco_spec) . "' WHERE id = $id";
-        $this->_db->Execute($sql) or die(xlt('Error') . ": " . $this->_db->ErrorMsg());
+        $sql = "UPDATE " . $this->_table . " SET name = ?, value = ?, aco_spec = ? WHERE id = ?";
+        $this->_db->Execute($sql, [$name, $value, $aco_spec, $id]) or die(xlt('Error') . ": " . text($this->_db->ErrorMsg()));
         $this->load_tree();
         return $id;
     }
@@ -269,9 +263,9 @@ function edit_node($id, $name, $value = "", $aco_spec = "patients|docs")
     function delete_node($id)
     {
 
-        $sql = "SELECT * from " . $this->_table . " where id = '" . $id . "'";
-      //echo $sql . "<br>";
-        $result = $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+        $sql = "SELECT * from " . $this->_table . " where id = ?";
+        //echo $sql . "<br>";
+        $result = $this->_db->Execute($sql, [$id]) or die("Error: " . text($this->_db->ErrorMsg()));
 
         $left = 0;
         $right = 1;
@@ -283,28 +277,28 @@ function delete_node($id)
             $new_parent = $result->fields['parent'];
         }
 
-        $sql = "UPDATE " . $this->_table . " SET rght=rght-2 WHERE rght>" . $right;
-      //echo $sql . "<br>";
-        $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+        $sql = "UPDATE " . $this->_table . " SET rght=rght-2 WHERE rght>?";
+        //echo $sql . "<br>";
+        $this->_db->Execute($sql, [$right]) or die("Error: " . text($this->_db->ErrorMsg()));
 
-        $sql = "UPDATE " . $this->_table . " SET lft=lft-2 WHERE lft>" . $right;
-      //echo $sql . "<br>";
-        $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+        $sql = "UPDATE " . $this->_table . " SET lft=lft-2 WHERE lft>?";
+        //echo $sql . "<br>";
+        $this->_db->Execute($sql, [$right]) or die("Error: " . text($this->_db->ErrorMsg()));
 
-        $sql = "UPDATE " . $this->_table . " SET lft=lft-1, rght=rght-1 WHERE lft>" . $left . " and rght < " . $right;
-      //echo $sql . "<br>";
-        $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+        $sql = "UPDATE " . $this->_table . " SET lft=lft-1, rght=rght-1 WHERE lft>? and rght < ?";
+        //echo $sql . "<br>";
+        $this->_db->Execute($sql, [$left, $right]) or die("Error: " . text($this->_db->ErrorMsg()));
 
-      //only update the childrens parent setting if the node has children
+        //only update the childrens parent setting if the node has children
         if ($right > ($left +1)) {
-            $sql = "UPDATE " . $this->_table . " SET parent='" . $new_parent . "' WHERE parent='" . $id . "'";
+            $sql = "UPDATE " . $this->_table . " SET parent=? WHERE parent=?";
             //echo $sql . "<br>";
-            $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+            $this->_db->Execute($sql, [$new_parent, $id]) or die("Error: " . text($this->_db->ErrorMsg()));
         }
 
-        $sql = "DELETE FROM " . $this->_table . " where id='" . $id . "'";
-      //echo $sql . "<br>";
-        $this->_db->Execute($sql) or die("Error: " . $this->_db->ErrorMsg());
+        $sql = "DELETE FROM " . $this->_table . " where id=?";
+        //echo $sql . "<br>";
+        $this->_db->Execute($sql, [$id]) or die("Error: " . text($this->_db->ErrorMsg()));
         $this->load_tree();
 
         return true;
@@ -376,18 +370,3 @@ function array_merge_n()
 
     return $array;
 }
-
-
-/*
-$db = $GLOBALS['adodb']['db'];
-$sql = "USE document;";
-$db->Execute($sql);
-$t = new Tree(1);
-echo "<pre>";
-print_r($t->tree);
-//$nid = $t->add_node(0,"test node2","test value");
-//$t->add_node($nid,"test child","another value");
-//$t->add_node($nid,"test child");
-print_r($t->tree);
-echo "</pre>";
-*/
diff --git a/modules/sms_email_reminder/batch_phone_notification.php b/modules/sms_email_reminder/batch_phone_notification.php
@@ -15,6 +15,9 @@
 // Updated by:	Maviq on 01/12/2010
 ////////////////////////////////////////////////////////////////////
 
+// comment below exit if plan to use this script
+exit;
+
 $backpic = "";
 //phone notification
 $ignoreAuth=1;
@@ -184,7 +187,7 @@ function cron_InsertNotificationLogEntry($prow, $phone_msg, $phone_gateway)
 
     $sql_loginsert = "INSERT INTO `notification_log` ( `iLogId` , `pid` , `pc_eid` , `message`, `type` , `patient_info` , `smsgateway_info` , `pc_eventDate` , `pc_endDate` , `pc_startTime` , `pc_endTime` , `dSentDateTime` ) VALUES ";
     $sql_loginsert .= "(NULL , ?, ?, ?, 'Phone', ?, ?, ?, ?, ?, ?, ?)";
-    $db_loginsert = ( sqlStatement($sql_loginsert, array($prow[pid], $prow[pc_eid], $message, $patient_info, $phone_gateway, $prow[pc_eventDate], $prow[pc_endDate], $prow[pc_startTime], $prow[pc_endTime], date("Y-m-d H:i:s"))));
+    $db_loginsert = ( sqlStatement($sql_loginsert, array($prow['pid'], $prow['pc_eid'], $message, $patient_info, $phone_gateway, $prow['pc_eventDate'], $prow['pc_endDate'], $prow['pc_startTime'], $prow['pc_endTime'], date("Y-m-d H:i:s"))));
 }
 
 ////////////////////////////////////////////////////////////////////