/**
 * Escape/sanitize a table name for use in a SQL query.
 *
 * The name is validated by whitelisting: the tables of the currently
 * selected (openemr) database are read with SHOW TABLES and the candidate
 * is checked against that list via escape_identifier(). The die-on-failure
 * flag is passed, so a name that is not an existing table stops execution
 * and an error is reported to the screen and the error log.
 *
 * Do not use this for tables outside the openemr database; call
 * escape_identifier() with an explicit whitelist for that case.
 *
 * NOTE(review): the whitelist is re-queried on every call, and the exact
 * matching rule (e.g. case sensitivity of the comparison) is whatever
 * escape_identifier() implements -- confirm there before relying on it.
 *
 * @param string $s sql table name variable to be escaped/sanitized.
 * @return string Escaped table name variable.
 */
function escape_table_name($s)
{
    // Build the whitelist from the tables that currently exist.
    $whitelist = array();
    $result = sqlStatementNoLog("SHOW TABLES");
    while ($row = sqlFetchArray($result)) {
        // SHOW TABLES returns a single column whose header depends on the
        // database name, so take the first value instead of addressing it
        // by a fixed key.
        $whitelist[] = reset($row);
    }

    // Whitelist-based escaping; the third argument makes a miss fatal.
    return escape_identifier($s, $whitelist, TRUE);
}
case "Lab results": $odrstmt = " ORDER BY procedure_result_date asc"; break; case "Communication": $odrstmt = "ORDER BY ROUND((LENGTH(communications) - LENGTH(REPLACE(communications, ',', '')))/LENGTH(',')) asc, communications asc"; break; case "Demographics": $odrstmt = " ORDER BY patient_date asc"; //$odrstmt = " ROUND((LENGTH(communications) - LENGTH(REPLACE(communications, ',', '')))/LENGTH(',')) , communications"; break; } if (!empty($_REQUEST['sortby']) && !empty($_REQUEST['sortorder'])) { if ($_REQUEST['sortby'] == "communications") { $odrstmt = "ORDER BY ROUND((LENGTH(communications) - LENGTH(REPLACE(communications, ',', '')))/LENGTH(',')) " . escape_sort_order($_REQUEST['sortorder']) . ", communications " . escape_sort_order($_REQUEST['sortorder']); } else { $odrstmt = "ORDER BY " . escape_identifier($_REQUEST['sortby'], $sort, TRUE) . " " . escape_sort_order($_REQUEST['sortorder']); } } $sqlstmt = $sqlstmt . " " . $whr_stmt . " " . $odrstmt; //echo $sqlstmt."<hr>"; $result = sqlStatement($sqlstmt, $sqlBindArray); //print_r($result); $row_id = 1.1; //given to each row to identify and toggle $img_id = 1.2; $k = 1.3; if (sqlNumRows($result) > 0) { $patArr = array(); $patDataArr = array(); $smoke_codes_arr = getSmokeCodes(); while ($row = sqlFetchArray($result)) {