function formDataCore($s, $isTrim = false) { //trim if selected if ($isTrim) { $s = trim($s); } //strip escapes $s = strip_escape_custom($s); //add escapes for safe database insertion $s = add_escape_custom($s); return $s; }
/** * Function that will display a patient finder widged, allowing * the user to input search parameters to find a patient id. */ function find_action($form_id, $form_name, $pid) { $isPid = false; //fix any magic quotes meddling $form_id = strip_escape_custom($form_id); $form_name = strip_escape_custom($form_name); $pid = strip_escape_custom($pid); //prevent javascript injection, whitespace and semi-colons are the worry $form_id = preg_replace("/[^A-Za-z0-9\\[\\]\\_\\']/iS", "", urldecode($form_id)); $form_name = preg_replace("/[^A-Za-z0-9\\[\\]\\_\\']/iS", "", urldecode($form_name)); $this->assign('form_id', $form_id); $this->assign('form_name', $form_name); if (!empty($pid)) { $isPid = true; } $this->assign('hidden_ispid', $isPid); return $this->fetch($GLOBALS['template_dir'] . "patient_finder/" . $this->template_mod . "_find.html"); }
function persist() { $sql = "REPLACE INTO " . $_prefix . $this->_table . " SET "; //echo "<br><br>"; $fields = sqlListFields($this->_table); $db = get_db(); $pkeys = $db->MetaPrimaryKeys($this->_table); foreach ($fields as $field) { $func = "get_" . $field; //echo "f: $field m: $func status: " . (is_callable(array($this,$func))? "yes" : "no") . "<br>"; if (is_callable(array($this, $func))) { $val = call_user_func(array($this, $func)); //modified 01-2010 by BGM to centralize to formdata.inc.php // have place several debug statements to allow standardized testing over next several months if (!is_array($val)) { //DEBUG LINE - error_log("ORDataObject persist before strip: ".$val, 0); $val = strip_escape_custom($val); //DEBUG LINE - error_log("ORDataObject persist after strip: ".$val, 0); } if (in_array($field, $pkeys) && empty($val)) { $last_id = generate_id(); call_user_func(array(&$this, "set_" . $field), $last_id); $val = $last_id; } if (!empty($val)) { //echo "s: $field to: $val <br>"; //modified 01-2010 by BGM to centralize to formdata.inc.php // have place several debug statements to allow standardized testing over next several months $sql .= " `" . $field . "` = '" . add_escape_custom(strval($val)) . "',"; //DEBUG LINE - error_log("ORDataObject persist after escape: ".add_escape_custom(strval($val)), 0); //DEBUG LINE - error_log("ORDataObject persist after escape and then stripslashes test: ".stripslashes(add_escape_custom(strval($val))), 0); //DEBUG LINE - error_log("ORDataObject original before the escape and then stripslashes test: ".strval($val), 0); } } } if (strrpos($sql, ",") == strlen($sql) - 1) { $sql = substr($sql, 0, strlen($sql) - 1); } //echo "<br>sql is: " . $sql . "<br /><br>"; sqlQuery($sql); return true; }
function populate_object(&$obj) { if (!is_object($obj)) { $this->function_argument_error(); } foreach ($_POST as $varname => $var) { $varname = preg_replace("/[^A-Za-z0-9_]/", "", $varname); $func = "set_" . $varname; if (!(strpos("_", $varname) === 0) && is_callable(array($obj, $func))) { //echo "c: $func on w: " . $var . "<br />"; //modified 01-2010 by BGM to centralize to formdata.inc.php // have place several debug statements to allow standardized testing over next several months if (!is_array($var)) { //DEBUG LINE - error_log("Controller populate before strip: ".$var, 0); $var = strip_escape_custom($var); //DEBUG LINE - error_log("Controller populate after strip: ".$var, 0); } call_user_func_array(array(&$obj, $func), array($var, $_POST)); } } return true; }
$plid = $_REQUEST['plid'] + 0; // pid $ymd = $_REQUEST['date']; if (empty($ymd)) { die("Internal error: date parameter is missing"); } $date = substr($ymd, 0, 4) . '-' . substr($ymd, 4, 2) . '-' . substr($ymd, 6, 2); $form_fitness = formData('form_fitness'); $form_issue = formData('form_issue') + 0; $form_to = formData('form_to'); $form_note = empty($_POST['form_note']) ? '' : $_POST['form_note']; $form_note = strip_escape_custom($form_note); $form_am = empty($_POST['form_am']) ? '' : $_POST['form_am']; $form_am = strip_escape_custom($form_am); $form_pm = empty($_POST['form_pm']) ? '' : $_POST['form_pm']; $form_pm = strip_escape_custom($form_pm); function gen_list_options($list_id, $default = '') { $res = sqlStatement("SELECT * FROM list_options WHERE " . "list_id = '{$list_id}' ORDER BY seq"); while ($row = sqlFetchArray($res)) { $key = $row['option_id']; echo " <option value='{$key}'"; if ($key == $default) { echo " selected"; } echo ">" . $row['title'] . "</option>\n"; } } $alertmsg = ''; // anything here pops up in an alert box // Get player info.
function form2real($fldval) { $fldval = trim($fldval); $fldval = strip_escape_custom($fldval); return $fldval; }
} else { echo "<a href='" . $GLOBALS['webroot'] . "/interface/main/main.php' target='Main' class='menu' onclick='top.restoreSession()'>"; } xl('Return to calendar', 'e'); ?> </a> <div id="calsearch_params"> <form name="theform" id="theform" action="<?php echo $this->_tpl_vars['FORM_ACTION']; ?> " method="POST"> <!-- onsubmit="return top.restoreSession()"> --> <?php xl('Keywords', 'e'); ?> : <input type="text" name="pc_keywords" id="pc_keywords" value="<?php echo htmlspecialchars(strip_escape_custom($_POST['pc_keywords']), ENT_QUOTES); ?> " /> <select name="pc_keywords_andor"> <option value="AND"><?php xl('AND', 'e'); ?> </option> <option value="OR"><?php xl('OR', 'e'); ?> </option> </select> <?php xl('IN', 'e'); ?>
// Tag style for stuff to hide if not an LBF layout. Currently just for the Source column. $lbfonly = substr($layout_id, 0, 3) == 'LBF' ? "" : "style='display:none;'"; // Handle the Form actions if ($_POST['formaction'] == "save" && $layout_id) { // If we are saving, then save. $fld = $_POST['fld']; for ($lino = 1; isset($fld[$lino]['id']); ++$lino) { $iter = $fld[$lino]; $field_id = formTrim($iter['id']); $data_type = formTrim($iter['data_type']); $listval = $data_type == 34 ? formTrim($iter['contextName']) : formTrim($iter['list_id']); // Skip conditions for the line are stored as a serialized array. $condarr = array(); for ($cix = 0; !empty($iter['condition_id'][$cix]); ++$cix) { $andor = empty($iter['condition_andor'][$cix]) ? '' : $iter['condition_andor'][$cix]; $condarr[$cix] = array('id' => strip_escape_custom($iter['condition_id'][$cix]), 'itemid' => strip_escape_custom($iter['condition_itemid'][$cix]), 'operator' => strip_escape_custom($iter['condition_operator'][$cix]), 'value' => strip_escape_custom($iter['condition_value'][$cix]), 'andor' => strip_escape_custom($andor)); } $conditions = empty($condarr) ? '' : serialize($condarr); if ($field_id) { sqlStatement("UPDATE layout_options SET " . "source = '" . formTrim($iter['source']) . "', " . "title = '" . formTrim($iter['title']) . "', " . "group_name = '" . formTrim($iter['group']) . "', " . "seq = '" . formTrim($iter['seq']) . "', " . "uor = '" . formTrim($iter['uor']) . "', " . "fld_length = '" . formTrim($iter['lengthWidth']) . "', " . "fld_rows = '" . formTrim($iter['lengthHeight']) . "', " . "max_length = '" . formTrim($iter['maxSize']) . "', " . "titlecols = '" . formTrim($iter['titlecols']) . "', " . "datacols = '" . formTrim($iter['datacols']) . "', " . "data_type= '{$data_type}', " . "list_id= '" . $listval . "', " . "list_backup_id= '" . formTrim($iter['list_backup_id']) . "', " . "edit_options = '" . formTrim($iter['edit_options']) . "', " . "default_value = '" . formTrim($iter['default']) . "', " . "description = '" . formTrim($iter['desc']) . "', " . "conditions = '" . add_escape_custom($conditions) . "', " . "validation = '" . formTrim($iter['validation']) . "' " . "WHERE form_id = '{$layout_id}' AND field_id = '{$field_id}'"); } } } else { if ($_POST['formaction'] == "addfield" && $layout_id) { // Add a new field to a specific group $data_type = formTrim($_POST['newdatatype']); $max_length = $data_type == 3 ? 3 : 255; $listval = $data_type == 34 ? formTrim($_POST['contextName']) : formTrim($_POST['newlistid']); sqlStatement("INSERT INTO layout_options (" . " form_id, source, field_id, title, group_name, seq, uor, fld_length, fld_rows" . ", titlecols, datacols, data_type, edit_options, default_value, description" . ", max_length, list_id, list_backup_id " . ") VALUES ( " . "'" . formTrim($_POST['layout_id']) . "'" . ",'" . formTrim($_POST['newsource']) . "'" . ",'" . formTrim($_POST['newid']) . "'" . ",'" . formTrim($_POST['newtitle']) . "'" . ",'" . formTrim($_POST['newfieldgroupid']) . "'" . ",'" . formTrim($_POST['newseq']) . "'" . ",'" . formTrim($_POST['newuor']) . "'" . ",'" . formTrim($_POST['newlengthWidth']) . "'" . ",'" . formTrim($_POST['newlengthHeight']) . "'" . ",'" . formTrim($_POST['newtitlecols']) . "'" . ",'" . formTrim($_POST['newdatacols']) . "'" . ",'{$data_type}'" . ",'" . formTrim($_POST['newedit_options']) . "'" . ",'" . formTrim($_POST['newdefault']) . "'" . ",'" . formTrim($_POST['newdesc']) . "'" . ",'" . formTrim($_POST['newmaxSize']) . "'" . ",'" . $listval . "'" . ",'" . formTrim($_POST['newbackuplistid']) . "'" . " )"); addOrDeleteColumn($layout_id, formTrim($_POST['newid']), TRUE); } else {
echo "<script language='JavaScript'>\n"; if ($info_msg) { echo " alert('{$info_msg}');\n"; } echo " window.close();\n"; echo " if (opener.refreshme) opener.refreshme();\n"; echo "</script></body></html>\n"; exit; } if ($userid) { $row = sqlQuery("SELECT * FROM users WHERE id = '{$userid}'"); } if ($type) { // note this only happens when its new // Set up type $row['abook_type'] = strip_escape_custom($type); } ?> <script language="JavaScript"> $(document).ready(function() { // customize the form via the type options typeSelect("<?php echo $row['abook_type']; ?> "); }); </script> <form method='post' name='theform' action='addrbook_edit.php?userid=<?php echo $userid;
} } } // End if { character found. return $s; } // if (!acl_check('admin', 'super')) die(htmlspecialchars(xl('Not authorized'))); // Get patient demographic info. $ptrow = sqlQuery("SELECT pd.*, " . "ur.fname AS ur_fname, ur.mname AS ur_mname, ur.lname AS ur_lname " . "FROM patient_data AS pd " . "LEFT JOIN users AS ur ON ur.id = pd.ref_providerID " . "WHERE pd.pid = ?", array($pid)); $hisrow = sqlQuery("SELECT * FROM history_data WHERE pid = ? " . "ORDER BY date DESC LIMIT 1", array($pid)); $enrow = array(); // Get some info for the currently selected encounter. if ($encounter) { $enrow = sqlQuery("SELECT * FROM form_encounter WHERE pid = ? AND " . "encounter = ?", array($pid, $encounter)); } $form_filename = strip_escape_custom($_REQUEST['form_filename']); $templatedir = "{$OE_SITE_DIR}/documents/doctemplates"; $templatepath = "{$templatedir}/{$form_filename}"; // Create a temporary file to hold the output. $fname = tempnam($GLOBALS['temporary_files_dir'], 'OED'); // Get mime type in a way that works with old and new PHP releases. $mimetype = 'application/octet-stream'; $ext = strtolower(array_pop(explode('.', $filename))); if ('dotx' == $ext) { // PHP does not seem to recognize this type. $mimetype = 'application/msword'; } else { if (function_exists('finfo_open')) { $finfo = finfo_open(FILEINFO_MIME_TYPE); $mimetype = finfo_file($finfo, $templatepath); finfo_close($finfo);
include_once "../../globals.php"; include_once "../../../library/api.inc"; include_once "../../../library/forms.inc"; include_once "../../../library/sql.inc"; include_once "./content_parser.php"; include_once "../../../library/formdata.inc.php"; if ($_GET["mode"] == "delete") { foreach ($_POST as $key => $val) { if (substr($key, 0, 3) == 'ch_' and $val = 'on') { $id = substr($key, 3); if ($_POST['delete']) { sqlInsert("delete from " . mitigateSqlTableUpperCase("form_CAMOS") . " where id={$id}"); sqlInsert("delete from forms where form_name like 'CAMOS%' and form_id={$id}"); } if ($_POST['update']) { // Replace the placeholders before saving the form. This was changed in version 4.0. Previous to this, placeholders // were submitted into the database and converted when viewing. All new notes will now have placeholders converted // before being submitted to the database. Will also continue to support placeholder conversion on report // views to support notes within database that still contain placeholders (ie. notes that were created previous to // version 4.0). $content = strip_escape_custom($_POST['textarea_' . ${id}]); $content = add_escape_custom(replace($pid, $encounter, $content)); sqlInsert("update " . mitigateSqlTableUpperCase("form_CAMOS") . " set content='{$content}' where id={$id}"); } } } } $_SESSION["encounter"] = $encounter; formHeader("Redirecting...."); formJump(); formFooter();
addPnote($patient_id, $note, $userauthorized, '1', $_POST['form_note_type'], $_POST['form_note_to']); } // end post patient note } $action_taken = true; } // end copy to chart if ($_POST['form_cb_forward']) { $form_from = trim($_POST['form_from']); $form_to = trim($_POST['form_to']); $form_fax = trim($_POST['form_fax']); $form_message = trim($_POST['form_message']); $form_finemode = $_POST['form_finemode'] ? '-m' : '-l'; $form_from = strip_escape_custom($form_from); $form_to = strip_escape_custom($form_to); $form_message = strip_escape_custom($form_message); // Generate a cover page using enscript. This can be a cool thing // to do, as enscript is very powerful. // $tmp1 = array(); $tmp2 = 0; $tmpfn1 = tempnam("/tmp", "fax1"); $tmpfn2 = tempnam("/tmp", "fax2"); $tmph = fopen($tmpfn1, "w"); $cpstring = ''; $fh = fopen($GLOBALS['OE_SITE_DIR'] . "/faxcover.txt", 'r'); while (!feof($fh)) { $cpstring .= fread($fh, 8192); } fclose($fh); $cpstring = str_replace('{CURRENT_DATE}', date('F j, Y'), $cpstring);
// skip if it came from the database if ($iter["del"]) { continue; } // skip if Delete was checked $ndc_info = ''; if ($iter['ndcnum']) { $ndc_info = 'N4' . trim($iter['ndcnum']) . ' ' . $iter['ndcuom'] . trim($iter['ndcqty']); } // $fee = 0 + trim($iter['fee']); $units = max(1, intval(trim($iter['units']))); $fee = sprintf('%01.2f', (0 + trim($iter['price'])) * $units); if ($iter['code_type'] == 'COPAY' && $fee > 0) { $fee = 0 - $fee; } echoLine(++$bill_lino, $iter["code_type"], $iter["code"], trim($iter["mod"]), $ndc_info, $iter["auth"], $iter["del"], $units, $fee, NULL, FALSE, NULL, $iter["justify"], 0 + $iter['provid'], strip_escape_custom($iter['notecodes'])); } } // Generate lines for items already in the drug_sales table for this encounter. // $query = "SELECT * FROM drug_sales WHERE " . "pid = '{$pid}' AND encounter = '{$encounter}' " . "ORDER BY sale_id"; $sres = sqlStatement($query); $prod_lino = 0; while ($srow = sqlFetchArray($sres)) { ++$prod_lino; $pline = $_POST['prod']["{$prod_lino}"]; $del = $pline['del']; // preserve Delete if checked $sale_id = $srow['sale_id']; $drug_id = $srow['drug_id']; $units = $srow['quantity'];
<form method='post' name='theform' id='theform' action='encounters_report.php'> <div id="report_parameters"> <table> <tr> <td width='550px'> <div style='float:left'> <table class='text'> <tr> <td class='label'> <?php xl('Facility','e'); ?>: </td> <td> <?php dropdown_facility(strip_escape_custom($form_facility), 'form_facility', true); ?> </td> <td class='label'> <?php xl('Provider','e'); ?>: </td> <td> <?php // Build a drop-down list of providers. // $query = "SELECT id, lname, fname FROM users WHERE ". "authorized = 1 $provider_facility_filter ORDER BY lname, fname"; //(CHEMED) facility filter $ures = sqlStatement($query);
<?php xl('Specialty', 'e'); ?> : <input type='text' name='form_specialty' size='10' value='<?php echo htmlspecialchars(strip_escape_custom($_POST['form_specialty']), ENT_QUOTES); ?> ' class='inputtext' title='<?php xl("Any part of the desired specialty", "e"); ?> ' /> <?php echo xl('Type') . ": "; // Generates a select list named form_abook_type: echo generate_select_list("form_abook_type", "abook_type", strip_escape_custom($_REQUEST['form_abook_type']), '', 'All'); ?> <input type='checkbox' name='form_external' value='1'<?php if ($form_external) { echo ' checked'; } ?> title='<?php xl("Omit internal users?", "e"); ?> ' /> <?php xl('External Only', 'e'); ?> <input type='submit' class='button' name='form_search' value='<?php
</option> <option value="DOB"<?php if ($searchby == 'DOB') { echo ' selected'; } ?> ><?php xl('DOB', 'e'); ?> </option> </select> <?php xl('for:', 'e'); ?> <input type='text' id='searchparm' name='searchparm' size='12' value='<?php echo htmlspecialchars(strip_escape_custom($_REQUEST['searchparm']), ENT_QUOTES); ?> ' title='<?php xl('If name, any part of lastname or lastname,firstname', 'e'); ?> '> <input type='submit' id="submitbtn" value='<?php xl('Search', 'e'); ?> '> <!-- <input type='button' value='<?php xl('Close', 'e'); ?> ' onclick='window.close()' /> -->
} } ?> <table><tr><td><span class="title"><?php xl('Messages', 'e'); ?> </span> <a class='more' href=<?php echo $lnkvar; ?> </a></td></tr></table><br> <?php switch ($task) { case "add": // Add a new message for a specific patient; the message is documented in Patient Notes. // Add a new message; it's treated as a new note in Patient Notes. $note = strip_escape_custom($_POST['note']); $noteid = formData("noteid"); $form_note_type = formData("form_note_type"); $assigned_to = formData("assigned_to"); $form_message_status = formData("form_message_status"); $reply_to = formData("reply_to"); $userauthorized = formData("userauthorized"); if ($noteid) { updatePnote($noteid, $note, $form_note_type, $assigned_to); sqlQuery("update pnotes set message_status='" . $form_message_status . "' where id = '" . $noteid . "'"); $noteid = ''; } else { $noteid = addPnote($reply_to, $note, $userauthorized, '1', $form_note_type, $assigned_to); sqlQuery("update pnotes set message_status='" . $form_message_status . "' where id = '{$noteid}'"); } break;
$MAXSHOW = 100; // maximum number of results to display at once // Construct query and save search parameters as form fields. // An interesting requirement is to sort on the number of matching fields. $message = ""; $numfields = 0; $relevance = "0"; $where = "1 = 0"; foreach ($_REQUEST as $key => $value) { if (substr($key, 0, 3) != 'mf_') { continue; } // "match field" $fldname = substr($key, 3); $avalue = formDataCore($value); $hvalue = htmlspecialchars(strip_escape_custom($value)); // pubpid requires special treatment. Match on that is fatal. if ($fldname == 'pubpid') { $relevance .= " + 1000 * ( {$fldname} LIKE '{$avalue}' )"; } else { $relevance .= " + ( {$fldname} LIKE '{$avalue}' )"; } $where .= " OR {$fldname} LIKE '{$avalue}'"; echo "<input type='hidden' name='{$key}' value='{$hvalue}' />\n"; ++$numfields; } $sql = "SELECT *, ( {$relevance} ) AS relevance, " . "DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS " . "FROM patient_data WHERE {$where} " . "ORDER BY relevance DESC, lname, fname, mname " . "LIMIT {$fstart}, {$MAXSHOW}"; $rez = sqlStatement($sql); $result = array(); while ($row = sqlFetchArray($rez)) { $result[] = $row;
$N = 10; $mode = $_GET['mode']; $type = $_GET['type']; $modifier = $_GET['modifier']; $units = $_GET['units']; $fee = $_GET['fee']; $code = $_GET['code']; $text = $_GET['text']; if (isset($mode)) { if ($mode == "add") { if (strtolower($type) == "copay") { addBilling($encounter, $type, sprintf("%01.2f", $code), strip_escape_custom($text), $pid, $userauthorized, $_SESSION['authUserID'], $modifier, $units, sprintf("%01.2f", 0 - $code)); } elseif (strtolower($type) == "other") { addBilling($encounter, $type, $code, strip_escape_custom($text), $pid, $userauthorized, $_SESSION['authUserID'], $modifier, $units, sprintf("%01.2f", $fee)); } else { addBilling($encounter, $type, $code, strip_escape_custom($text), $pid, $userauthorized, $_SESSION['authUserID'], $modifier, $units, $fee); } } } ?> <html> <head> <?php html_header_show(); ?> <link rel="stylesheet" href="<?php echo $css_header; ?> " type="text/css"> </head> <body class="body_bottom">
if ($ALLOW_DELETE && !$debug) { foreach ($_POST['form_del'] as $arseq => $dummy) { row_delete("ar_activity", "pid = '{$patient_id}' AND " . "encounter = '{$encounter_id}' AND sequence_no = '{$arseq}'"); } } } $paytotal = 0; foreach ($_POST['form_line'] as $code => $cdata) { if (!$INTEGRATED_AR) { $thissrc = trim($cdata['src']); $thisdate = trim($cdata['date']); } $thispay = trim($cdata['pay']); $thisadj = trim($cdata['adj']); $thisins = trim($cdata['ins']); $reason = strip_escape_custom($cdata['reason']); // Get the adjustment reason type. Possible values are: // 1 = Charge adjustment // 2 = Coinsurance // 3 = Deductible // 4 = Other pt resp // 5 = Comment $reason_type = '1'; if ($reason) { $tmp = sqlQuery("SELECT option_value FROM list_options WHERE " . "list_id = 'adjreason' AND " . "option_id = '" . add_escape_custom($reason) . "'"); if (empty($tmp['option_value'])) { // This should not happen but if it does, apply old logic. if (preg_match("/To copay/", $reason)) { $reason_type = 2; } else { if (preg_match("/To ded'ble/", $reason)) {
function oresRawData($name, $index) { $s = isset($_POST[$name][$index]) ? $_POST[$name][$index] : ''; return trim(strip_escape_custom($s)); }
$tmp = sqlQuery("SELECT users.id FROM forms, users WHERE " . "forms.pid = '{$pid}' AND forms.encounter = '{$encounter}' AND " . "forms.formdir='newpatient' AND users.username = forms.user AND " . "users.authorized = 1"); $provid = $tmp['id'] ? $tmp['id'] : $_SESSION["authUserID"]; if (strtolower($type) == "copay") { addBilling($encounter, $type, sprintf("%01.2f", $code), strip_escape_custom($payment_method), $pid, $userauthorized, $provid, $modifier, $units, sprintf("%01.2f", 0 - $code)); } elseif (strtolower($type) == "other") { addBilling($encounter, $type, $code, strip_escape_custom($text), $pid, $userauthorized, $provid, $modifier, $units, sprintf("%01.2f", $fee)); } else { $ndc_info = ''; // If HCPCS, get and save default NDC data. if (strtolower($type) == "hcpcs") { $tmp = sqlQuery("SELECT ndc_info FROM billing WHERE " . "code_type = 'HCPCS' AND code = '{$code}' AND ndc_info LIKE 'N4%' " . "ORDER BY date DESC LIMIT 1"); if (!empty($tmp)) { $ndc_info = $tmp['ndc_info']; } } addBilling($encounter, $type, $code, strip_escape_custom($text), $pid, $userauthorized, $provid, $modifier, $units, $fee, $ndc_info); } } elseif ($mode == "justify") { $diags = $_POST['code']['diag']; $procs = $_POST['code']['proc']; $sql = array(); if (!empty($procs) && !empty($diags)) { $sql = array(); foreach ($procs as $proc) { $justify_string = ""; foreach ($diags as $diag) { $justify_string .= $diag . ":"; } $sql[] = "UPDATE billing set justify = concat(justify,'" . add_escape_custom($justify_string) . "') where encounter = '" . add_escape_custom($_POST['encounter_id']) . "' and pid = '" . add_escape_custom($_POST['patient_id']) . "' and code = '" . add_escape_custom($proc) . "'"; } }
$data = $_POST["G1_{$prefix}{$qcode}"] * 7 + $_POST["G2_{$prefix}{$qcode}"]; } } else { $data = $_POST["{$prefix}{$qcode}"]; } if (!isset($data) || $data === '') { continue; } if (!is_array($data)) { $data = array($data); } foreach ($data as $datum) { // Note this will auto-assign the seq value. sqlBeginTrans(); $answer_seq = sqlQuery("SELECT IFNULL(MAX(answer_seq),0) + 1 AS increment FROM procedure_answers WHERE procedure_order_id = ? AND procedure_order_seq = ? AND question_code = ? ", array($formid, $poseq, $qcode)); sqlStatement("INSERT INTO procedure_answers SET " . "procedure_order_id = ?, " . "procedure_order_seq = ?, " . "question_code = ?, " . "answer_seq = ?, " . "answer = ?", array($formid, $poseq, $qcode, $answer_seq['increment'], strip_escape_custom($datum))); sqlCommitTrans(); } } } $alertmsg = ''; if ($_POST['bn_xmit']) { $hl7 = ''; $alertmsg = gen_hl7_order($formid, $hl7); if (empty($alertmsg)) { $alertmsg = send_hl7_order($ppid, $hl7); } if (empty($alertmsg)) { sqlStatement("UPDATE procedure_order SET date_transmitted = NOW() WHERE " . "procedure_order_id = ?", array($formid)); } }
function stripslashes_deep($value) { $value = is_array($value) ? array_map('stripslashes_deep', $value) : strip_escape_custom($value); return $value; }
<?php // This program is free software; you can redistribute it and/or // modify it under the terms of the GNU General Public License // as published by the Free Software Foundation; either version 2 // of the License, or (at your option) any later version. include_once "../../globals.php"; include_once "{$srcdir}/patient.inc"; include_once "{$srcdir}/formdata.inc.php"; $fstart = $_REQUEST['fstart'] + 0; $popup = empty($_REQUEST['popup']) ? 0 : 1; $message = strip_escape_custom($_GET['message']); ?> <html> <head> <?php html_header_show(); ?> <link rel=stylesheet href="<?php echo $css_header; ?> " type="text/css"> <style> form { padding: 0px; margin: 0px; } #searchCriteria { text-align: center;
<?php xl('Specialty', 'e'); ?> : <input type='text' name='form_specialty' size='10' value='<?php echo htmlspecialchars(strip_escape_custom($_POST['form_specialty']), ENT_QUOTES); ?> ' class='inputtext' title='<?php xl("Any part of the desired specialty", "e"); ?> ' /> <?php echo xl('Type') . ": "; // Generates a select list named form_abook_type: generate_form_field(array('data_type' => 1, 'field_id' => 'abook_type', 'list_id' => 'abook_type', 'empty_title' => 'All'), strip_escape_custom($_REQUEST['form_abook_type'])); ?> <input type='checkbox' name='form_external' value='1'<?php if ($form_external) { echo ' checked'; } ?> title='<?php xl("Omit internal users?", "e"); ?> ' /> <?php xl('External Only', 'e'); ?> <input type='submit' class='button' name='form_search' value='<?php
<table> <tr> <td width='660px'> <div style='float:left'> <table class='text'> <tr> <td class='label'> <?php xl('Facility', 'e'); ?> : </td> <td> <?php dropdown_facility(strip_escape_custom($form_facility), 'form_facility'); ?> </td> <td class='label'> <?php xl('Provider', 'e'); ?> : </td> <td> <?php if (acl_check('acct', 'rep_a')) { // Build a drop-down list of providers. // $query = "select id, lname, fname from users where " . "authorized = 1 order by lname, fname"; $res = sqlStatement($query);
<html> <head> <?php html_header_show(); // If we are saving user_specific globals. // if ($_POST['form_save'] && $_GET['mode'] == "user") { $i = 0; foreach ($GLOBALS_METADATA as $grpname => $grparr) { if (in_array($grpname, $USER_SPECIFIC_TABS)) { foreach ($grparr as $fldid => $fldarr) { if (in_array($fldid, $USER_SPECIFIC_GLOBALS)) { list($fldname, $fldtype, $flddef, $flddesc) = $fldarr; $label = "global:" . $fldid; $fldvalue = trim(strip_escape_custom($_POST["form_{$i}"])); setUserSetting($label, $fldvalue, $_SESSION['authId'], FALSE); if ($_POST["toggle_{$i}"] == "YES") { removeUserSetting($label); } ++$i; } } } } echo "<script type='text/javascript'>"; echo "parent.left_nav.location.reload();"; echo "parent.Title.location.reload();"; echo "if(self.name=='RTop'){"; echo "parent.RBot.location.reload();"; echo "}else{";
<?php //------------This file inserts your field data into the MySQL database include_once "../../globals.php"; include_once "../../../library/api.inc"; include_once "../../../library/forms.inc"; include_once "../../../library/sql.inc"; include_once "content_parser.php"; include_once "../../../library/formdata.inc.php"; $field_names = array('category' => formData("category"), 'subcategory' => formData("subcategory"), 'item' => formData("item"), 'content' => strip_escape_custom($_POST['content'])); $camos_array = array(); process_commands($field_names['content'], $camos_array); $CAMOS_form_name = "CAMOS-" . $field_names['category'] . '-' . $field_names['subcategory'] . '-' . $field_names['item']; if ($encounter == "") { $encounter = date("Ymd"); } if (preg_match("/^[\\s\\r\\n\\\\r\\\\n]*\$/", $field_names['content']) == 0) { //make sure blanks do not get submitted // Replace the placeholders before saving the form. This was changed in version 4.0. Previous to this, placeholders // were submitted into the database and converted when viewing. All new notes will now have placeholders converted // before being submitted to the database. Will also continue to support placeholder conversion on report // views to support notes within database that still contain placeholders (ie. notes that were created previous to // version 4.0). $field_names['content'] = add_escape_custom(replace($pid, $encounter, $field_names['content'])); reset($field_names); $newid = formSubmit("form_CAMOS", $field_names, $_GET["id"], $userauthorized); addForm($encounter, $CAMOS_form_name, $newid, "CAMOS", $pid, $userauthorized); } //deal with embedded camos submissions here foreach ($camos_array as $val) { if (preg_match("/^[\\s\\r\\n\\\\r\\\\n]*\$/", $val['content']) == 0) {
<?php require_once "../dompdf_config.inc.php"; // We check wether the user is accessing the demo locally $local = array("::1", "127.0.0.1"); $is_local = in_array($_SERVER['REMOTE_ADDR'], $local); if (isset($_POST["html"]) && $is_local) { $_POST["html"] = strip_escape_custom($_POST["html"]); $dompdf = new DOMPDF(); $dompdf->load_html($_POST["html"]); $dompdf->set_paper($_POST["paper"], $_POST["orientation"]); $dompdf->render(); $dompdf->stream("dompdf_out.pdf", array("Attachment" => false)); exit(0); } include "head.inc"; ?> <a name="demo"> </a> <h2>Demo</h2> <?php if ($is_local) { ?> <p>Enter your html snippet in the text box below to see it rendered as a PDF: (Note by default, remote stylesheets, images & inline PHP are disabled.)</p> <form action="<?php echo $_SERVER["PHP_SELF"]; ?>