function QuotedOrNull($fld)
{
    $fld = formDataCore($fld, true);
    if ($fld) {
        return "'{$fld}'";
    }
    return "NULL";
}

function InsertEvent($args)
{
    return sqlInsert("INSERT INTO openemr_postcalendar_events ( " . "pc_catid, pc_multiple, pc_aid, pc_pid, pc_title, pc_time, pc_hometext, " . "pc_informant, pc_eventDate, pc_endDate, pc_duration, pc_recurrtype, " . "pc_recurrspec, pc_startTime, pc_endTime, pc_alldayevent, " . "pc_apptstatus, pc_prefcatid, pc_location, pc_eventstatus, pc_sharing, pc_facility,pc_billing_location " . ") VALUES ( " . "'" . $args['form_category'] . "', " . "'" . $args['new_multiple_value'] . "', " . "'" . $args['form_provider'] . "', " . "'" . $args['form_pid'] . "', " . "'" . formDataCore($args['form_title']) . "', " . "NOW(), " . "'" . formDataCore($args['form_comments']) . "', " . "'" . $_SESSION['authUserID'] . "', " . "'" . $args['event_date'] . "', " . "'" . fixDate($args['form_enddate']) . "', " . "'" . $args['duration'] . "', " . "'" . ($args['form_repeat'] ? '1' : '0') . "', " . "'" . serialize($args['recurrspec']) . "', " . "'" . $args['starttime'] . "', " . "'" . $args['endtime'] . "', " . "'" . $args['form_allday'] . "', " . "'" . $args['form_apptstatus'] . "', " . "'" . $args['form_prefcat'] . "', " . "'" . $args['locationspec'] . "', " . "1, " . "1, " . (int) $args['facility'] . "," . (int) $args['billing_facility'] . " )");
}

     sqlInsert($query);
 } elseif ($_POST['hidden_selection'] == 'change_subcategory') {
     $preselect_subcategory_override = $_POST['change_subcategory'];
     $category_id = $_POST['hidden_category'];
     if ($category_id >= 0) {
         $subcategory = formDataCore($subcategory);
         $query = "INSERT INTO form_CAMOS_subcategory (user, subcategory, category_id) values ('" . $_SESSION['authUser'] . "', '";
         $query .= $subcategory . "', '" . $category_id . "')";
         sqlInsert($query);
     }
 } elseif ($_POST['hidden_selection'] == 'change_item') {
     $preselect_item_override = $_POST['change_item'];
     $category_id = $_POST['hidden_category'];
     $subcategory_id = $_POST['hidden_subcategory'];
     if ($category_id >= 0 && $subcategory_id >= 0) {
         $item = formDataCore($item);
         $query = "INSERT INTO form_CAMOS_item (user, item, content, subcategory_id) values ('" . $_SESSION['authUser'] . "', '";
         $query .= $item . "', '" . $content . "', '" . $subcategory_id . "')";
         sqlInsert($query);
     }
 } elseif ($_POST['hidden_selection'] == 'change_content') {
     $item_id = $_POST['hidden_item'];
     if ($item_id >= 0) {
         if ($_POST['hidden_mode'] == 'add to') {
             $tmp = sqlQuery("SELECT content from form_CAMOS_item where id = " . $item_id);
             if (isset($tmp)) {
                 $content .= "\n" . $tmp['content'];
             }
         }
         //    Not stripping slashes, unclear why, but will keep same functionality
         //     below just adds the escapes.

function oresData($name, $index)
{
    $s = isset($_POST[$name][$index]) ? $_POST[$name][$index] : '';
    return formDataCore($s, true);
}

/**
 * (Note this function is deprecated for new scripts and is only utilized to support legacy scripts)
 * This function is only being kept to support
 * previous functionality. If you want to trim
 * variables, this should be done using above
 * functions.
 *
 * @param string $s
 * @return string
 */
function formTrim($s)
{
    return formDataCore($s, true);
}

<?php

// Copyright (C) 2009 Rod Roark <[email protected]>
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
require_once "../globals.php";
require_once "{$srcdir}/sql.inc";
// Validation for non-unique external patient identifier.
$alertmsg = '';
if (!empty($_POST["form_pubpid"])) {
    $form_pubpid = trim($_POST["form_pubpid"]);
    $result = sqlQuery("SELECT count(*) AS count FROM patient_data WHERE " . "pubpid = '" . formDataCore($form_pubpid) . "'");
    if ($result['count']) {
        // Error, not unique.
        $alertmsg = xl('Warning: Patient ID is not unique!');
    }
}
require_once "{$srcdir}/pid.inc";
require_once "{$srcdir}/patient.inc";
require_once "{$srcdir}/options.inc.php";
// here, we lock the patient data table while we find the most recent max PID
// other interfaces can still read the data during this lock, however
// sqlStatement("lock tables patient_data read");
$result = sqlQuery("SELECT MAX(pid)+1 AS pid FROM patient_data");
$newpid = 1;
if ($result['pid'] > 1) {
    $newpid = $result['pid'];
}

function form2db($fldval)
{
    $fldval = trim($fldval);
    $fldval = formDataCore($fldval);
    return $fldval;
}

 // Check the current status of Audit Logging
 $auditLogStatusFieldOld = $GLOBALS['enable_auditlog'];
 $i = 0;
 foreach ($GLOBALS_METADATA as $grpname => $grparr) {
     foreach ($grparr as $fldid => $fldarr) {
         list($fldname, $fldtype, $flddef, $flddesc) = $fldarr;
         if ($fldtype == 'pwd') {
             $pass = sqlQuery("SELECT gl_value FROM globals WHERE gl_name = '{$fldid}'");
             $fldvalueold = $pass['gl_value'];
         }
         sqlStatement("DELETE FROM globals WHERE gl_name = '{$fldid}'");
         if (substr($fldtype, 0, 2) == 'm_') {
             if (isset($_POST["form_{$i}"])) {
                 $fldindex = 0;
                 foreach ($_POST["form_{$i}"] as $fldvalue) {
                     $fldvalue = formDataCore($fldvalue, true);
                     sqlStatement("INSERT INTO globals ( gl_name, gl_index, gl_value ) " . "VALUES ( '{$fldid}', '{$fldindex}', '{$fldvalue}' )");
                     ++$fldindex;
                 }
             }
         } else {
             if (isset($_POST["form_{$i}"])) {
                 $fldvalue = formData("form_{$i}", "P", true);
             } else {
                 $fldvalue = "";
             }
             if ($fldtype == 'pwd') {
                 $fldvalue = $fldvalue ? SHA1($fldvalue) : $fldvalueold;
             }
             if (fldvalue) {
                 // Need to force enable_auditlog_encryption off if the php mycrypt module

            $pos = 'Positive for ' . $pos . '.  ';
        }
        $field_names[$key] = $pos . $neg;
    } else {
        $field_names[$key] = $_POST[$key];
    }
    if ($field_names[$key] != '') {
        //          $field_names[$key] .= '.';
        $field_names[$key] = preg_replace('/\\s*,\\s*([^,]+)\\./', ' and $1.', $field_names[$key]);
        // replace last comma with 'and' and ending period
    }
}
//end special processing
foreach ($field_names as $k => $var) {
    #if (strtolower($k) == strtolower($var)) {unset($field_names[$k]);}
    $field_names[$k] = formDataCore($var);
    echo "{$var}\n";
}
if ($encounter == "") {
    $encounter = date("Ymd");
}
if ($_GET["mode"] == "new") {
    reset($field_names);
    $newid = formSubmit("form_Initial_New_Patient_Physical_Exam", $field_names, $_GET["id"], $userauthorized);
    addForm($encounter, "Initial New Patient Physical Exam", $newid, "Initial_New_Patient_Physical_Exam", $pid, $userauthorized);
} elseif ($_GET["mode"] == "update") {
    sqlInsert("update form_Initial_New_Patient_Physical_Exam set pid = {$_SESSION["pid"]},groupname='" . $_SESSION["authProvider"] . "',user='" . $_SESSION["authUser"] . "',authorized={$userauthorized},activity=1, date = NOW(), sweeter='" . $field_names["sweeter"] . "',bloater='" . $field_names["bloater"] . "',grazer='" . $field_names["grazer"] . "',general='" . $field_names["general"] . "',head='" . $field_names["head"] . "',eyes='" . $field_names["eyes"] . "',ears='" . $field_names["ears"] . "',nose='" . $field_names["nose"] . "',throat='" . $field_names["throat"] . "',oral_cavity='" . $field_names["oral_cavity"] . "',dentition='" . $field_names["dentition"] . "',neck='" . $field_names["neck"] . "',heart='" . $field_names["heart"] . "',lung='" . $field_names["lung"] . "',chest='" . $field_names["chest"] . "',breast='" . $field_names["breast"] . "',male='" . $field_names["male"] . "',female='" . $field_names["female"] . "',note='" . $field_names["note"] . "',abdomen='" . $field_names["abdomen"] . "',scar='" . $field_names["scar"] . "',umbilius='" . $field_names["umbilius"] . "',groins='" . $field_names["groins"] . "',extremities='" . $field_names["extremities"] . "',peripheral_pulses='" . $field_names["peripheral_pulses"] . "',right_peripheral_pulses='" . $field_names["right_peripheral_pulses"] . "',left_peripheral_pulses='" . $field_names["left_peripheral_pulses"] . "',neurological='" . $field_names["neurological"] . "',right_neurological='" . $field_names["right_neurological"] . "',left_neurological='" . $field_names["left_neurological"] . "',rectum='" . $field_names["rectum"] . "',pelvic='" . $field_names["pelvic"] . "',assessment='" . $field_names["assessment"] . "',note2='" . $field_names["note2"] . "',recommendations='" . $field_names["recommendations"] . "',note3='" . $field_names["note3"] . "' where id={$id}");
}
$_SESSION["encounter"] = $encounter;
formHeader("Redirecting....");
formJump();

function process_commands(&$string_to_process, &$camos_return_data)
{
    //First, handle replace function as special case.  full depth of inserts should be evaluated prior
    //to evaluating other functions in final string assembly.
    $replace_finished = FALSE;
    while (!$replace_finished) {
        if (preg_match_all("/\\/\\*\\s*replace\\s*::.*?\\*\\//", $string_to_process, $matches)) {
            foreach ($matches[0] as $val) {
                $comm = preg_replace("/(\\/\\*)|(\\*\\/)/", "", $val);
                $comm_array = split('::', $comm);
                //array where first element is command and rest are args
                $replacement_item = trim($comm_array[1]);
                //this is the item name to search for in the database.  easy.
                $replacement_text = '';
                $query = "SELECT content FROM form_CAMOS_item WHERE item like '" . $replacement_item . "'";
                $statement = sqlStatement($query);
                if ($result = sqlFetchArray($statement)) {
                    $replacement_text = $result['content'];
                }
                $replacement_text = formDataCore($replacement_text);
                $string_to_process = str_replace($val, $replacement_text, $string_to_process);
            }
        } else {
            $replace_finished = TRUE;
        }
    }
    //date_add is a function to add a given number of days to the date of the current encounter
    //this will be useful for saving templates of prescriptions with 'do not fill until' dates
    //I am going to implement with mysql date functions.
    //I am putting this before other functions just like replace function because it is replacing text
    //needs to be here.
    if (preg_match("/\\/\\*\\s*date_add\\s*::\\s*(.*?)\\s*\\*\\//", $string_to_process, $matches)) {
        $to_replace = $matches[0];
        $days = $matches[1];
        $query = "select date_format(date_add(date, interval {$days} day),'%W, %m-%d-%Y') as date from form_encounter where " . "pid = " . $_SESSION['pid'] . " and encounter = " . $_SESSION['encounter'];
        $statement = sqlStatement($query);
        if ($result = sqlFetchArray($statement)) {
            $string_to_process = str_replace($to_replace, $result['date'], $string_to_process);
        }
    }
    if (preg_match("/\\/\\*\\s*date_sub\\s*::\\s*(.*?)\\s*\\*\\//", $string_to_process, $matches)) {
        $to_replace = $matches[0];
        $days = $matches[1];
        $query = "select date_format(date_sub(date, interval {$days} day),'%W, %m-%d-%Y') as date from form_encounter where " . "pid = " . $_SESSION['pid'] . " and encounter = " . $_SESSION['encounter'];
        $statement = sqlStatement($query);
        if ($result = sqlFetchArray($statement)) {
            $string_to_process = str_replace($to_replace, $result['date'], $string_to_process);
        }
    }
    //end of special case of replace function
    $return_value = 0;
    $camos_return_data = array();
    // to be filled with additional camos form submissions if any embedded
    $command_array = array();
    //to be filled with potential commands
    $matches = array();
    //to be filled with potential commands
    if (!preg_match_all("/\\/\\*.*?\\*\\//s", $string_to_process, $matches)) {
        return $return_value;
    }
    $command_array = $matches[0];
    foreach ($command_array as $val) {
        //process each command
        $comm = preg_replace("/(\\/\\*)|(\\*\\/)/", "", $val);
        $comm_array = split('::', $comm);
        //array where first element is command and rest are args
        //Here is where we process particular commands
        if (trim($comm_array[0]) == 'billing') {
            array_shift($comm_array);
            //couldn't do it in 'if' or would lose element 0 for next if
            //insert data into the billing table, see, easy!
            $type = trim(array_shift($comm_array));
            $code = trim(array_shift($comm_array));
            $text = trim(array_shift($comm_array));
            $modifier = trim(array_shift($comm_array));
            $units = trim(array_shift($comm_array));
            //make default units 1 if left blank - bm
            if ($units == '') {
                $units = 1;
            }
            $fee = sprintf("%01.2f", trim(array_shift($comm_array)));
            //make default fee 0.00 if left blank
            if ($fee == '') {
                $fee = sprintf("%01.2f", '0.00');
            }
            //in function call 'addBilling' note last param is the remainder of the array.  we will look for justifications here...
            addBilling2($encounter, $type, $code, $text, $modifier, $units, $fee, $comm_array);
        }
        if (trim($comm_array[0]) == 'appt') {
            array_shift($comm_array);
            $days = trim(array_shift($comm_array));
            $time = trim(array_shift($comm_array));
            addAppt($days, $time);
        }
        if (trim($comm_array[0]) == 'vitals') {
            array_shift($comm_array);
            $weight = trim(array_shift($comm_array));
            $height = trim(array_shift($comm_array));
            $systolic = trim(array_shift($comm_array));
            $diastolic = trim(array_shift($comm_array));
//.........这里部分代码省略.........

<?php 
$MAXSHOW = 100;
// maximum number of results to display at once
// Construct query and save search parameters as form fields.
// An interesting requirement is to sort on the number of matching fields.
$message = "";
$numfields = 0;
$relevance = "0";
$where = "1 = 0";
foreach ($_REQUEST as $key => $value) {
    if (substr($key, 0, 3) != 'mf_') {
        continue;
    }
    // "match field"
    $fldname = substr($key, 3);
    $avalue = formDataCore($value);
    $hvalue = htmlspecialchars(strip_escape_custom($value));
    // pubpid requires special treatment.  Match on that is fatal.
    if ($fldname == 'pubpid') {
        $relevance .= " + 1000 * ( {$fldname} LIKE '{$avalue}' )";
    } else {
        $relevance .= " + ( {$fldname} LIKE '{$avalue}' )";
    }
    $where .= " OR {$fldname} LIKE '{$avalue}'";
    echo "<input type='hidden' name='{$key}' value='{$hvalue}' />\n";
    ++$numfields;
}
$sql = "SELECT *, ( {$relevance} ) AS relevance, " . "DATE_FORMAT(DOB,'%m/%d/%Y') as DOB_TS " . "FROM patient_data WHERE {$where} " . "ORDER BY relevance DESC, lname, fname, mname " . "LIMIT {$fstart}, {$MAXSHOW}";
$rez = sqlStatement($sql);
$result = array();
while ($row = sqlFetchArray($rez)) {