I just have a quick question before I review this code. Was it created with a form maker (if so, was it formscript.pl or xmlformgen)? (knowing this just helps me when reviewing and looking through the forms code)
Brady,
We created all 3 of those forms based on the OpenEMR predefined forms (i.e. misc_billing_option). It's a custom form, so we didn't use formscript.pl and xmlformgen.
As per yehster's comments, we applied the new security module rules to the Aftercare plan forms. The updated commit link is here.
I also just realized that you are nesting formData() functions within the add_escape_custom() functions in the save.php scripts, which is incorrect (it will cause double escaping of magic quotes and of sql escaping). See my three comments in the following commit: http://github.com/openemr/openemr/commit/2f7b2534a332758f8835fcf47b5090b79f69a424
(search for bradymiller to see them)
Please fix these by removing the formData function calls and replacing variables within the add_escape_custom() with $_POST. Also test it a bit to ensure the fields are populating after doing this.
And to the rest of the community, I have placed these three forms within the interface/forms directory for now since they are good forms to “replicate” since they 100% follow the new security model. But I will leave it up to the community if it makes more sense to move them to the contrib/forms directory.
Thanks for the contribution and the quick bug fix. I committed your bug fix to sourceforge and I also added one more minor bug fix following your commit (since using the add_escape_custom() function, need to include the library/formdata.inc.php library).
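The double escaping raised in the review comments above, as an added example that is not part of the original posts or of OpenEMR's code: the `demo_*` functions are simplified stand-ins for `add_escape_custom()` and `formData()` (with `addslashes()` assumed in place of the real SQL escaping so it runs without a database), the field name `plan_note` is hypothetical, and only the SQL-escaping half of the problem is shown, not magic quotes.

```php
<?php
// Added illustration; simplified stand-ins, not library/formdata.inc.php.

// Stand-in for add_escape_custom(): escape a value for a SQL string literal.
// addslashes() is an assumption made so the demo needs no database link.
function demo_add_escape_custom($s)
{
    return addslashes($s);
}

// Stand-in for formData(): fetch a POST field and return it already escaped.
function demo_formData($name)
{
    $value = isset($_POST[$name]) ? $_POST[$name] : '';
    return demo_add_escape_custom($value);
}

// Models the database parsing a quoted literal: exactly one level of
// backslash escaping is consumed before the value is stored.
function demo_stored_value($literal)
{
    return stripslashes($literal);
}

// Constructed sample input; 'plan_note' is a hypothetical field name.
$_POST['plan_note'] = "Patient's follow-up";

// Pattern flagged in the review: the value is escaped twice.
$nested = demo_add_escape_custom(demo_formData('plan_note'));

// Requested fix: escape the raw $_POST value once.
$single = demo_add_escape_custom($_POST['plan_note']);

foreach (array('nested' => $nested, 'single' => $single) as $label => $literal) {
    $stored = demo_stored_value($literal);
    $status = ($stored === $_POST['plan_note']) ? 'matches input' : 'CORRUPTED';
    echo "$label literal: $literal\n";
    echo "$label stored:  $stored ($status)\n";
}
```

The nested call leaves a stray backslash in the stored value, which is why the fields need to be re-tested for correct population after the change.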