Some quick things to point out from some quick review of the adodb code:
We should not use queries with hybrid binding and add_escape_custom(). It should be all one method (for example, will change the core form routines to all use add_escape_custom(), which will stop this bug). Will make this guideline on the security model method page.
From reviewing the Execute function in adodb, it appears that it will not seek out placeholders (i.e. ?) unless a binding array is passed. So, should be able to safely completely migrate to adodb someday (likely will be necessary when we do the mysqli migration in future).
-brady OpenEMR
I already had placed the following in the new security method page:
“Exception to step 3 for when there are a large number of variables in the sql query (if do this, need to treat all variables this way; meaning do not combine the two methods in one statement to avoid the ‘?’ character within datafields breaking things) (also ensure surround the variable with the single quotes)” http://www.open-emr.org/wiki/index.php/Codebase_Security#SQL-Injection_and_Cross-Scripting_Prevention
Guess I should have listened to my own instructions when I implemented the forms functions into the new security model. Anyhow, good to get confirmation that this is a bad idea to do.
Also committed some more session leak fixes. Will hopefully crank out some more of these session leak fixes and branch the code soon (will also await the “Problem with usernames and case” bug fix).
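To make the failure mode from the two posts above concrete (the '?' placeholder only being looked for when a binding array is passed, and a '?' inside an escaped data field then being mistaken for a placeholder when the two methods are mixed in one statement), here is an added example that is not OpenEMR or ADOdb code. The functions naive_bind() and fake_escape() are constructed stand-ins that model the described behaviour; they are not ADOdb's Execute() or OpenEMR's add_escape_custom(), and the note text is constructed sample data.

```php
<?php
// Added example, not project code. naive_bind() models the placeholder
// handling described in the thread: with a binding array the query is
// split on every '?' and the bind values are slotted in; without one the
// string is used as-is and '?' is never looked for.

// Stand-in for add_escape_custom(): escape quotes and backslashes only.
function fake_escape(string $v): string {
    return addslashes($v);
}

// Models driver-level bind emulation. Throws when the number of '?' found
// in the string does not match the number of bind values supplied.
function naive_bind(string $sql, ?array $binds = null): string {
    if ($binds === null) {
        return $sql;                       // no binding array: nothing is parsed
    }
    $parts = explode('?', $sql);           // every '?' counts, even inside quotes
    if (count($parts) - 1 !== count($binds)) {
        throw new RuntimeException(sprintf(
            "placeholder count %d does not match bind count %d",
            count($parts) - 1, count($binds)));
    }
    $out = $parts[0];
    foreach (array_values($binds) as $i => $b) {
        $out .= "'" . fake_escape((string)$b) . "'" . $parts[$i + 1];
    }
    return $out;
}

$note = "Patient asked: allergic to penicillin?";   // constructed data containing '?'
$pid  = 7;

// Hybrid form: $note escaped and concatenated, $pid bound. The '?' inside
// the note is counted as a second placeholder, so the statement breaks.
try {
    naive_bind("INSERT INTO notes (pid, body) VALUES (?, '"
               . fake_escape($note) . "')", [$pid]);
} catch (RuntimeException $e) {
    echo "hybrid form broke: " . $e->getMessage() . "\n";
}

// All-binding form: the '?' in the data is a bind value and is never parsed.
echo naive_bind("INSERT INTO notes (pid, body) VALUES (?, ?)", [$pid, $note]) . "\n";

// All-escaping form: no binding array is passed, so '?' in data is harmless.
echo naive_bind("INSERT INTO notes (pid, body) VALUES ('"
                . fake_escape((string)$pid) . "', '" . fake_escape($note) . "')") . "\n";
```

Run with `php example.php`. The hybrid call raises the count mismatch, while either consistent form produces a well-formed INSERT, which is the point of the wiki guideline: pick one method per statement.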
Created the rel-412 branch, so have officially entered testing phase (i.e. bug fixes only; in theory at least). Here’s the Release Process wiki page with links to the 4.1.2 dev demo, daily 4.1.2 builds, docs, etc.: http://www.open-emr.org/wiki/index.php/QA/Release_Process#Version_4.1.2
Brady,
Would it be difficult to make it so that the 4.1.2 demo only resets manually? I suspect we would get better testing from the community if the data was more persistent. We could also get some sense of what things have been tested by looking at what people have done.
There aren’t going to be daily code updates at this point, so I don’t think it makes sense to update what people are testing daily. This might also be a good opportunity to get some crowd sourced testing data built up over a few weeks.
It would also be useful to have icd9 codes loaded on the demo site for testing. Either as part of the daily rebuild, or loaded one time on a persistent site.
For the persistent demo, that is a pain to manage because they keep getting broken (i.e. generally a password change or sometimes havoc in the phpmyadmin or lists/layouts stuff). Having it daily refresh places them on autopilot and then don’t ever feel the need to manually refresh them (i.e. my response via email, which relatively frequently happens BTW, is to wait until the morning).
Feel free to post more persistent demo links on the developer demo page. The more the better.
The reason I keep the developer demos bare (i.e. no sample data) is that it forces testing of the basics, which are the more painful bugs (prior to these development demos, most releases had a couple of these very basic bugs). Anybody, please feel free to make more demo sets, because my demo set is based on legacy php/mandriva at this point (only a matter of time before they just stop working); would be really nice to get a comparable set on ubuntu.
I feel that having a more persistent test bed is important for proper testing, so I signed up for a virtual server and installed OpenEMR on it. However, the performance of this server is so poor that it’s likely to frustrate folks. Oh well.
Please test new installs and upgrades. Especially need lots of testing of the upgrades. (note that there are now instruction sets for these things here): http://www.open-emr.org/wiki/index.php/QA/Release_Process#Documentation
(Please feel free to modify and improve these documents, including the User Manual wiki page linked there)
If you have contributed anything (can include testing, translating, posting on forums or even just telling folks about OpenEMR or anything else; if you want to be on it, just add it or let me know and I’ll add you) to the project: http://www.open-emr.org/wiki/index.php/OpenEMR_Acknowledgments
(this list goes into the “Acknowledgments, Licensing and Certification” link on the main OpenEMR login page)
There seems to be an issue with the new pdf patient report. The SOAP form is only occupying the left-most column. This only happens in the pdf file, not the HTML printed version. There’s also a funky page break thing happening. Check out the development demo under patient Jane Doe for an example.
I think your code + this code essentially equals “very cool”:
I think it makes sense since both of these submissions are likely almost ready to commit (haven’t yet reviewed completely yet) that we could package these into 4.1.2 release and have a nice theme for the release; aka “interoperability” or something of that nature. Since now a CCR can be created, sent via Direct, received via Direct and the data from the CCR can be imported into OpenEMR’s database. Is there a nice name for this or quick blurb that would precisely describe it for the release information?
Just committed both ZH Healthcare’s and EMR Direct’s (Luis) commits to master and rel-412. Placed this statement in Release Features that pertains to these new features:
“Interoperability Support with Electronic Transfer and Incorporation of Patient Records via Standardized Continuity of Care Records”
(Feel free to change/improve this description) http://www.open-emr.org/wiki/index.php/Release_Features#Version_4.1.2
Please continue TESTING, TESTING, TESTING. At this point, planning to freeze the translations this weekend and then push ahead with the release next weekend (assuming several more bug/security fixes are dealt with).
Please keep TESTING, TESTING, TESTING. At this point, release is likely ready to go anytime over the next 2 weeks (whenever I have a couple solid blocks of time). The things to test heavily are the install/upgrades on windows/linux via the Daily Snapshots: http://www.open-emr.org/wiki/index.php/QA/Release_Process#Testing_vehicles
I’ve got some significant improvements to e-labs coming in the next few days after a client is done testing… support for documents embedded in HL7 results and some various smaller things. Might be worth waiting for.
For one production site, processing of approx. 300 orders to date with (4.1.1 + Rod’s code and our changes) has worked well. Not sure if it is better to hold main release or put labs related stuff as patch 1 or later. There was a long prep time to get our lab partners to connect to us even when we were ready.